doohochang
commented
4 years ago Thank for your vulnerability report. As you said, chat-server has no any rate limiting / throttling request techniques. We've already considered about DDos attack, and we think the best solution to prevent those kind of attacks which use large request traffic is using well-known rate limiting tools(nginx, aws gateway, etc...) in infrastructural level(especially, in stage before api gate / load balancer / etc...). Rate limiting by counting user tokens on each application server in cluster maybe less effective than techniques which counts IP/MAC addresses on another ingress component to the service. Conclusionally, we think the responsibility of the vulnerability which you reported should be owned by infrastructural level consideration, not only by chat-server. But also, we think your attack scenario is feasible and thanks for productive ideation.
Team ASU
AlanSynn
Version: 1.0 Env: ubuntu 16.0.4 loc: vulnerability was made by lack of funcs (기능이 없어서 생기는 취약점) type: cwe -400: https://cwe.mitre.org/data/definitions/400.html Explanation of vulnerability: I can't find any function that saving session or viewing user ip address (to prevent multiple login in single machine). That means user can access server with multiple accounts in one machine, and it means malicious user can do DDos Attack with fewer (zombies)machines than usual. you guys should make user to login with limited counts of account.