intesar / NB-Sales


DDOS on GET:/api/v1/orgs/{id}/users #1269

Closed intesar closed 4 years ago

intesar commented 4 years ago

Title: DDOS Vulnerability on GET:/api/v1/orgs/{id}/users
Project: NetBanking API
Description: The Application DDoS exploit allows an attacker to overwhelm your Application/DB by requesting seemingly large resources through a vulnerable endpoint.

Assertion Name: DDoS (1)(2)

Overview: In computing, a Denial-of-Service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a Distributed Denial-of-Service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

DDoS, or Distributed Denial of Service, is flooding the targeted API endpoints with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

An advanced DDoS attack can be created with very few tailored requests, e.g. if an API endpoint has a vulnerability which allows requesting 10,000 items or records by setting page-size=10000 or a large date range on the vulnerable API endpoint, then sending a few of these requests regularly can make the entire system unresponsive, leading to revenue and brand loss.

e.g. values: pageSize=101, page_size=101, /api/v1/dashboard/count-bugs-between?fromDate={{@PastDate | dd/MM/yyyy}}&toDate={{@Date | dd/MM/yyyy}}, /api/v1/dashboard/count-tests-between?fromDate={{@PastDate | dd/MM/yyyy}}&toDate={{@Date | dd/MM/yyyy}}.

Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.

Severity: DDoS is a form of cyber attack. DDoS attacks are increasing on a year-on-year basis and are consistently reported in the Akamai State of the Internet / Security Reports (3).

Vulnerability Impact: A successful DDoS attack can


Exploitation: DoS / DDoS attackers attempt to overwhelm web applications and APIs with a flood of HTTP/HTTPS requests. In order to obtain a high enough level of traffic, attackers typically need to leverage a large number of attacking hosts to achieve the desired effect. One way to do this is by purchasing access to a "booter service", which is a marketing term for "DDoS for Hire" (5).

Remediation: While it may not be completely possible to avoid a DoS or DDoS attack, it is possible to identify it and take remediation steps. Different protections that can be leveraged are


References:
  1. Understanding Denial-of-Service Attacks - https://www.us-cert.gov/ncas/tips/ST04-015
  2. DoS and DDoS - https://en.wikipedia.org/wiki/Denial-of-service_attack
  3. Akamai 2018 State of Internet / Security Report - https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp
  4. Akamai 2018 Attack Stats - https://www.akamai.com/us/en/multimedia/documents/infographic/ddos-web-application-attack-stats-asia-pacific-ponemon-web-security-infographic-2018.pdf
  5. The Dark Side of APIs – Denial of Service Attacks - https://blogs.akamai.com/sitr/2018/08/the-dark-side-of-apis-denial-of-service-attacks.html

Risk: DDOS
Severity: Medium
API Endpoint: http://95.217.118.53:8080/api/v1/orgs/VArkMmWt/users?page=1&pageSize=101
Environment: Master
Playbook: ApiV1OrgsIdUsersGetQueryParamPageDdos
Researcher: [apisec Bot]

QUICK TIPS
Suggestion: Add a max limit validation on the endpoint params used for requesting maximum number of resources.
Effort Estimate: 0.5

Wire Logs:
07:10:14 [D] [AVOIUGQPPDdos] : URL [http://95.217.118.53:8080/api/v1/orgs/VArkMmWt/users?page=1&pageSize=101]
07:10:14 [D] [AVOIUGQPPDdos] : Method [GET]
07:10:14 [D] [AVOIUGQPPDdos] : Auth [Default]
07:10:14 [D] [AVOIUGQPPDdos] : Request []
07:10:14 [D] [AVOIUGQPPDdos] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**********]}]
07:10:14 [D] [AVOIUGQPPDdos] : Response [{ "requestId" : "None", "requestTime" : "2020-08-13T19:10:14.173+0000", "errors" : false, "messages" : [ ], "data" : [ ], "totalPages" : 0, "totalElements" : 0 }]
07:10:14 [D] [AVOIUGQPPDdos] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzI4N2Q4YmMtMjNkNS00NWIzLWFmOGYtNTJhMGIxYzQxZDBk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 13 Aug 2020 19:10:14 GMT]}]
07:10:14 [D] [AVOIUGQPPDdos] : StatusCode [200]
07:10:14 [D] [AVOIUGQPPDdos] : Time [205]
07:10:14 [D] [AVOIUGQPPDdos] : Size [137]
07:10:14 [E] [AVOIUGQPPDdos] : Assertion [@StatusCode == 200 AND @Response.errors != false] resolved-to [200 == 200 AND false != false] result [Failed]

IMPORTANT LINKS
Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a80814f73e75f3f0173e93adc2d135a/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs
Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a80814f73e75f3f0173e93acc32134c
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1OrgsIdUsersGetQueryParamPageDdos
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a80814f73e75f3f0173e93adc2d135a/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---
intesar commented 4 years ago

Message: This issue is manually closed from FX control plane.

Title: DDOS Vulnerability on GET:/api/v1/orgs/{id}/users
Project: NetBanking API
Description:

Risk: DDOS
Severity: Medium
API Endpoint: http://95.217.118.53:8080/api/v1/orgs/VArkMmWt/users?page=1&pageSize=101
Environment: Master
Playbook: ApiV1OrgsIdUsersGetQueryParamPageDdos
Researcher: Default

QUICK TIPS
Suggestion:
Effort Estimate:

Wire Logs:
07:10:14 [D] [AVOIUGQPPDdos] : URL [http://95.217.118.53:8080/api/v1/orgs/VArkMmWt/users?page=1&pageSize=101]
07:10:14 [D] [AVOIUGQPPDdos] : Method [GET]
07:10:14 [D] [AVOIUGQPPDdos] : Auth [Default]
07:10:14 [D] [AVOIUGQPPDdos] : Request []
07:10:14 [D] [AVOIUGQPPDdos] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**********]}]
07:10:14 [D] [AVOIUGQPPDdos] : Response [{ "requestId" : "None", "requestTime" : "2020-08-13T19:10:14.173+0000", "errors" : false, "messages" : [ ], "data" : [ ], "totalPages" : 0, "totalElements" : 0 }]
07:10:14 [D] [AVOIUGQPPDdos] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzI4N2Q4YmMtMjNkNS00NWIzLWFmOGYtNTJhMGIxYzQxZDBk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 13 Aug 2020 19:10:14 GMT]}]
07:10:14 [D] [AVOIUGQPPDdos] : StatusCode [200]
07:10:14 [D] [AVOIUGQPPDdos] : Time [205]
07:10:14 [D] [AVOIUGQPPDdos] : Size [137]
07:10:14 [E] [AVOIUGQPPDdos] : Assertion [@StatusCode == 200 AND @Response.errors != false] resolved-to [200 == 200 AND false != false] result [Failed]

IMPORTANT LINKS
Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs
Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a80814f73e75f3f0173e93acc32134c
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1OrgsIdUsersGetQueryParamPageDdos
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---