sahat / hackathon-starter

A boilerplate for Node.js web applications
MIT License
34.88k stars 8.18k forks

Security Fix for Lack of Rate Limiting - huntr.dev #1131

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/arjunshibu has fixed the Lack of Rate Limiting vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/hackathon-starter/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/hackathon-starter/1/README.md |

User Comments:

📊 Metadata *

hackathon-starter is a boilerplate for Node.js web applications. It lacks rate-limiting, which allows an attacker to brute-force login credentials and perform mass account creation.

Bounty URL: https://www.huntr.dev/bounties/1-other-hackathon-starter

⚙️ Description *

Lack of rate-limiting in the login and signup page of hackathon-starter

💻 Technical Description *

This fix uses the express-rate-limit package, which is a rate-limiting middleware for Express-based servers. I've applied it to POST requests issued to the /login and /signup routes.

🐛 Proof of Concept (PoC) *

Login Brute-Force

  1. Install the package by following these instructions or try the live demo https://hackathon-starter.walcony.com
  2. Navigate to /login and send the POST request to Burp Intruder
  3. Use the Grep Match option and add the string `Found. Redirecting to <a href="/login">/login</a>`
  4. The successful payload will redirect to / instead of /login
    https://raw.githubusercontent.com/arjunshibu/files/main/hackathon-starter-poc/poc1.png
    https://raw.githubusercontent.com/arjunshibu/files/main/hackathon-starter-poc/poc2.png
    https://raw.githubusercontent.com/arjunshibu/files/main/hackathon-starter-poc/poc3.png

Mass Account Creation

  1. Navigate to /signup and send the POST request to Burp Intruder
  2. I used numbers as payloads
  3. Use the Grep Match option and add the string `Found. Redirecting to <a href="/">/</a>`
  4. All successful payloads will redirect to /, and to /signup if the user already exists
    https://raw.githubusercontent.com/arjunshibu/files/main/hackathon-starter-poc/poc4.png
    https://raw.githubusercontent.com/arjunshibu/files/main/hackathon-starter-poc/poc5.png

🔥 Proof of Fix (PoF) *

After the fix, any brute-forcing of login credentials and mass account creation is prevented by responding with 429 - Too Many Requests.

👍 User Acceptance Testing (UAT)

YasharF commented 3 years ago

This PR is invalid; marking as spam.

  1. The going to production checklist states that you would need to run the application behind a proxy such as Cloudflare. Such proxies provide the rate-limiting protection.
  2. Rate limiting should be bundled with other robot validations such as smart captchas to reduce degradation of the experience for legitimate users that might be having technical difficulties.
  3. The stated solution is insufficient since express-rate-limit does not have any smart ways to identify if it is behind a proxy. In the context of hackathon-starter such smarts are a must-have since, without it, the dev teams can completely stall during a time-crunched weekend when they do server deployments.
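The fix described in the huntr post (a limiter in front of POST /login and /signup) and the objection in the reply above (express-rate-limit cannot tell on its own that it sits behind a proxy) can both be seen in one small piece of code. The following is an added example written for this page; it is not code from hackathon-starter, from huntr, or from the express-rate-limit package. It implements a fixed-window limiter with the Express `(req, res, next)` middleware signature, keys clients on the TCP peer address by default and reads X-Forwarded-For only when a `trustProxy` option is set explicitly, answers with 429 and a Retry-After header once the limit is exceeded, and exercises itself with constructed fake requests so it runs without a server. The `postLogin`/`postSignup` handler names, the `203.0.113.7` client address and the 15-minute/5-attempt values in the wiring comment are assumptions, not the project's own.

```javascript
'use strict';

// Added example, not code from hackathon-starter or express-rate-limit.
// A minimal fixed-window rate limiter with the Express (req, res, next)
// middleware shape. It returns 429 once a client exceeds `max` requests
// per `windowMs`, and it only trusts X-Forwarded-For when `trustProxy`
// is explicitly enabled, which is the proxy concern raised in the thread.

function clientKey(req, trustProxy) {
  // Behind a trusted reverse proxy the socket peer is the proxy itself, so
  // the real client is the first (leftmost) address in X-Forwarded-For.
  if (trustProxy) {
    const xff = req.headers && req.headers['x-forwarded-for'];
    if (typeof xff === 'string' && xff.trim() !== '') {
      return xff.split(',')[0].trim();
    }
  }
  // With no trusted proxy the header is client-controlled and must be
  // ignored; otherwise every request could choose its own bucket.
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

function createRateLimiter(options = {}) {
  const windowMs = options.windowMs ?? 15 * 60 * 1000; // assumed: 15 minutes
  const max = options.max ?? 5;                         // assumed: 5 attempts per window
  const trustProxy = options.trustProxy ?? false;       // off unless the deployment says so
  const now = options.now ?? (() => Date.now());        // injectable clock for testing
  const buckets = new Map();                            // key -> { count, resetAt }

  return function rateLimit(req, res, next) {
    const key = clientKey(req, trustProxy);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || bucket.resetAt <= t) {
      bucket = { count: 0, resetAt: t + windowMs };     // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));
    if (bucket.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((bucket.resetAt - t) / 1000)));
      res.statusCode = 429;
      res.end('Too Many Requests');
      return;                                           // handler never runs
    }
    next();
  };
}

// Fake request/response objects (constructed for this example) so the
// limiter can be exercised without a listening server.
function makeRequest(remoteAddress, headers = {}) {
  return { method: 'POST', url: '/login', headers, socket: { remoteAddress } };
}

function makeResponse() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.end = (body) => { res.body = body; };
  return res;
}

// Runs each request through the limiter and returns the status code seen:
// 200 when the route handler would have run, 429 when the limiter blocked it.
function simulate(limiter, requests) {
  return requests.map((req) => {
    const res = makeResponse();
    let reachedHandler = false;
    limiter(req, res, () => { reachedHandler = true; });
    return reachedHandler ? 200 : res.statusCode;
  });
}

// Illustrative wiring (assumed handler names, not hackathon-starter's own):
//   const loginLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 5 });
//   app.post('/login', loginLimiter, postLogin);
//   app.post('/signup', createRateLimiter({ max: 3 }), postSignup);

function demo() {
  // Constructed burst: five POSTs from one address against a 3-per-minute limit.
  const limiter = createRateLimiter({ max: 3, windowMs: 60 * 1000 });
  const burst = Array.from({ length: 5 }, () => makeRequest('203.0.113.7'));
  return simulate(limiter, burst); // [200, 200, 200, 429, 429]
}

console.log(demo());
```

The `trustProxy` switch is the substance of the reply's third point. With it off, a client that is not behind any proxy cannot escape its bucket by sending a forged X-Forwarded-For, because the key comes from the socket. With it on, requests arriving through a reverse proxy are keyed by the original client rather than all sharing the proxy's address, which is what would otherwise throttle everyone behind that proxy at once. Neither setting is right for both deployments, which is why the option has to be set deliberately from the deployment configuration rather than guessed by the middleware.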