Closed tienthanh411 closed 3 years ago
Thanks for reporting this, I've fixed this in commit https://github.com/snoopysecurity/dvws-node/commit/d0c33a6a892495341343ba2e98ca334609a01660, can you check if this happens again?
Thanks! The problem is still there, but less severe though. I ran a ZAP active scan, and still more than 100 Mongoose connections were opened.
I could see that you have added calls to mongoose.connect() again after the commit. Maybe that's the reason why the problem is still there.
You only need to create 1 Mongoose connection in index.js when starting the server, and remove all the calls to mongoose.connect() in the controllers (similar to what you did in commit d0c33a6a892495341343ba2e98ca334609a01660). This is an example of how it could be done: https://github.com/madhums/node-express-mongoose-demo/blob/master/server.js
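The single-connection pattern described in this comment, as an added example that is not dvws-node's code: a connection opened once at server start and shared by all controllers, beside the per-request connect() anti-pattern, under a burst of concurrent requests such as an active scanner produces. A constructed stand-in driver that only counts open connections replaces Mongoose so the example runs offline; the `mongodb://example/db` URI and all function names are assumptions.

```javascript
// Constructed stand-in for a driver such as Mongoose: each connect() call
// opens a new connection object, and nothing here ever closes one, which is
// exactly the situation that lets an active scan pile up hundreds of them.
class FakeDriver {
  constructor() { this.openConnections = 0; }
  async connect(uri) {
    this.openConnections += 1;
    return { uri, close: async () => { this.openConnections -= 1; } };
  }
}

// Anti-pattern: every request handler calls connect() itself, so N concurrent
// requests open N connections that are never released.
function makePerRequestController(driver) {
  return async function handler(req) {
    const conn = await driver.connect('mongodb://example/db');
    return { user: req.user, via: conn.uri };
  };
}

// Fix: a single memoized connection promise created when the server starts
// (the role index.js plays); controllers await it instead of connecting.
// Memoizing the promise, not the resolved connection, means requests that
// arrive while the first connect() is still in flight also share it.
function makeSharedConnection(driver) {
  let pending = null;
  return function getConnection() {
    if (!pending) pending = driver.connect('mongodb://example/db');
    return pending;
  };
}

function makeSharedController(getConnection) {
  return async function handler(req) {
    const conn = await getConnection();
    return { user: req.user, via: conn.uri };
  };
}

// Fire `requests` concurrent requests at a freshly built controller and report
// how many connections the driver has open afterwards.
async function simulate(controllerFactory, requests) {
  const driver = new FakeDriver();
  const handler = controllerFactory(driver);
  await Promise.all(requests.map((user) => handler({ user })));
  return driver.openConnections;
}

// Compare both designs under the same load of `n` concurrent requests.
async function compare(n) {
  const requests = Array.from({ length: n }, (_, i) => `user${i}`);
  const perRequest = await simulate(makePerRequestController, requests);
  const shared = await simulate(
    (driver) => makeSharedController(makeSharedConnection(driver)),
    requests,
  );
  return { perRequest, shared };
}

compare(200).then((result) => console.log(result));
```

With 200 simulated concurrent requests the per-request design leaves 200 connections open while the shared design leaves one, which is the difference the ZAP scans in this thread were measuring.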
Yeah good point, I initially tried this approach but didn't get it working but the example you provided makes sense. I tried fixing this with commit https://github.com/snoopysecurity/dvws-node/commit/6c022d8364d48745ee00849d4d53965f9f4fc38b, mind scanning with ZAP again? thanks
Closing this issue, I think this is fixed now, I scanned with Burp Pro to verify this
Hi,
I deployed the project in a Docker container and tried to attack the APIs using OWASP ZAP. With the OWASP ZAP's active scanner, the web container showed more than 700 Mongoose connections after a few seconds.
After this, the web server didn't respond anymore.