Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on Tue Aug 13 2024 22:19:03 GMT-0400 (Atlantic Standard Time) by @Minato7namikazi for
Report ID: #34492
Report type: Websites and Applications
Report severity: Insight
Target: https://github.com/shardeum/relayer-distributor/tree/dev
Impacts:
Taking down the application/website
Temporarily disabling user to access target site, such as: Locking up the victim from login, Cookie bombing, etc.
there is critical missed check in the validateRequestData
function within the handling of the txIdList
parameter for the /originalTx
and /receipt endpoints.
The code correctly parses the txIdList string into an array of transaction IDs. However, it doesn't check the length of the resulting array. This means a malicious actor could submit a very large txIdList, potentially causing a denial-of-service (DoS) attack by overwhelming the server with database queries.
The code does parse the txIdList string into an array:
The code then iterates over each txId in the array:
there is indeed no check on the length of txIdListArr before starting the loop.
Add a check to limit the number of transaction IDs allowed in the txIdList array. This limit should be consistent with the other limits imposed by the API like ( MAX_ORIGINAL_TXS_PER_REQUEST and MAX_RECEIPTS_PER_REQUEST )
Denial of Service (DoS):
An attacker could send a request with an extremely large number of transaction IDs.
The server would attempt to process each ID, leading to a high number of database queries.
This could overwhelm the database, causing slowdowns or crashes.
The affected endpoint could become unresponsive, denying service to legitimate users.
Resource Exhaustion:
Processing a large number of IDs could consume significant CPU and memory resources.
This could impact the performance of the entire server, affecting other services and users.
To run this PoC:
Save it as a .ts
file (e.g., txListVulnerabilityPoC.ts
)
(npm install -g typescript ts-node
)
Run it with ts-node txListVulnerabilityPoC.ts
This is a minimal PoC to demonstrates the difference from high level :
A small list of 10 transaction IDs processes quickly.
A large list of 1000 transaction IDs takes significantly longer to process, simulating the potential for a DoS attack.
Expected output will be similar to:
The large difference in processing time between the small and large lists demonstrates how an attacker could potentially overwhelm the server by sending a request with a very large number of transaction IDs.
This minimal PoC proves from high level that without a limit on the number of transaction IDs that can be processed in a single request, an attacker could cause significant resource consumption and potentially a denial of service.