[Steemplus API] [v1.0] [Bug-Report] DOS Vulnerability in the API caused by the SPP-Job

in #utopian-io · 6 years ago (edited)

Project Information

Expected behavior

The job that updates the SPP (Steemplus Points) should only run once every hour, as the code itself states.

Only authorized persons should be able to start resource-intensive jobs on the Steemplus API server. Such functionality should never be exposed through a public API endpoint.

Actual behavior

Every user is able to call the mentioned API endpoint and start the job manually. A malicious user could use this to overload the Steemplus API server, resulting in a DoS (Denial of Service) attack.
It is also possible (by sending a few requests in parallel) that some points end up missing or doubled in the database, depending on the exact moment at which this is attempted.

How to reproduce

The bug is easily reproduced by simply calling the specific API endpoint:
/job/update-steemplus-points

Solution

One solution would be to secure the API endpoint with a private key stored in the config, so that only authorized callers can trigger the function.
Another would be to not expose this function through the API at all and instead only run it internally, via a cronjob or similar.

I decided to go with solution number one and started a pull-request for it:
Pull-Request

Recording Of The Bug

Before executing the job:

Executing the job:

After executing the job:

As can be seen, my user information was created and my points were updated without waiting for an hour.

GitHub Account

https://github.com/MWFIAE

The problem was brought to the project owner via a GitHub issue (in addition to the pull request), and I also reached out to him via Discord, where he confirmed that this is a problem. (A screenshot can be provided if needed.)


Hello @mwfiae,
This is a really good extensively written report.

  • The criticality is Critical: it affects resource monitoring majorly and can cause high unnecessary usage.
  • You proposed a solution; even if it was discarded, it was a good initiative. You should try to inform the PO before starting on the fix that you're on it and get assigned to the issue. This resolves problems like two people working on the same project.
  • Other solutions could be to filter requests based on the origin header.
    The cronjob was the perfect solution. Thanks for including it in your report as well.

This report is very valuable and that's why I'll be staff-picking it from Bug-hunting category.
Thank you for contributing to this project

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Write a ticket on https://support.utopian.io/.
Chat with us on Discord.
[utopian-moderator]

Thank you very much for the review and the staff-pick! :)

It's a shame that the pull-request wasn't merged because I mentioned it a few times... But I could have better used the github features to make it clearer and will certainly pay more attention next time :)

Ultimately it was only a few lines of code, so hopefully it didn't cost stoodkev too much time to reimplement it.

Also thank you for your valuable feedback! I need to make sure to read more about the origin header :)

Greetings,
Mw

Thank you for your review, @sachincool!

So far this week you've reviewed 1 contribution. Keep up the good work!

Congratulations @mwfiae! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Do not miss the last post from @steemitboard:
SteemFest³ - SteemitBoard support the Travel Reimbursement Fund.

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Hi @mwfiae!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 3.673 which ranks you at #5140 across all Steem accounts.
Your rank has improved 21 places in the last three days (old rank 5161).

In our last Algorithmic Curation Round, consisting of 188 contributions, your post is ranked at #132.

Evaluation of your UA score:
  • You're on the right track, try to gather more followers.
  • The readers like your work!
  • Your contribution has not gone unnoticed, keep up the good work!

Feel free to join our @steem-ua Discord server

Hey steem-ua, thanks for the upvote!

But you should increase the time before you vote, as utopian still wasn't here and that would have boosted my post-ua for sure! :)

Greetings,
mw

If they do that, they won't get the share of curation, which will be a loss to them :)

Then they should at least already calculate it in and make a bigger upvote. This way the curation would be even higher 😉

Earning curation is not too difficult. I had to turn off my script because it was voting too much on utopian comments and posts.

Would be interested in that script, do you mind sharing? ;)

If you'd rather want to contact me via discord: MWFIAE#7029

Hi @mwfiae, thanks for your report. I worked on that part of Steem-plus and I apparently did a smaaaaall mistake haha.
I just want to clarify a point. When you say "It is also possible (by creating a few requests in parallel) that some of the points are missing or doubled in the database, depending on the exact moment this is attempted.", it is actually not possible to double your points, because we only process data created after the last entry in our database. We decided to execute the job once every hour at first so as not to overload our server, but we could have done it every 5 minutes. :)

Hi Cedric,

Mistakes can happen that's why it's open source, so that mistakes can be spotted easily and fixed before harm is done :)

After some consideration I think you are right, it shouldn't be possible to double the points, but it's very easily possible to miss points entirely.
But anyhow, that's resolved now by securing the function :)

Also can you please contact me on discord? I think I found a few other points that need consideration :)
MWFIAE#7029

Greetings,
MW

Hey, @mwfiae!

Thanks for contributing on Utopian.
Congratulations! Your contribution was Staff Picked to receive a maximum vote for the bug-hunting category on Utopian for being of significant value to the project and the open source community.

We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!