Description
Title: DDOS Vulnerability on GET:/api/v1/products
Project: SanityGitHub0306
Description: The Application DDoS exploit allows an attacker to overwhelm your Application/DB by requesting seemingly large resources through a vulnerable endpoint.
Risk: DDOS
Severity: Major
API Endpoint: http://138.91.64.62:8080/api/v1/products?page=1001&pageSize=1001
Environment: Master
Playbook: ApiV1ProductsGetQueryParamPageDdos
Researcher: [apisec Bot]
QUICK TIPS
Suggestion: Add a max limit validation on the endpoint params used for requesting maximum number of resources.
Effort Estimate: 0.5
Wire Logs:
08:45:29 [D] [AVPGQPPDdos] : URL [http://138.91.64.62:8080/api/v1/products?page=1001&pageSize=1001]
08:45:29 [D] [AVPGQPPDdos] : Method [GET]
08:45:29 [D] [AVPGQPPDdos] : Auth [default]
08:45:29 [D] [AVPGQPPDdos] : Request []
08:45:29 [D] [AVPGQPPDdos] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[**********]}]
08:45:29 [D] [AVPGQPPDdos] : Response [{
"requestId" : "None",
"requestTime" : "2020-06-03T08:45:29.152+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "findAll.arg1: must be less than or equal to 20"
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
08:45:29 [D] [AVPGQPPDdos] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YWJhZDA2ZjMtYTZjMS00ZTdhLWE1YTktYjgzZDc2YmI2Yjc4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 03 Jun 2020 08:45:28 GMT]}]
08:45:29 [D] [AVPGQPPDdos] : StatusCode [200]
08:45:29 [D] [AVPGQPPDdos] : Time [552]
08:45:29 [D] [AVPGQPPDdos] : Size [220]
08:45:29 [I] [AVPGQPPDdos] : Assertion [@statuscode != 404] resolved-to [200 != 404] result [Passed]
08:45:29 [I] [AVPGQPPDdos] : Assertion [@statuscode != 401] resolved-to [200 != 401] result [Passed]
08:45:29 [E] [AVPGQPPDdos] : Assertion [@statuscode != 200] resolved-to [200 != 200] result [Failed]
IMPORTANT LINKS
Vulnerability Details:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/recommendations/8a8081397278f8ba0172795d7f6e24da/details
Project:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/jobs
Coverage:
https://cloud.fxlabs.io/#/app/projects/8a8081397278f8ba01727922a45a0593/configuration
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---