No rate limit via proxy url parameter in jgraph/drawio
Reported on Aug 29th 2022
Description
Hi Drawio Team,
Your proxy server has no limit on requests, which an attacker can use as a PORT SCANNER.
https://app.diagrams.net/proxy?url={IP:PORT}&base64=1
Proof of Concept
Image from my OWASP ZAP: https://ibb.co/h87hz3N
Impact
Malicious use.
Load on memory (DoS).
Affects availability.
Thanks for the report. You're reporting two things here:
- DoS. Rate limiting / dealing with DoS is an infrastructure level issue. You will not be able to DoS app.diagrams.net with this attack, we have infrastructure in place to deal with this.
If someone deployed the java ProxyServlet that would be up to them to deal with the issue.
- No port filtering. This is valid, but your current rating of critical is incorrect for this one item.
Hi Mr David,
Thank you for the response. So we can count one bug, which is [No port filtering]. I will edit it now!
Is it okay now, or do we have to edit something else, Mr David?
You've set the effect on integrity and availability as high for the port scanning report, could you explain in detail why those two levels?
Sure. Imagine someone discloses your proxy in public, so a lot of people will use it as a port scanner and put your domain at risk (someone can use it to scan private or military systems). So if a lot of people use it, that will affect the availability.
About the integrity, sorry, I forgot to remove it while editing the report.
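The port filtering the maintainer agrees is missing, as an added defender-side example (this is not drawio's own ProxyServlet code, which is Java): a validator for the proxy's url parameter that rejects non-default ports and any host that resolves to a non-public address. The allowed ports, the example hostnames and the offline lookup table are constructed assumptions, not values from the report.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumed policy: default web ports only
# Constructed lookup table standing in for DNS so the check runs offline.
CONSTRUCTED_DNS = {"app.example": {"1.2.3.4"},
                   "intranet.example": {"192.168.1.5"}}

def dns_resolve(host):
    """Real resolver: every address (A and AAAA) the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def constructed_resolve(host):
    """Offline stand-in for dns_resolve backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError("no such host: " + host)
    return CONSTRUCTED_DNS[host]

def check_proxy_url(url, resolve=dns_resolve):
    """Return (allowed, reason) for a proxy ``url`` parameter value."""
    try:
        parsed = urlparse(url)
        host, port = parsed.hostname, parsed.port  # .port raises on junk
    except ValueError:
        return False, "unparseable url"
    if parsed.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme not http(s) or host missing"
    # Port filtering, the check the report says is missing. urlparse gives
    # None when no port is written, so substitute the scheme default.
    port = port or (443 if parsed.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    # Host filtering: resolve first, then refuse every non-public address,
    # otherwise the proxy still reaches the deployer's own network.
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no DNS
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local or \
                ip.is_multicast or ip.is_reserved or not ip.is_global:
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"
```

Because the name is resolved before the fetch, the fetch itself should connect to the address that was checked rather than resolving the name a second time; otherwise a DNS answer that changes between the two lookups bypasses the host filter.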