DoS via Collaborative Document in outline/outline
Aug 15th 2022
An attacker can send an enormous payload through the WebSockets collaborative document feature, which enforces no proper size restriction. Every user browser that visits the target document becomes unresponsive. Worse, if the payload is big enough (100MB in the demonstration below), the server crashes because the application cannot handle such a large amount of data at one time while updating the original document. After the server crashes, the service must be restarted manually to restore its normal function.
An additional problem is storage usage: because such payloads are stored inside the documents, storage could be filled up completely in a short time. The final document from the demonstration below alone takes up 100MB of server storage.
This is only possible via WebSockets because the /api/documents.update API endpoint is protected by nginx, which returns the 413 - Request Entity Too Large error.
Proof of Concept
- 1 - Log in to the application.
- 2 - Create a new document or open an existing one.
- 3 - Generate the payload that consists of a Markdown link:
- 4 - Paste the payload into the document. (This requires a great amount of RAM on the attacker machine. An optimal way to do it would be to generate the document with the payload automatically and send it directly to the WebSockets document service.)
- 5 - Wait for the payload to be sent. Once the server receives it, it starts to consume an abnormal quantity of computing resources, which are eventually exhausted, leading to the server crash.
- 6 - The application becomes unavailable for all its users.
A user can cause a full denial of service against the application server, making the application unavailable to all its users.
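One way to enforce the size restriction that the WebSockets path lacks, mirroring the 413 limit nginx already applies to the HTTP endpoint. This is an added example, not Outline's code: createUpdateGuard, the limits, the document ids and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example: size guard for collaborative-document WebSocket updates.
// Function names and limits are assumptions, not Outline's configuration.
const CLOSE_MESSAGE_TOO_BIG = 1009; // RFC 6455 close code "Message Too Big"

function createUpdateGuard({ maxMessageBytes, maxDocumentBytes }) {
  // documentId -> bytes accepted so far (a conservative proxy for stored size)
  const docSizes = new Map();

  return function checkUpdate(documentId, payload) {
    const size = typeof payload === "string"
      ? Buffer.byteLength(payload, "utf8")
      : payload.byteLength;

    // Reject a single oversized frame before it is parsed, stored or broadcast.
    if (size > maxMessageBytes) {
      return { accept: false, closeCode: CLOSE_MESSAGE_TOO_BIG, reason: "message too large" };
    }
    // Reject a run of smaller frames that together would bloat the stored document.
    const current = docSizes.get(documentId) || 0;
    if (current + size > maxDocumentBytes) {
      return { accept: false, closeCode: CLOSE_MESSAGE_TOO_BIG, reason: "document size limit reached" };
    }
    docSizes.set(documentId, current + size);
    return { accept: true, documentBytes: current + size };
  };
}

// Constructed sample run: 1 MiB per message, 2 MiB per document.
function demo() {
  const MiB = 1024 * 1024;
  const check = createUpdateGuard({ maxMessageBytes: MiB, maxDocumentBytes: 2 * MiB });
  const link = "[a](https://example.com/" + "A".repeat(64) + ")"; // ordinary Markdown link
  return [
    check("doc-1", link),                  // normal edit
    check("doc-1", Buffer.alloc(MiB + 1)), // one frame over the per-message cap
    check("doc-1", Buffer.alloc(MiB)),     // at the cap, still within the document budget
    check("doc-1", Buffer.alloc(MiB)),     // would push the document past 2 MiB
    check("doc-2", Buffer.alloc(MiB)),     // other documents are unaffected
  ];
}
```

A rejected update should close the socket with the returned close code and must not be persisted or relayed to other clients, which addresses both the crash and the storage growth described above.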