[Steemplus API] [v1.0] [Bug-Report] DOS Vulnerability in the API caused by the SPP-Job
by @mwfiae (edited)
#### Project Information
* Repository:
https://github.com/stoodkev/steemplus-api
* Project Name: **SteemPlus (API)**
* Publisher (if applicable): @stoodkev

#### Expected behavior
The job that updates the SPP (SteemPlus Points) should only run once every hour, as the code itself states:
[![](https://cdn.steemitimages.com/DQmZ37YBrh2qS67WULXkUrQzoReFZsDKsd6pdApyyG82EzR/image.png)](https://cdn.steemitimages.com/DQmZ37YBrh2qS67WULXkUrQzoReFZsDKsd6pdApyyG82EzR/image.png)
Only authorized parties should be able to start resource-intensive jobs on the SteemPlus API server. Such functionality should never be exposed through a public API endpoint.

#### Actual behavior
Any client that can reach the API can call the endpoint and start the job manually, with no authentication at all. A malicious user could call it repeatedly to overload the SteemPlus API server, resulting in a DoS (Denial-of-Service) attack.
It is also possible (by issuing a few requests in parallel) that some points end up missing or doubled in the database, depending on the exact timing of the overlapping runs.

#### How to reproduce
The bug is reproduced by sending a single unauthenticated request to the endpoint:
**/job/update-steemplus-points**

#### Solution
One fix is to protect the endpoint with a secret key stored in the server config, so that only callers presenting that key can trigger the job.
Another is not to expose the function through the API at all and only run it internally from a cron job or similar scheduler.

I went with the first option and opened a pull request for it:
[Pull-Request](https://github.com/stoodkev/steemplus-api/pull/8)

#### Recording Of The Bug
Before executing the job:
[![](https://cdn.steemitimages.com/DQmcCRJsRfG7CdJLAeSSGeNJtuDuqAC2Vs4phAiySxK8a4N/image.png)](https://cdn.steemitimages.com/DQmcCRJsRfG7CdJLAeSSGeNJtuDuqAC2Vs4phAiySxK8a4N/image.png)
Executing the job:
[![](https://cdn.steemitimages.com/DQmU5edoLcfuSun3QYuQ5aCohnB64YRMD89NwBRSmagKGx5/image.png)](https://cdn.steemitimages.com/DQmU5edoLcfuSun3QYuQ5aCohnB64YRMD89NwBRSmagKGx5/image.png)
After executing the job:
[![](https://cdn.steemitimages.com/DQmbXqpVCukkEUFjU3KQCykt1NVyXrBJVHB7PGBAckEvmTN/image.png)](https://cdn.steemitimages.com/DQmbXqpVCukkEUFjU3KQCykt1NVyXrBJVHB7PGBAckEvmTN/image.png)
As shown, my user record was created and my points were updated without waiting for the hourly run.

#### GitHub Account
https://github.com/MWFIAE

The problem was reported to the project owner via a [GitHub issue](https://github.com/stoodkev/steemplus-api/issues/9) (in addition to the [pull request](https://github.com/stoodkev/steemplus-api/pull/8)), and I also reached out to him on Discord, where he confirmed that this is a problem. (A screenshot can be provided if needed.)
Posted by @mwfiae in utopian-io on 2018-09-04 16:17 (last updated 2018-09-04 17:06). Tags: utopian-io, bug-hunting, steemplus, api, dos. Payout: 27.304 HBD to the author, 9.027 HBD to curators; beneficiaries: steemplus-pay 1%, utopian.pay 5%.
@cedricguillas ·
Hi @mwfiae, thanks for your report. I worked on that part of Steem-plus and I apparently made a smaaaaall mistake haha.
I just want to clarify a point. When you say `It is also possible (by creating a few requests in parallel) that some of the points are missing or doubled in the database, depending on the exact moment this is attempted.`, it is actually not possible to double your points because we only process data created after the last entry in our database. We decided to execute the job once every hour at first so as not to overload our server, but we could have done it every 5 minutes. :)
@mwfiae ·
Hi Cedric, 

Mistakes can happen that's why it's open source, so that mistakes can be spotted easily and fixed before harm is done :) 

After some consideration I think you are right, it shouldn't be possible to double the points, but it's very easily possible to miss points entirely. 
But anyhow, that's resolved now by securing the function :)

Also can you please contact me on discord? I think I found a few other points that need consideration :) 
MWFIAE#7029

Greeting,
MW
@sachincool ·
Hello @mwfiae, 
This is a really good extensively written report. 
* The criticality is Critical: it majorly affects resource monitoring and can cause high unnecessary usage.
* You proposed a solution; even if it was discarded, it was a good initiative. You should try to inform the PO before starting on the fix that you're on it and get assigned to the issue. This resolves problems like two people working on the same thing.
* Other solutions could be to filter request based on `origin` header. 
the cronjob was the perfect solution. Thanks for including it in your report as well.

This report is very valuable and that's why I'll be staff-picking it from Bug-hunting category. 
Thank you for contributing to this project 

Your contribution has been evaluated according to [Utopian policies and guidelines](https://join.utopian.io/guidelines), as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, [click here](https://review.utopian.io/result/5/111211).

---- 
Need help? Write a ticket on https://support.utopian.io/. 
Chat with us on [Discord](https://discord.gg/uTyJkNm). 
[[utopian-moderator]](https://join.utopian.io/)
@mwfiae ·
Thank you very much for the review and the staff-pick! :) 

It's a shame that the pull-request wasn't merged because I mentioned it a few times... But I could have better used the github features to make it clearer and will certainly pay more attention next time :) 

Ultimately it was only a few lines of code, so hopefully it didn't cost stoodkev too much time to reimplement it.

Also thank you for your valuable feedback! I need to make sure to read more about the origin header :) 

Greetings,
Mw
@utopian-io ·
Thank you for your review, @sachincool!

So far this week you've reviewed 1 contributions. Keep up the good work!
@steem-ua ·
#### Hi @mwfiae!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your **UA** account score is currently 3.673 which ranks you at **#5140** across all Steem accounts.
Your rank has improved 21 places in the last three days (old rank 5161).

In our last Algorithmic Curation Round, consisting of 188 contributions, your post is ranked at **#132**.
##### Evaluation of your UA score:

* You're on the right track, try to gather more followers.
* The readers like your work!
* Your contribution has not gone unnoticed, keep up the good work!


**Feel free to join our [@steem-ua Discord server](https://discord.gg/KpBNYGz)**
@mwfiae ·
Hey steem-ua, thanks for the upvote! 

But you should increase the time before you vote, as utopian still wasn't here and that would have boosted my post-ua for sure! :)

Greetings, 
mw
@mightypanda ·
If they do that, they won't get the share of curation, which will be a loss to them :)
@steemitboard ·
Congratulations @mwfiae! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

[![](https://steemitimages.com/70x80/http://steemitboard.com/notifications/votes.png)](http://steemitboard.com/@mwfiae) Award for the number of upvotes

<sub>_Click on the badge to view your Board of Honor._</sub>
<sub>_If you no longer want to receive notifications, reply to this comment with the word_ `STOP`</sub>


To support your work, I also upvoted your post!


**Do not miss the last post from @steemitboard:**
[SteemFest³ - SteemitBoard support the Travel Reimbursement Fund.](https://steemit.com/steemfest/@steemitboard/steemfest-steemitboard-support-the-travel-reimbursement-fund)

> Do you like [SteemitBoard's project](https://steemit.com/@steemitboard)? Then **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!
@utopian-io ·
Hey, @mwfiae!

**Thanks for contributing on Utopian**.
Congratulations! Your contribution was Staff Picked to receive a maximum vote for the bug-hunting category on Utopian for being of significant value to the project and the open source community.

We're already looking forward to your next contribution!

**Get higher incentives and support Utopian.io!**
 Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via [SteemPlus](https://chrome.google.com/webstore/detail/steemplus/mjbkjgcplmaneajhcbegoffkedeankaj?hl=en) or [Steeditor](https://steeditor.app)).

**Want to chat? Join us on Discord https://discord.gg/h52nFrV.**

<a href='https://steemconnect.com/sign/account-witness-vote?witness=utopian-io&approve=1'>Vote for Utopian Witness!</a>