Denial of Service Due to Insufficient Email Length Check

Writer what_web Program wargame.kr

WEB Informative Low No Reward Created: Aug 14, 2021 (3 years ago) Last Updated: Jul 17, 2022 (2 years ago)

Weakness

CWE-400: Uncontrolled Resource Consumption

Description

Hello. While testing for length validation issues, I confirmed that there is no limit on the email length.

In general, the maximum length allowed for an email address according to the RFC is 255 characters. However, during testing I confirmed that the wargame.kr web application does not limit the email length, so a very long email exceeding 255 characters can be used.

Sending a very long email (1,000,000 characters) can cause a denial-of-service attack against the server. This can make the website unavailable or unresponsive. A large amount of data can therefore cause significant resource consumption on the server side and make it an easy target for denial-of-service attacks.

Generally, every site implements a maximum email length of 255 characters according to the RFC in order to prevent denial-of-service attacks. While testing the wargame.kr web application, I have attached screenshots with a practical proof of concept to prove that this is not a theoretical vulnerability.

Proof of Concept
[image]
[image]

In the screenshots above, you can see that due to the lack of an email length limit, an HTTP/1.1 500 Internal Server Error status code is returned together with a database error (A Database Error Occurred), the SQL error (INSERT INTO users (email, name, password, reg_date, reg_ip, lang) VALUES ('sdaaaaaaaa), and a path disclosure (Filename: /var/www/html/models/user_model.php).

This is the actual email used during testing; it consists of approximately 4584 characters.

  1. Go to the link http://wargame.kr/#join.
  2. When signing up for an account, the maximum email input length is 100 characters; to bypass this, capture the sign-up request (POST /user/join_action HTTP/1.1) with Burp Suite.
  3. Send it to Repeater, then copy and paste the email used above into the email and email2 parameters.
  4. Send the request and confirm that the server returns an HTTP/1.1 500 Internal Server Error status code.

An email address exceeding 255 characters can be added. Signing up for an account with an email of 1,000,000 or more characters can therefore cause significant resource consumption on the server due to overload, making it an easy target for resource exhaustion and denial-of-service attacks.

Thank you.
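As an added illustration of the server-side fix this report implies (example code, not wargame.kr's own), the Python below checks email length before any database access, so an over-long value like the one used in the report receives a clean 400 instead of a database error page that leaks SQL and file paths. The `insert_user` callback, the join handler shape and the sample inputs are assumptions.

```python
# Added example: length validation for a join form, run before the database
# sees the value. Limits follow the 255-character figure cited in the report
# and the 64-character local-part limit from RFC 5321.
import re
from typing import Callable, Dict, Tuple

MAX_EMAIL_LEN = 255   # overall limit cited in the report
MAX_LOCAL_LEN = 64    # RFC 5321 local-part limit

# Deliberately simple syntax check; it only runs after the cheap length checks.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email: str) -> Tuple[bool, str]:
    """Return (ok, reason). Length checks come first: they are O(1) and stop
    oversized input before the regex or the database has to process it."""
    if len(email) > MAX_EMAIL_LEN:
        return False, "email exceeds %d characters" % MAX_EMAIL_LEN
    local, sep, _domain = email.partition("@")
    if not sep:
        return False, "email must contain '@'"
    if len(local) > MAX_LOCAL_LEN:
        return False, "local part exceeds %d characters" % MAX_LOCAL_LEN
    if not _EMAIL_RE.match(email):
        return False, "email format is invalid"
    return True, ""


def handle_join(form: Dict[str, str],
                insert_user: Callable[[str], None]) -> Tuple[int, Dict[str, str]]:
    """Minimal join handler returning (http_status, json_body).
    `insert_user` is a hypothetical persistence callback."""
    email = form.get("email", "")
    if email != form.get("email2", ""):
        return 400, {"error": "email fields do not match"}
    ok, reason = validate_email(email)
    if not ok:
        return 400, {"error": reason}   # rejected before any SQL runs
    try:
        insert_user(email)
    except Exception:
        # Never echo the driver message, SQL text or file path to the client.
        return 500, {"error": "internal error"}
    return 201, {"status": "created"}


# Constructed sample input mirroring the repeated pattern used in the report.
LONG_EMAIL = "sdaaaaaaaaa" * 400 + "@sda.com"
```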

Timeline

what_web submitted ticket. August 14, 2021 (3 years ago)
what_web posted a comment. October 26, 2021 (2 years ago)

Hello. I was wondering whether there is any update.

Thank you.

4e6c6258 MANAGER changed the severity from 'High' to 'Low'. October 26, 2021 (2 years ago)
4e6c6258 MANAGER changed the status from 'Submitted' to 'Informative'. October 26, 2021 (2 years ago)
4e6c6258 MANAGER changed the disclosure from 'Closed' to 'Disclosed (Full)'. October 26, 2021 (2 years ago)
4e6c6258 MANAGER posted a comment. October 26, 2021 (2 years ago)

At join time, data beyond the allowed size is already truncated at the DB schema level, so chaining this email into another vulnerability is not possible. This vulnerability cannot be used for information disclosure from the wargame.kr server itself or for attacks on the server.