DoS Vulnerability Leading to Application Downtime
Report ID
#37836
Report type
Websites and Applications
Has PoC?
Yes
Target
https://app.bean.money
Impacts
- Taking down the application/website requiring manual restoration
- Taking down the application (Out of scope)
Description
In the previous report, the impact "website requiring manual restoration" was selected, which caused it to be rejected, as this impact refers to logical issues within the application. At that time, I had no choice since no other prepared impact was available on the platform. However, selecting a Custom Impact would have resulted in the report being automatically rejected without further evaluation.
Primary Impact: This vulnerability takes down the application and can lead to significant disruption to business operations.
Note: Please carefully assess the validity of this report before dismissing it. The issue I am highlighting poses a significant threat to your business, and dismissing it easily could expose your system to serious risks. My previous report was rejected solely because the chosen impact during submission did not align perfectly.
I have been forced to select this impact in order for my report not to be automatically rejected in the first stage and reach your team. Please take this into consideration.
Summary
A DoS vulnerability has been identified, where sending a high volume of requests to a specific endpoint results in the application becoming unavailable. Additionally, during this process, a server error message reveals part of the system file path, which acts as a secondary disclosure.
Vulnerable Endpoint
- Endpoint URL: /.netlify/functions/l2migration
- Affected Parameter: account
Technical Details
Main Issue: The server lacks proper rate limiting and resource management, allowing an attacker to overwhelm it with requests, leading to downtime.
DoS Impact: If a malicious actor sends a massive number of requests (scaling to hundreds of thousands or millions), the response delay will significantly increase. This downtime can escalate from being temporary to lasting several hours, causing major disruption.
Malicious attackers do not send 10-20 requests; they flood servers with millions of requests, resulting in irreversible damage to system performance and availability.
Secondary Issue (Path Disclosure): During this process, the server error response exposes a partial system file path, confirming the underlying Linux operating system and revealing portions of the directory structure. While this alone may not be critical, it can aid attackers in further reconnaissance.
Steps to Reproduce
- Send multiple requests to the vulnerable endpoint:
  - URL: https://app.bean.money/.netlify/functions/l2migration?account=
  - Request Method: POST with a simple parameter
  - Use a simple script to simulate the attack:
- Observe increased response times and eventual application unavailability.
- Check the server response for path disclosure in error messages.
Business Impact
Application Downtime: A DoS attack could render the application unavailable for hours, severely impacting business operations. This results in service disruption, loss of customers, and significant financial damage.
Path Disclosure: Revealing system file paths provides valuable information for attackers to plan advanced attacks.
Potential Risk: Combining both issues (downtime and path disclosure) increases the overall threat to the infrastructure.
Mitigation Recommendations
- Implement Rate Limiting: Limit the number of consecutive requests to prevent server overload.
- Sanitize Error Responses: Remove sensitive information, such as file paths, from server error messages.
- Optimize Request Management: Improve server capacity and implement mechanisms to detect and block DoS attempts.
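The first two recommendations applied to a Netlify-style function handler, as an added example that is neither the reporter's nor Beanstalk's code. The handler signature follows the Netlify convention; the window size, request budget, the `migrate` callback, the client-IP headers and the assumption that `account` is an EVM address are all assumptions.

```javascript
// Added example (not Beanstalk's code): a fixed-window rate limiter and a
// sanitized error wrapper for a Netlify-style function handler such as
// /.netlify/functions/l2migration. Names, limits and the address format are assumed.
// In-memory counters only live inside one warm function instance; a shared store
// (or the platform's edge rate limiting) is needed across instances.

const WINDOW_MS = 60_000;   // assumed window: one minute
const MAX_PER_WINDOW = 30;  // assumed budget per client per window
const buckets = new Map();  // client key -> { windowStart, count }

// Fixed-window counter: true while the client is within budget for this window.
function allowRequest(key, now = Date.now()) {
  let b = buckets.get(key);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    b = { windowStart: now, count: 0 };
    buckets.set(key, b);
  }
  b.count += 1;
  return b.count <= MAX_PER_WINDOW;
}

// Client identity from proxy headers (assumed: Netlify lowercases header names and
// supplies x-nf-client-connection-ip; x-forwarded-for is the fallback).
function clientKey(event) {
  const h = event.headers || {};
  const ip = h['x-nf-client-connection-ip'] || (h['x-forwarded-for'] || '').split(',')[0].trim();
  return ip || 'unknown';
}

// Wraps the real migration logic (`migrate`, assumed): rate-limits, validates the
// `account` parameter, and never lets an exception (or its file paths) reach the client.
function makeHandler(migrate, now = Date.now) {
  return async function handler(event) {
    if (!allowRequest(clientKey(event), now())) {
      return { statusCode: 429, headers: { 'Retry-After': '60' }, body: 'Too Many Requests' };
    }
    const account = (event.queryStringParameters || {}).account;
    if (!/^0x[0-9a-fA-F]{40}$/.test(account || '')) { // assumes an EVM address
      return { statusCode: 400, body: 'Bad Request' };
    }
    try {
      return { statusCode: 200, body: JSON.stringify(await migrate(account)) };
    } catch (err) {
      console.error('l2migration failed:', err); // details go to logs, not the response
      return { statusCode: 500, body: 'Internal Server Error' };
    }
  };
}
```

The generic 500 body is what closes the path-disclosure finding: stack traces and file paths stay in the function logs.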
Proof of concept
DOS Tools
BIC Response
Thank you for your report. Upon review, it seems what you have described is a generic DoS attack against the Beanstalk website. Reports of this type are not eligible to receive a bounty, thus we are closing the report and no reward will be issued.