Application Level DoS - Smoking with ‘null’ Again

Summary

Application-level Denial of Service (DoS) refers to a type of attack that aims to disrupt the availability or functionality of a web application by exploiting vulnerabilities or weaknesses in its software or infrastructure. Unlike traditional network-level DoS attacks that target network resources or infrastructure (e.g., flooding a server with excessive traffic), application-level DoS attacks specifically target the application layer, exploiting flaws in the application’s logic, design or implementation.

Description

Me and my friend found an application level denial of service on a private program on on of the platform. The program had an option of private vault and that private vault had different sub tabs namely Overview, Documentation, Attachments, Permissions, History and Logs. All the tabs contains different information about the vault and in documentation tab there was an option to upload a document file which we uploaded and intercepted the request using burpsuite. We found that the data in the file we uploaded was being encoded with a private key in the request and was passed in the “data” parameter (e.g. “data”:”Azc345gokvdg/et4htgb/w==”) and sent to the server so we removed the value of data parameter and replaced it with the predefined data type of the json parameter “null” (e.g. from “data”:”Azc345gokvdg/et4htgb/w==” to “data”:null) and sent the request to server. Then we reloaded the page and went to documentation tab and it went in permanent loading causing application level denial of service.

Anatomy of ‘null’ data type

In JSON (JavaScript Object Notation), the “null” data type represents the absence of a value. It is a special keyword used to denote a lack of data or a placeholder where a value could exist but is intentionally missing.

1. Syntax: In JSON syntax, the “null” value is represented by the keyword null. It is case-sensitive and must be written in lowercase.
2. Data Type: “null” is a primitive data type in JSON. It is not a string, number, boolean, array, or object. Instead, it stands on its own as a distinct value representing the absence of any specific data.
3. Semantic Meaning: The “null” value indicates that a particular property or attribute does not have a defined value. It signifies the intentional absence of data rather than an error or unknown value.

Common Use Cases

1. Missing or Undefined Values: “null” is commonly used to represent missing or undefined values in JSON data structures. For example, if a certain property in an object does not have a value assigned to it, it can be represented as null.
2. Resetting Values: “null” can be used to reset or clear the value of a property. For instance, setting a property to null can indicate that it should be considered empty or uninitialized.
3. Explicit Indication of Absence: Sometimes, it is necessary to explicitly indicate that a property has no value. In such cases, using “null” helps to convey this meaning unambiguously.

Prerequisites

1. Account A (Owner) should invite account B to his/her vault

How we found this vulnerability ?

1. We logged in with account A (owner) and created a private vault where we uploaded a confidential document

Private Vault - Account A (Owner)

Uploaded Confidential Document - Account A (Owner)

2. From account B (attacker) we went to that private vault, clicked on Add Document > gave the title and clicked on Add button

Private Vault - Account B (Attacker)

Title - Account B (Attacker)

3. We intercepted the request using burpsuite, replace the value of data parameter with null keyword > right clicked on the request > do intercept > response to this request

Request Intercepted - Account B (Attacker)

Adding null data type to data parameter - Account B (Attacker)

Response - 200 OK

4. Then we went to Documentation tab from account A (Owner) and it went in permanent loading causing application level denial of service

Permanent Application Level DoS on Document Tab - Account A (Owner)

Why this happened ?

In my opinion,

It happened because in many programming languages and frameworks, including JavaScript and JSON (JavaScript Object Notation), null is a special keyword that represents the absence of a value and when the application receives a parameter with a null value, it often triggers certain operations or logic that the application is not equipped to handle properly.

When we replaced the encoded data value with null data type in the request, the application encountered an unexpected behavior or errors during the processing of this input. This unexpected input caused the application’s logic to enter an unforeseen or infinite loop, leading to a state of permanent loading or unresponsiveness in the Documentation tab.

It is also possible that the application attempted to process the null value in a loop or recursive function, leading to an infinite loop scenario. This continuous processing of invalid input could consume significant CPU and memory resources, ultimately causing the application to become unresponsive.

Vulnerability Flow

Impact

The application level denial-of-service condition caused by the null data type on document upload request affects the availability of the application, making the document’s tab of private vault inaccessible. This downtime can disrupt legitimate user’s access to critical information stored within the vault, leading to operational disruptions and loss of productivity.

CVSS

Score - 4.3 Medium

Vector String - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Mitigation

It is recommended to implement below mentioned mitigations to fix this kind of issues:

1. If the parameter is set to null data type, handle this case properly without triggering any resource-intensive operations or infinite loops.
2. Enhance error handling mechanisms to properly handle unexpected input values like null data types
3. Implement server-side validation checks to verify the integrity and authenticity of data received from client requests.

Special thanks to - Sushil Ainani