Uploaded image for project: 'Support'
  1. Support
  2. SUP-81

Vulnerability to denial of service attack



    • Core: Platform
    • TBD


      Overview: A library raised the following issue after having several users rendered inactive due to invalid credential attempts. Please note that identifying information has been anonymized for this ticket submission:

      A system which has a publicly accessible log-in page and permanently locks an account after failed authentication attempts is vulnerable to a denial-of-service attack, which is aggravated if that system doesn't have source-based rate-limiting. To estimate our vulnerability, I created and set passwords for 10,000 test accounts in [a] test FOLIO instance.[2] Then I hastily put together and executed a command to lock those accounts:[3] It locked all 10,000 in less than twenty minutes.


      1. Our production FOLIO instance has [tens of thousands of] active accounts.


      1. To approximate the abilities of a mischievous freshman, I gave

           myself ten minutes to come up with this: I used my browser's

           debugger to capture the form submission at the log-in page as a

           Curl command and saved that as a script with the username

           parameterized such that:


             ./fail-login [username]


           would make one failed attempt to log in to my account. I then



             cat users users users users users |

                 xargs parallel-moreutils -j 100 \

                     "./fail-login.sh" –


           Our hypothetical freshman wouldn't have trouble getting a nearly

           complete list of real usernames to use, since anyone on [the university's]

           network can retrieve a list of campus usernames from [the university's]

           directory server or several other sources.



        Issue Links



              Unassigned Unassigned
              mdriscoll Molly Driscoll
              0 Vote for this issue
              6 Start watching this issue