Resource exhaustion via crafted body
Enrico204 opened this issue
Here the code is reading the body of the request:
traefik-modsecurity-plugin/modsecurity.go
Line 63 in 19cdb47
The problem with this technique is that an attacker can issue a request using an arbitrary body size (1 terabyte) and crash the server, creating a Denial-of-Service.
A possible mitigation is reading the body while using http.MaxBytesReader()
function, to limit the maximum body size. Possibly, the maximum size should be configurable.
I'm not aware of any other solution (with this middleware architecture, see #2 (comment)).
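As an added illustration of the mitigation proposed above (this is not the plugin's code, and the type and function names are assumptions), the middleware below buffers the request body the same way but wraps it in `http.MaxBytesReader` with a configurable cap. Reads past the cap fail with `*http.MaxBytesError` (Go 1.19+), the client gets a 413, and the server is told to close the connection instead of draining the rest of the stream. The `sendBody` helper drives the middleware with an in-memory request of a chosen size so the behaviour can be checked offline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// bodyInspector is a hypothetical middleware that buffers the request body
// before forwarding it (as the plugin does at the linked line), but caps how
// much it is willing to buffer. The names here are assumptions for this
// example, not the plugin's own.
type bodyInspector struct {
	next     http.Handler
	maxBytes int64 // configurable upper bound on the buffered body
}

func (b *bodyInspector) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// MaxBytesReader stops after maxBytes and, on overrun, asks the server to
	// close the connection so the client cannot keep streaming data at us.
	r.Body = http.MaxBytesReader(w, r.Body, b.maxBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError // returned by MaxBytesReader since Go 1.19
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	// Hand the buffered bytes to the next handler as a fresh body.
	r.Body = io.NopCloser(bytes.NewReader(body))
	b.next.ServeHTTP(w, r)
}

// sendBody runs a constructed request carrying bodyLen zero bytes through the
// middleware and reports the status code and how many bytes reached the next
// handler (0 when the request was rejected before forwarding).
func sendBody(maxBytes int64, bodyLen int) (status int, forwarded int) {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got, _ := io.ReadAll(r.Body)
		forwarded = len(got)
		w.WriteHeader(http.StatusOK)
	})
	mw := &bodyInspector{next: next, maxBytes: maxBytes}
	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(make([]byte, bodyLen)))
	rec := httptest.NewRecorder()
	mw.ServeHTTP(rec, req)
	return rec.Code, forwarded
}

func main() {
	// With a 1 KiB cap, a 512-byte body is forwarded and a 4 KiB body is refused.
	for _, n := range []int{512, 4096} {
		status, forwarded := sendBody(1024, n)
		fmt.Printf("body=%d bytes -> status %d, forwarded %d bytes\n", n, status, forwarded)
	}
}
```

The cap should be a plugin setting rather than a constant, and it only bounds what this middleware buffers; a body exactly at the limit is still accepted, while the first byte past it triggers the 413.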
It's a good idea indeed, even though I believe we could mitigate this using another middleware.
But this middleware shouldn't include some vulnerabilities.