Denial of Service attack on Parse.com app

I'm writing a small web application as I'm learning to use the features of Parse.com.

Since application_id and javascript_key are both public (as explained in the doc), it means anyone is free to run code like illustrated in the following snippet:

// Issues one query against the User class using only the public keys.
function sendRequest(){

    var query = new Parse.Query(Parse.User);
    query.find({

        success: function(results) {
            console.log("Request successful");
        },

        error: function(error) {
            console.log("Request error: " + error.code + " " + error.message);
        }
    });
}

// hitsPerSecond is a rate chosen by whoever runs the script; it is not
// defined anywhere in the snippet itself.
setInterval(sendRequest, (1000 / hitsPerSecond));

I think it can lead to "DOS" attacks pretty easily - anyone willing to bring this app down would only need to recover the public keys and send lots of requests.

Edit: Accounts have a request/s limit (the free plan begins at 30), but using this simple script one can saturate any subscription plan.

Considering this is correct, is there any good practice against this? Any pattern to apply?

Thanks in advance,

Jem asked Mar 11 '15 14:03


1 Answer

Yes, your Parse JavaScript keys are public

They have to be defined inside your JavaScript files, which can be openly accessed.

It is not said that you can't try to hide your keys by applying the principles of Security by Obscurity ;-)

You can encrypt your keys and place the decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)

It remains, however, possible, in principle, for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still, you can make it hard enough that the hacker will likely look for easier targets, of which there are plenty as we know ;-)

Reduce potential harm by setting correct permissions

Whether you applied the previous principles or not, your golden rule should be to tighten your Parse (or any other server, for that matter) permissions as much as possible.

This will prevent bad things like your data getting destroyed, which is worse than a DoS attack.

That would still permit anyone who knows your keys to abuse them, not only by DoS but also for more unpleasant things like signing up other people as users and unleashing a stream of confirmation emails to the unsuspecting victims. And since you probably want to allow new users to sign up, you can't really protect yourself from this abuse (except by the "methods" of the previous paragraph, that is).

Parse's own statement

A few years ago I actually asked that question on the Parse forum, and their answer was that, should that happen, they would look into it.

Final idea

Finally, assume your site's business is critical and you can't afford to wait for Parse in case that actually happens (it is not to say they would be slow; I really have no experience with that situation).

What you can then do is register several other application keys as a fall-back and keep a copy of your site, so you can quickly divert your users there. Or only divert some of them.

Dmitri Zaitsev answered Nov 03 '22 19:11
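The answer's "tighten your Parse permissions" advice in concrete form. This is an added example, not code from the question, the answer or the Parse SDK: it builds object ACLs in the JSON shape Parse stores them in (a "*" entry for the public, user-object-id entries, and "role:<name>" entries, each with read/write flags) and evaluates them with a simplified model of Parse's check. With the SDK you would write the same thing as `new Parse.ACL(user)` plus `setPublicReadAccess(...)` / `setPublicWriteAccess(...)`; the JSON is handled directly here so the example runs offline. The user ids and the role name are constructed for the demonstration. The point it shows: an anonymous caller holding only application_id and javascript_key can still read and still send requests, but can no longer delete or overwrite data once public write is off.

```javascript
// Added example: Parse-style ACL JSON built and evaluated without the SDK.
// The evaluation is a simplified model of Parse's ACL check, not Parse's code.

// Weak setting: with Parse's default class-level permissions, an object that
// carries no ACL is effectively readable and writable by anyone who has the
// public keys, so the same public keys that allow flooding also allow deletion.
const OPEN_ACL = { '*': { read: true, write: true } };

// Hardened setting: world-readable (or not), writable only by its owner.
function buildOwnerAcl(ownerId, { publicRead = true, publicWrite = false } = {}) {
  const acl = { '*': { read: publicRead, write: publicWrite } };
  acl[ownerId] = { read: true, write: true };
  return acl;
}

// Grant one operation ('read' or 'write') to every member of a role
// (the JSON counterpart of setRoleReadAccess / setRoleWriteAccess).
function grantRole(acl, roleName, op) {
  const key = 'role:' + roleName;
  acl[key] = Object.assign({}, acl[key], { [op]: true });
  return acl;
}

// requester is null for an anonymous caller that only has application_id and
// javascript_key, otherwise { userId, roles: [...] } for a logged-in user.
// An operation is allowed if the public entry, the user's own entry, or any
// of the user's role entries grants it.
function isAllowed(acl, requester, op) {
  const entries = [acl['*']];
  if (requester) {
    entries.push(acl[requester.userId]);
    for (const r of requester.roles || []) entries.push(acl['role:' + r]);
  }
  return entries.some((e) => e && e[op] === true);
}

// Deleting or overwriting an object requires write access.
function canDelete(acl, requester) {
  return isAllowed(acl, requester, 'write');
}

// Walk through the weak and hardened settings with constructed identities.
function demo() {
  const owner = { userId: 'u_owner_example', roles: [] };        // constructed id
  const other = { userId: 'u_other_example', roles: [] };        // constructed id
  const moderator = { userId: 'u_mod_example', roles: ['Moderators'] }; // constructed
  const anonymous = null;

  const weak = OPEN_ACL;
  const hardened = grantRole(buildOwnerAcl(owner.userId), 'Moderators', 'write');

  return {
    anonymousCanDeleteWeak: canDelete(weak, anonymous),               // true
    anonymousCanDeleteHardened: canDelete(hardened, anonymous),       // false
    anonymousCanReadHardened: isAllowed(hardened, anonymous, 'read'), // true
    otherUserCanDeleteHardened: canDelete(hardened, other),           // false
    ownerCanDeleteHardened: canDelete(hardened, owner),               // true
    moderatorCanDeleteHardened: canDelete(hardened, moderator),       // true
  };
}

console.log(demo());
```

Note what the ACL does and does not buy you: it removes the "data getting destroyed" outcome for anyone who only has the public keys, but every query still counts against the account's request limit, which is exactly why the answer treats permissions as harm reduction rather than a DoS fix.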