A normal user can create a playbook, that has some attributes like the run_summary_template
, retrospective_template
and description
,that don’t have any size check or validation, which allows an attacker to set an unlimited number of characters as their values.
In a production environment is possible to set up to 50MB of data, due to the default nginx configuration, as the run_summary_template
value. The creation of the playbook for itself is not sufficient to trigger an DoS attack in the application, but once this playbook is executed(run) the server starts to consume a large amount of computing resources, which causes to the server to stop responding to users requests and ultimately leads to server crash.
This attack is even worst because after the application is restarted, its not possible to the user who created the playbook run to finish its execution via the Web Portal, because both the channel created by the playbook run, and the run dedicated management page, don’t properly load, showing only a blank screen.
MMAUTHTOKEN
authentication token.run_summary_template
attribute value. Use F1893243POST
request to the plugins/playbooks/api/v0/playbooks
API endpoint:curl -X POST "http://<domain>/plugins/playbooks/api/v0/playbooks" -H 'Content-Type: application/json' -d @payload --cookie "MMAUTHTOKEN=<user-auth-token>" -H "X-CSRF-TOKEN: <csrf-token>"
A user can cause a full denial of service attack in the application server, making the application server unavailable to all its users.