
UAA has no protection against misuse/overuse of the API endpoints

Open torsten-sap opened this issue 2 years ago • 2 comments

How are you deploying the UAA?

I am deploying the UAA

  • using cf-release

What did you do?

Load tests against REST APIs, e.g. /oauth/token with a high amount of requests. This should simulate misuse/overuse of the API endpoints (e.g. by bots/scripts).

What did you expect to see? What goal are you trying to achieve with the UAA?

Some protection mechanism like rate limiting which ensures that the UAA only processes requests up to a certain threshold. All requests above the threshold are not processed. With such a mechanism it is ensured that the UAA still behaves as expected for all other users/applications that behave "normally".

What did you see instead?

UAA tries to process all requests without applying any protection mechanism. This means that UAA is vulnerable to misuse/overuse of the API endpoints.

torsten-sap avatar Aug 05 '22 15:08 torsten-sap
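The threshold behaviour the report asks for, as an added illustration that is not part of this issue and not UAA's own code: a per-key sliding-window limiter in front of an endpoint such as /oauth/token, with a constructed scenario in which one script sends 50 requests per second while a normal client sends 3. The key (client_id, or source IP for unauthenticated callers), the 20/s threshold and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` requests per `window_sec`.

    Keying by client_id (or source IP) means a script hammering /oauth/token
    exhausts only its own budget, so other callers keep being served.
    `clock` is injectable so the scenario below is deterministic.
    """

    def __init__(self, limit: int, window_sec: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_sec
        self.clock = clock
        self.hits: dict = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits that aged out
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True
        return False  # over threshold: the request is not processed


def handle_token_request(limiter: SlidingWindowLimiter, key: str) -> int:
    """Status a front-end filter would return: 200 pass-through, 429 rejected."""
    return 200 if limiter.allow(key) else 429


class FakeClock:
    """Constructed clock (assumption) so the burst below is reproducible."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst() -> dict:
    """Constructed load: bot at 50 req/s, app at 3 req/s, threshold 20/s per key."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=20, window_sec=1.0, clock=clock)
    statuses = {"bot": [], "app": []}
    for i in range(50):
        statuses["bot"].append(handle_token_request(limiter, "bot"))
        if i % 20 == 0:  # the well-behaved app sends 3 requests in the same second
            statuses["app"].append(handle_token_request(limiter, "app"))
        clock.advance(0.02)
    clock.advance(1.0)  # one full window later the bot's budget has recovered
    result = {k: (v.count(200), v.count(429)) for k, v in statuses.items()}
    result["bot_after_window"] = handle_token_request(limiter, "bot")
    return result
```

Applied to the issue's scenario, the bot gets 20 requests processed and 30 rejected with 429, while the app's 3 requests all pass; a real deployment would also need the counters shared across UAA instances.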

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/182916607

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Aug 05 '22 15:08 cf-gitbot

We are trying to write automated performance and load tests for the UAA, which should help catch potential issues like the one described here.

bruce-ricard avatar Aug 08 '22 17:08 bruce-ricard