DOS attack

Open areisenb opened this issue 7 years ago • 4 comments

It seems one could easily perform a DOS attack by:

  • sending a REST request to an API path not specified in swagger
  • altering this path (or even just the query parameters) with each request
  • performing this, scripted, for about a week or so
  • patiently waiting - memory consumption will grow until the service runs OOM

I am afraid that (at least in 0.94.1) it is caused by "swsProcessor.prototype.processResponse" in swsProcessor.js, line 332: req.sws.api_path = (route_path!=''?route_path:req.originalUrl); which could result in a bad experience.

Q: Why not simply make req.sws.api_path an empty string in this scenario? Or even skip detailed statistics for such requests? Or did I miss any configuration option to prevent this?

areisenb avatar Mar 15 '18 17:03 areisenb

Very valid point, this is the scenario to be addressed by #15

Q: Why not simply make req.sws.api_path an empty string in this scenario? Or even skip detailed statistics for such requests?

The main reason is that I did not want to lose any information about incoming requests, even if the request is not specified in swagger or matched to an express route. Perhaps that could be made optional as well, i.e. introduce an option that would enable setting a single api_path for such requests, like "unknown".

sv2 avatar Mar 16 '18 04:03 sv2

I believe that you can now prevent this by using swaggerOnly=false option.

edit: oops I meant swaggerOnly=true

briankinney avatar Aug 16 '18 17:08 briankinney

hi, @briankinney you mean swaggerOnly = true?

a-wf avatar Feb 14 '19 13:02 a-wf

Yes I did mean that. Thanks for correcting.

briankinney avatar Feb 14 '19 18:02 briankinney