The willingness of the system to follow links when resolving overlay images allows for fairly simple and potent denial of service attacks.
For example, using a URL shortener I was able to craft the following URL https://ppaas.herokuapp.com/partyparrot?overlay=https://tiny.cc/FaCzXsWad which hangs the API. It would be fairly easy to deny service completely with just a few calls to the server. The link in the overlay maps back to the full URL.
Either redirects should never be followed, or the redirect needs to be checked for self reference.
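The two mitigations proposed in the report (never follow redirects, or follow them only after checking each hop for self reference) can both be implemented with one resolver that follows redirects by hand instead of letting the HTTP client do it. The following is an added example and not the ppaas project's own code or code from the reporter. It assumes the service's own hostname is `ppaas.herokuapp.com` (taken from the URL in the report) and stands in for the network with a constructed redirect table; in production the `lookup` callback would be an HTTP HEAD or GET with automatic redirects disabled (for example Node's `fetch` with `redirect: "manual"`), awaited on each hop.

```javascript
// Added example: resolve an overlay URL while refusing redirects that point
// back at the service itself, and capping the number of hops followed.
// Assumption: the service answers on ppaas.herokuapp.com (from the report).
const SELF_HOSTS = new Set(["ppaas.herokuapp.com"]);
const MAX_REDIRECTS = 5;

// True when the URL's host is one of the service's own hostnames.
function isSelfReference(url, selfHosts = SELF_HOSTS) {
  return selfHosts.has(url.hostname.toLowerCase());
}

// Walk a redirect chain manually. `lookup(href)` must return
// { status, location? } for one request WITHOUT following redirects.
// Setting opts.maxHops = 0 implements "never follow redirects".
function resolveOverlayUrl(startUrl, lookup, opts = {}) {
  const maxHops = opts.maxHops ?? MAX_REDIRECTS;
  const selfHosts = opts.selfHosts ?? SELF_HOSTS;
  let current;
  try {
    current = new URL(startUrl);
  } catch {
    return { ok: false, reason: "invalid-url", url: startUrl, hops: 0 };
  }
  for (let hops = 0; ; hops++) {
    // Only plain web fetches are acceptable for an overlay image.
    if (current.protocol !== "http:" && current.protocol !== "https:") {
      return { ok: false, reason: "bad-scheme", url: current.href, hops };
    }
    // Check every hop, not just the first: the shortener in the report
    // is harmless on its own and only the redirect target points home.
    if (isSelfReference(current, selfHosts)) {
      return { ok: false, reason: "self-reference", url: current.href, hops };
    }
    const resp = lookup(current.href);
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      if (hops >= maxHops) {
        return { ok: false, reason: "too-many-redirects", url: current.href, hops };
      }
      let next;
      try {
        // Location may be relative; resolve it against the current URL.
        next = new URL(resp.location, current);
      } catch {
        return { ok: false, reason: "invalid-url", url: resp.location, hops };
      }
      current = next;
      continue;
    }
    if (resp.status >= 200 && resp.status < 300) {
      return { ok: true, url: current.href, hops };
    }
    return { ok: false, reason: "fetch-failed", status: resp.status, url: current.href, hops };
  }
}

// Constructed redirect table standing in for the network (not real hosts).
const REDIRECT_TABLE = {
  // A shortener hop that bounces straight back to the service (the report's pattern).
  "https://short.example/abc": {
    status: 302,
    location: "https://ppaas.herokuapp.com/partyparrot?overlay=https://short.example/abc",
  },
  // A legitimate two-hop chain ending at an image, with a relative Location.
  "https://short.example/ok": { status: 301, location: "https://cdn.example/redirect" },
  "https://cdn.example/redirect": { status: 302, location: "/images/hat.png" },
  "https://cdn.example/images/hat.png": { status: 200 },
  // Two hosts redirecting to each other forever.
  "https://a.example/loop": { status: 302, location: "https://b.example/loop" },
  "https://b.example/loop": { status: 302, location: "https://a.example/loop" },
};

function tableLookup(href) {
  return REDIRECT_TABLE[href] ?? { status: 404 };
}
```

Calling `resolveOverlayUrl("https://short.example/abc", tableLookup)` refuses the request with reason `self-reference` after one hop, which is the case from the report; `resolveOverlayUrl("https://short.example/ok", tableLookup, { maxHops: 0 })` refuses any redirect at all. A complete SSRF guard for an image fetcher would also reject loopback and private address ranges after DNS resolution, which this example does not attempt.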