Skip to main content

Message flooding

Need

Mitigation of message flooding attacks

Context

  • Usage of Go 1.16 for developing efficient and scalable applications
  • Usage of Gin framework for building web applications in Go
  • Usage of net/http for creating HTTP servers in a Node.js application

Description

Non compliant code

package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

func main() {
	r := gin.Default()

	r.POST("/sendmessage", func(c *gin.Context) {
		phoneNumber := c.PostForm("phoneNumber")
		email := c.PostForm("email")
		message := c.PostForm("message")

		// Here we are sending the message without any rate limiting or checks
		sendMessage(phoneNumber, email, message)

		c.String(http.StatusOK, "Message sent")
	})

	r.Run()
}

func sendMessage(phoneNumber string, email string, message string) {
	// Code to send message to phone number and email
}

This code has a vulnerability where it accepts POST requests to the "/sendmessage" endpoint, which takes a phone number, an email, and a message as parameters. The function sendMessage is then called, which sends the message to the provided phone number and email.

The vulnerability lies in the lack of rate limiting or checks on the number of messages that can be sent. This means that an attacker could potentially send a large number of messages to a victim's phone number or email, causing their inbox to become saturated and their resources to be consumed. This is known as a message flooding attack. There is no mechanism in place to prevent or limit such an attack.

Steps

  • Implement rate limiting to restrict the number of messages that can be sent within a certain time frame.
  • Validate the phone number and email address to ensure they are in the correct format before sending the message.
  • Consider implementing a CAPTCHA or other form of user verification to prevent automated flooding of messages.
  • Monitor and log message sending activity to detect any suspicious or excessive usage.
  • Consider implementing a queue system to handle message sending asynchronously and prevent overload of resources.
  • Implement proper error handling and response codes to inform the user if there was an issue sending the message.

Compliant code

package main

import (
	"github.com/gin-gonic/gin"
	"github.com/didip/tollbooth"
	"github.com/didip/tollbooth_gin"
	"net/http"
	"regexp"
)

func main() {
	r := gin.Default()

	// Implement rate limiting
	limiter := tollbooth.NewLimiter(1, nil) // limit to 1 request per second

	r.POST("/sendmessage", tollbooth_gin.LimitHandler(limiter), func(c *gin.Context) {
		phoneNumber := c.PostForm("phoneNumber")
		email := c.PostForm("email")
		message := c.PostForm("message")

		// Validate phone number and email
		if !isValidPhoneNumber(phoneNumber) || !isValidEmail(email) {
			c.String(http.StatusBadRequest, "Invalid phone number or email")
			return
		}

		// Send the message
		sendMessage(phoneNumber, email, message)

		c.String(http.StatusOK, "Message sent")
	})

	r.Run()
}

func sendMessage(phoneNumber string, email string, message string) {
	// Code to send message to phone number and email
}

func isValidPhoneNumber(phoneNumber string) bool {
	// Add your phone number validation logic here
	return true
}

func isValidEmail(email string) bool {
	// Simple regex check for email format
	match, _ := regexp.MatchString(`^[\\w-]+(\\.[\\w-]+)*@([\\w-]+\\.)+[a-zA-Z]{2,7}$`, email)
	return match
}

The updated code includes several measures to prevent message flooding:

  1. Rate Limiting: We use the tollbooth library to limit the number of requests that can be made to the /sendmessage endpoint. This is set to 1 request per second, but can be adjusted as needed.

  2. Input Validation: Before sending the message, we validate the phone number and email address to ensure they are in the correct format. If either is invalid, we return a 400 Bad Request response.

  3. Error Handling: If there is an issue with the phone number or email validation, we return an error message to the user. This helps to inform the user of any issues and prevents unnecessary attempts to send the message.

Please note that this code does not include all the recommended measures such as CAPTCHA implementation, logging, queue system, and more. These would require additional libraries and setup. This code is a starting point and should be further enhanced based on your specific application needs and security requirements.

References

Last updated on