Summary
Missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to DoS attack.
Details
We have carried out an internal security audit of our application that uses mod_auth_openidc, and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie and set it to a very large integer, let's say 99999999, the server struggles with the request for a long time and finally responds with a 500 error. Making a few requests of this kind caused our server to become unresponsive.
Having the ability to configure a max value for mod_auth_openidc_session_chunks would mitigate this issue.
Is there a way to do this?
PoC
Setting up the Apache server
We have set the following settings which might be relevant:
OIDCSessionType client-cookie:store_id_token
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1 mod_auth_openidc_session_2 mod_auth_openidc_session_3 mod_auth_openidc_session_4 mod_auth_openidc_session_5 mod_auth_openidc_session_6 mod_auth_openidc_session_7 mod_auth_openidc_session_8 mod_auth_openidc_session_9
The directive OIDCSessionCookieChunkSize is unset (using the default value 4000, I think).
Making the DoS
- Open the application URL in the browser
- Sign in using correct credentials
- While using the application in signed in mode, open chrome dev tools and modify content of cookie mod_auth_openidc_session_chunks and set it to 99999999
- Refresh the page
- Apache + mod_auth_openidc will take some time, then return a 500
Impact
Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort
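The mitigation suggested under Details is a hard upper bound on the chunk count before the module ever loops over chunk cookies. The following is an added example in C and is not mod_auth_openidc's own code: the function names (parse_chunk_count, reassemble_session), the lookup callback and the MAX_SESSION_CHUNKS value are assumptions made here. The value 10 is chosen only because the OIDCStripCookies line above names chunk cookies 0 through 9; the real module may use a different bound or none.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many session cookie chunks a client may claim.
 * 10 matches the ten chunk cookies (mod_auth_openidc_session_0 .. _9) listed
 * in the OIDCStripCookies setting of this report; it is not a module default. */
#define MAX_SESSION_CHUNKS 10

/* Parse the mod_auth_openidc_session_chunks cookie value into a bounded,
 * positive chunk count. Returns 1 and writes *out on success; returns 0 and
 * leaves *out untouched if the value is missing, not a plain decimal integer,
 * zero, negative, or larger than max_chunks. A claimed count of zero carries
 * no session data and is treated as invalid here. */
int parse_chunk_count(const char *value, long max_chunks, long *out)
{
    if (value == NULL || *value == '\0' || max_chunks <= 0)
        return 0;

    /* Accept ASCII digits only: no sign, whitespace, hex prefix or trailing
     * characters, so strtol cannot be steered into a surprising parse. */
    for (const char *p = value; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return 0;
    }

    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return 0;              /* overflow or nothing parsed */
    if (n < 1 || n > max_chunks)
        return 0;              /* outside the configured bound */

    *out = n;
    return 1;
}

/* Callback that returns the value of chunk cookie number idx, or NULL when
 * that cookie is absent from the request. */
typedef const char *(*chunk_lookup_fn)(long idx, void *ctx);

/* Rebuild the session value from its chunks. Returns a malloc'ed string, or
 * NULL if the claimed count fails validation or any chunk is missing. Because
 * parse_chunk_count runs first, the loop is bounded by max_chunks regardless
 * of what the client wrote into the cookie. */
char *reassemble_session(const char *chunks_cookie, long max_chunks,
                         chunk_lookup_fn lookup, void *ctx)
{
    long n;
    if (!parse_chunk_count(chunks_cookie, max_chunks, &n))
        return NULL;

    size_t total = 0;
    for (long i = 0; i < n; i++) {
        const char *c = lookup(i, ctx);
        if (c == NULL)
            return NULL;       /* stop at the first missing chunk */
        total += strlen(c);
    }

    char *buf = malloc(total + 1);
    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    for (long i = 0; i < n; i++)
        strcat(buf, lookup(i, ctx));
    return buf;
}

/* Constructed sample: three chunk values backed by a plain array, standing in
 * for the mod_auth_openidc_session_0 .. _2 cookies of a request. */
static const char *sample_chunks[] = { "abc", "def", "ghi" };

const char *array_lookup(long idx, void *ctx)
{
    (void)ctx;
    if (idx < 0 || idx >= 3)
        return NULL;
    return sample_chunks[idx];
}

int main(void)
{
    const char *inputs[] = { "3", "99999999", "-1", "0x10", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *s = reassemble_session(inputs[i], MAX_SESSION_CHUNKS, array_lookup, NULL);
        printf("chunks=\"%s\" -> %s\n", inputs[i], s ? s : "rejected");
        free(s);
    }
    return 0;
}
```

With the bound in place, a cookie claiming 99999999 chunks is rejected by a single integer comparison instead of driving a loop over tens of millions of cookie lookups; a count within the bound is still checked chunk by chunk, so a missing chunk cookie fails fast as well.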