Support #67

VAS

Added by Josip Almasi almost 3 years ago. Updated over 2 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Start date: 05/13/2021
Due date:
% Done: 0%
Estimated time:
Files

vrspace-report-20210703.zip (1.67 MB), Josip Almasi, 07/05/2021 01:22 PM

History

#1

Updated by Josip Almasi almost 3 years ago

  • Status changed from New to In Progress
#2

Updated by Josip Almasi almost 3 years ago

Server secure enough to prevent peer exploits.
Clients not closing connections (SYN) may cause resource leaks. TODO: TCP keepalive.

#3

Updated by Josip Almasi almost 3 years ago

Practical websocket connection limit around 5000. DoS potential. Best protection at reverse proxy.
https://serverfault.com/questions/252555/limit-simultaneous-connections-per-ip-with-apache2

The defaults are maxConnections=10,000 and maxThreads=200
https://stackoverflow.com/questions/24678661/tomcat-maxthreads-vs-maxconnections
https://stackoverflow.com/questions/39644830/what-are-acceptcount-maxconnections-and-maxthreads-in-tomcat-http-connector-con

Implement local per-client connection limit in SessionManager.afterConnectionEstablished(), using session.getRemoteAddress()

#4

Updated by Josip Almasi over 2 years ago

• Denial of service through resource exhaustion [MEDIUM]
It is possible to use all websockets from a single source.
• Components with known vulnerabilities [LOW]
Application uses several older versions of dependencies that have since been
updated due to vulnerabilities found in them:
- jquery version 3.3.1.min
- bcprov-jdk15on-1.64
- neo4j-java-driver-4.0.2
- Spring-core-5.2.14
• Parameter injection [LOW]
It is possible to inject a parameter pair ["parameter":"value"] that will be
forwarded to other clients within the same world.
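One way to implement the per-client limit proposed in #3, which is also the fix for the MEDIUM resource-exhaustion finding in #4, as an added example that is not VRSpace's own code: a Spring TextWebSocketHandler that counts live sessions per client address in afterConnectionEstablished() and closes the session when a client exceeds the limit. The class name, the limit value, the session attribute key and the clientKey()/admit()/release() helpers are assumptions; only the Spring types (TextWebSocketHandler, WebSocketSession, CloseStatus) and their methods are real.

```java
package org.vrspace.example; // hypothetical package, not the project's

import java.net.InetSocketAddress;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.web.socket.CloseStatus;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.handler.TextWebSocketHandler;

/**
 * Per-client websocket connection limit (added example, not VRSpace code).
 * VRSpace's SessionManager also extends TextWebSocketHandler, so the same
 * two callbacks are the place to hook this in.
 */
public class PerClientLimitHandler extends TextWebSocketHandler {

  /** Session attribute under which the counted key is stored (assumed name). */
  static final String KEY_ATTR = "clientKey";

  /** Maximum concurrent sessions allowed per client address (assumed value, e.g. 8). */
  private final int maxPerClient;

  /** Whether the first X-Forwarded-For hop may be trusted (only behind our own proxy). */
  private final boolean trustForwardedFor;

  /** Live session count per client address; Tomcat calls the handler from many threads. */
  private final Map<String, Integer> perClient = new ConcurrentHashMap<>();

  public PerClientLimitHandler(int maxPerClient, boolean trustForwardedFor) {
    this.maxPerClient = maxPerClient;
    this.trustForwardedFor = trustForwardedFor;
  }

  /**
   * Address to count against. Behind a reverse proxy getRemoteAddress() is the
   * proxy itself, so all clients would share one bucket; use the first
   * X-Forwarded-For hop instead, but only when the proxy is known to set it,
   * otherwise the header is attacker-controlled and bypasses the limit.
   */
  String clientKey(WebSocketSession session) {
    if (trustForwardedFor) {
      String xff = session.getHandshakeHeaders().getFirst("X-Forwarded-For");
      if (xff != null && !xff.trim().isEmpty()) {
        return xff.split(",")[0].trim();
      }
    }
    InetSocketAddress addr = session.getRemoteAddress();
    return addr == null ? "unknown" : addr.getAddress().getHostAddress();
  }

  /**
   * Atomically reserve a slot for the key. compute() runs under the map's
   * per-key lock, so two racing handshakes from one client cannot both
   * slip under the limit. Returns false (and reserves nothing) when full.
   */
  boolean admit(String key) {
    int[] after = {0};
    perClient.compute(key, (k, n) -> {
      int current = n == null ? 0 : n;
      after[0] = current + 1;
      return after[0] > maxPerClient ? n : after[0]; // unchanged when over limit
    });
    return after[0] <= maxPerClient;
  }

  /** Give the slot back; drop the entry entirely at zero so the map cannot grow unbounded. */
  void release(String key) {
    perClient.computeIfPresent(key, (k, n) -> n <= 1 ? null : n - 1);
  }

  /** Current count for a key, for monitoring or tests. */
  int count(String key) {
    return perClient.getOrDefault(key, 0);
  }

  @Override
  public void afterConnectionEstablished(WebSocketSession session) throws Exception {
    String key = clientKey(session);
    if (!admit(key)) {
      // Reject before any world state is allocated for this session. The
      // attribute is deliberately NOT set, so the close callback below
      // will not release a slot that was never taken.
      session.close(CloseStatus.POLICY_VIOLATION.withReason("too many connections"));
      return;
    }
    session.getAttributes().put(KEY_ATTR, key);
    // ... normal session setup (world, client object) would follow here
  }

  @Override
  public void afterConnectionClosed(WebSocketSession session, CloseStatus status) throws Exception {
    Object key = session.getAttributes().get(KEY_ATTR);
    if (key != null) {
      release(key.toString());
    }
  }
}
```

Counting in afterConnectionEstablished() is the cheapest point to reject: the socket exists but nothing has been allocated for it yet. It complements rather than replaces the reverse-proxy limit recommended in #3: the proxy sees real client addresses and absorbs half-open connections before they reach Tomcat, while the handler protects the server when it is reached directly. The Tomcat knobs cited in #3 are exposed by Spring Boot as server.tomcat.max-connections, server.tomcat.threads.max (server.tomcat.max-threads before Boot 2.3) and server.tomcat.accept-count; they cap the whole server, not a single client, which is exactly why one source can still consume every websocket without a per-client limit.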
