Unsafe Date Range

Severity: Medium
Test name: Unsafe Date Range
Test ID: date_manipulation
Summary

Unvalidated Date Range is a type of vulnerability that might cause DoS and other types of resource consumption. This vulnerability usually occurs in dynamic tables where a user can set a date range to get information, or reports generation interfaces where the user can specify a date range. The issue comes into play where the range is not limited to a specific reasonable timeframe (one week, one month for example).

Impact

The vulnerability allows an attacker to:

  • Execute unauthorized code or commands
  • Read and modify memory
  • Read files or directories
  • Cause denial of services (DoS)
Example
  1. Let's assume we have functionality that displays all orders in a store for a certain period of time:
https://{your_web_site}.com/orders?startDate=2021-01-01&endDate=2021-01-07
  1. As a result, the user can see a list of orders for one week. The request took about 0.2 seconds.
  2. By changing the requests parameters, an attacker can select an excessively long period of time, which will result in an unwanted load on the server.
https://{your_web_site}.com/orders?startDate=2019-01-01&endDate=2021-01-01
  1. As a result, the attacker can see a list of orders for two years. The request took an unexpectedly long time (for example, 10 seconds), and the server has been under unnecessary and unwanted load.

  2. The attacker can make similar requests in large amounts to cause the server to run out of resources and crash the system.

Location
  • The issue can be found in the source code on the server side.
  • The issue can be found in the source code on the client side.
Remedy suggestions

It is necessary to fully validate and restrict the date range selection available to the user on both the client and the server sides. Depending on the usage scenario, select the minimum and maximum dates, dates range and apply strict validation to these parameters.

In the situations where you need to keep an extensive date range (for example, preparation of annual reports), consider moving the business logic to a separate component that will run in the background (for example, microservice) and will be protected from DOS attacks.

Classifications
  • CWE-20
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References