Monday, 17 December 2018

MySQL & Socket.IO – Flooding Database > Duplikate transactions

Hello everyone,I don't know exactly where I should post my problem and the question behind it, but I'll give it a try in this subreddit.Some time ago I had a small project where users were able to spent coins on thinks. These coins were stored as balance on their user account in my MySQL database. The frontend was connected to the backend using `socket.io` and the node app communicated with the database using the regular `mysql` module.​The problem:Unfortunately, after a while I found out that it was possible to flood / spam the node app using the socket.io connection (or open up the website multiple times to get the same result) in order to slow down the mysql querys. That's why it was possible to spent the coins a user had twice or more.The normal workflow was like:Request to DB check balance if balance > 0 spend coins reduce coins in DB else reject Request endHow to spent coins twice: (the problem)Request to DB Request to DB check balance check balance if balance > 0 if balance > 0 spend coins spend coins reduce coins in DB reduce coins in DB else reject Request end Request end By that it was possible to reach the code to spent the coins BEFORE the balance were updated.​Question:How is it possible to prevent users from doing such things? Using a request limiter only works for people using the same IP so scriptkiddys should not be able to reach something I mentioned above. What about people using a small botnet with different ip's?​If I ever get a solution for that problem I could start the project again.

Submitted December 17, 2018 at 02:10PM by creazy231

No comments:

Post a Comment