No rate limiting on POST /link allows database flooding and bulk phishing-link generation #5

Open
opened 2026-05-14 20:29:57 +02:00 by Claude · 0 comments

Problem

The POST /link endpoint in Shortener.php creates a new database row for every request. There is no authentication, CAPTCHA, IP-based throttling, or any other admission control.

Location

src/Controller/Shortener.php, lines 17–37

Risk

An attacker can flood the endpoint with automated requests, exhausting MySQL database storage with junk rows. The same weakness allows the service to be weaponised as a phishing-link factory at scale — generating millions of obfuscated URLs pointing to malicious destinations in bulk. There is no mechanism to revoke or audit links created this way.

Suggested fix direction

Add a rate-limiting layer at the application level (e.g., Symfony RateLimiter component) or at the reverse-proxy/WAF level. Consider requiring a CAPTCHA or a simple API key for link creation.
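As an added illustration of the application-level option (example code, not part of OpenLink or this issue), the sketch below gates the `POST /link` handler with the Symfony RateLimiter component before any row is written. The limiter name `link_creation`, its `sliding_window` policy of 10 requests per minute, the action name `create`, and the autowired argument `$linkCreationLimiter` are all assumptions for the example.

```php
<?php
// Added example, not the project's code: per-client throttling for POST /link
// with the Symfony RateLimiter component. Assumes symfony/rate-limiter is
// installed and this limiter is declared in config/packages/framework.yaml:
//
//   framework:
//       rate_limiter:
//           link_creation:
//               policy: 'sliding_window'
//               limit: 10
//               interval: '1 minute'
//
// That declaration registers the service "limiter.link_creation", which Symfony
// autowires into a constructor or action argument named $linkCreationLimiter.

namespace App\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactory;

class Shortener
{
    // Hypothetical action name; the real POST /link handler lives at lines 17-37.
    public function create(Request $request, RateLimiterFactory $linkCreationLimiter): Response
    {
        // Key the limiter on the client IP. Behind a reverse proxy this only works
        // if trusted proxies are configured, so getClientIp() takes the address from
        // the proxy's X-Forwarded-For header rather than from the client.
        $limiter = $linkCreationLimiter->create($request->getClientIp() ?? 'unknown');
        $limit = $limiter->consume(1);
        if (!$limit->isAccepted()) {
            // Reject before touching the database; tell well-behaved clients when to retry.
            return new JsonResponse(
                ['error' => 'Too many link-creation requests'],
                Response::HTTP_TOO_MANY_REQUESTS,
                [
                    'Retry-After' => max(0, $limit->getRetryAfter()->getTimestamp() - time()),
                    'X-RateLimit-Limit' => $limit->getLimit(),
                    'X-RateLimit-Remaining' => $limit->getRemainingTokens(),
                ]
            );
        }

        // ... the existing validation and INSERT of the short link go here ...
        return new JsonResponse(['status' => 'created'], Response::HTTP_CREATED);
    }
}
```

A per-IP key alone is easy to spread across many source addresses, so pairing it with the CAPTCHA or API-key admission control suggested above, or with a second limiter keyed on the API key, is the more robust combination.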

Severity

moderate

Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLink#5