๐ Twitter: character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error
๐ก Newskategorie: Sicherheitslรผcken
๐ Quelle: vulners.com
Summary: If you are creating a new moment on https://twitter.com/{username}/moments you get redirected to https://twitter.com/i/moments/edit/{moments-id}. There you can set a title, a description and also you can add, if you want, a Tweet to your Moment. The title and also the description are theoretically limited to 60 characters for the title and 250 characters for the description. I was able to bypass this character limitation and cause an 500 Internal Server Error Response and, during this process of investigation, a heavy load on the Android App, while I'm sending over a lot of characters with the request to create Twitter Moments which, in the end, cause this heavy load. Description: I started up BurpSuite to investigate how the creation of this Moments work. First of all, when you are on the https://twitter.com/{username}/moments page and you click on the tiny symbol in the middle right hand corner, I intercepted the following request for creating a moment: {F747462} In this request is nothing set. No title, no description, nothing. Because you get redirected to https://twitter.com/i/moments/edit/{moments-id} where you can edit everything on a beautiful Web UI. So at this point I can resend the request to create every single time a new empty moment with a new ID. I thought "What would happen, if I fill in the empty quotes for the title and description params with tons of characters?!". I tried one request after the other with more and more characters until I've got a... ...