Chat Flooding Prevention

Our company's ethical hacker wrote a macro with which he can send an unlimited number of messages over XMPP in no time; it can affect the Openfire server and database. Please note that it is a public chat in which we cannot implement a captcha and cannot authenticate the user before starting the chat. Could we do anything to prevent this? We also restrict CORS to our domains.

Thank you in advance.

As far as I know, there is limited support in Openfire to control the amount of data that a single user can send to Openfire. This can be achieved by tweaking the settings for xmpp.client.maxReadBufferSize and xmpp.client_ssl.maxReadBufferSize, which control the amount of memory available to accept client data from the network (before it is processed).

Additional protection could be created by adding more specific interceptors, but to the best of my knowledge, those are not in the works yet.
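An added example of the kind of interceptor mentioned above (not code from the thread or from the Openfire project): a plugin that registers a PacketInterceptor and rejects incoming messages from any single session that exceed a per-window message count or a body-size cap. The class name, package-less layout and the limits (20 messages per 10 seconds, 4096 characters) are assumptions for illustration, and a real plugin also needs its plugin.xml descriptor.

```java
import java.io.File;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.jivesoftware.openfire.container.Plugin;
import org.jivesoftware.openfire.container.PluginManager;
import org.jivesoftware.openfire.interceptor.InterceptorManager;
import org.jivesoftware.openfire.interceptor.PacketInterceptor;
import org.jivesoftware.openfire.interceptor.PacketRejectedException;
import org.jivesoftware.openfire.session.Session;
import org.xmpp.packet.Message;
import org.xmpp.packet.Packet;

/** Drops messages from any one session that exceed a per-window count or a size cap. */
public class ThrottlePlugin implements Plugin, PacketInterceptor {
    // Illustrative limits (assumption): 20 messages per 10 s, 4096 characters per body.
    private static final int MAX_MESSAGES_PER_WINDOW = 20;
    private static final long WINDOW_MILLIS = 10_000L;
    private static final int MAX_BODY_CHARS = 4096;

    // Fixed-window counter per session: start of the current window and count within it.
    private static final class Window { long start; int count; }
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    @Override public void initializePlugin(PluginManager manager, File pluginDirectory) {
        InterceptorManager.getInstance().addInterceptor(this);
    }
    @Override public void destroyPlugin() {
        InterceptorManager.getInstance().removeInterceptor(this);
        windows.clear();
    }

    @Override
    public void interceptPacket(Packet packet, Session session, boolean incoming, boolean processed)
            throws PacketRejectedException {
        // Only inspect client-originated messages once, before Openfire routes them.
        if (!incoming || processed || session == null || !(packet instanceof Message)) return;
        String body = ((Message) packet).getBody();
        if (body != null && body.length() > MAX_BODY_CHARS) {
            throw new PacketRejectedException("message body exceeds " + MAX_BODY_CHARS + " characters");
        }
        // Key on the stream id so anonymous sessions are still tracked individually.
        String key = session.getStreamID().getID();
        long now = System.currentTimeMillis();
        Window w = windows.computeIfAbsent(key, k -> new Window());
        synchronized (w) {
            if (now - w.start > WINDOW_MILLIS) { w.start = now; w.count = 0; }
            if (++w.count > MAX_MESSAGES_PER_WINDOW) {
                throw new PacketRejectedException("rate limit exceeded for session " + key);
            }
        }
    }
}
```

Because the chat is anonymous, the counter is keyed on the stream id and therefore bounds volume per connection only; a sender that opens many connections needs a separate connection-level limit, and entries for closed sessions should be evicted (for example from a SessionEventListener) so the map does not grow unbounded.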

Thank you very much @guus, do these properties control the amount of data in a single message or in a single session?

They are per session.

Hi @guus, sorry to tell you that these properties are not working. We set the values to 1 MB, and we have also updated Openfire to the latest version. The hacker is still able to send a 5 MB string an unlimited number of times. Could you please help us?

Hi Talha. I’m sorry to hear that the existing settings do not provide enough functionality for you. More can certainly be put in place through development, but that is an effort that is not currently in the works.

To have this added to Openfire in the fastest way possible, I advise you to either develop the implementation yourself (and possibly provide it to the upstream Openfire project), or engage one of our professional partners to have them build the work for you (for full disclosure: my company is one of the organisations listed there).