Wordpress Marketo API calls

Glenn_Green_Hat
Level 1

Wordpress Marketo API calls

We've installed the Marketo Forms and Tracking by HutchHouse. This is causing more than 60-70 API calls per second to the admin_ajax which slows down the entire site.

How can this be fixed?

The function being called is marketo_ajax_get_lead.

SanfordWhiteman
Level 10 - Community Moderator

Re: Wordpress Marketo API calls

This vulnerability cannot be fixed while preserving functionality. Ultimately, this plugin -- like all API-consuming, user-facing widgets -- is not suitable for professional use. Any malicious user can easily rack up all your daily API calls (and a high-traffic site can exceed limits from legit use alone!).

Casey_Grimes
Level 10

Re: Wordpress Marketo API calls

Hi Glenn,

There's a newer plugin that was released a few months ago I really quite like: it actually uses the REST API correctly to perform the same basic functionality.

Ultimate Marketo Forms — WordPress Plugins

SanfordWhiteman
Level 10 - Community Moderator

Re: Wordpress Marketo API calls

Does it really stop me from using all your API calls if I'm in the mood? How does it throttle while maintaining functionality?

Casey_Grimes
Level 10

Re: Wordpress Marketo API calls

Well, I'd argue your first line there should be a WAF, adjusting your server's rate limits and modifying php.ini before even starting to worry about hardening a WordPress plugin, but let's entertain this thought.

Putting a basic PHP rate limiter to allow ajax_check_mkrto_lead() to be called once every couple of seconds (or better yet, just cookie the returned values) for prefill purposes wouldn't be that hard, and everything else uses standard Forms 2.0.

Though having user-defined rate limits on the REST API in general would be quite interesting. It's not as though separate users aren't being set up to monitor different access points as-is for the vast majority of folks.

For what it's worth, I did at least attempt to reach out to the author of this plugin a couple months ago and they didn't reply.

SanfordWhiteman
Level 10 - Community Moderator

Re: Wordpress Marketo API calls

I disagree: a WAF can't realistically protect a back end that is capable of an absolute maximum of 50K requests per day. (That's assuming there are no other integrations, ever, which is a huge stretch.)

If you had a webserver that could only serve 50K connections over the entire day, the right thing is to not connect it to the internet, since even a trickle of requests from a tiny range of attackers will get past WAF limits. And if you tuned the WAF limits low enough to stop such an attack, you'd also make the server unusable for legit traffic.

Caching the returned values for unique sessions is only feasible for legitimate traffic (and still under 50K new visitors per day). The moment you get malicious traffic, every hit is going to look unique.

Such a plugin being both functional and resilient is pretty much impossible. The best they could do is consume only a fixed number of API calls per day... at least then you'd guarantee your other integrations wouldn't be affected, even though this one would be easily brought down.
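As an added illustration of the two mitigations discussed in this thread (Casey's per-client throttle / cookie-the-result idea, and Sanford's point that the one thing a plugin can guarantee is a fixed daily spend), here is a guarded admin-ajax prefill handler for WordPress. It is example code written for this page, not code from the HutchHouse or Ultimate Marketo Forms plugins; the action name `mkto_get_lead`, the transient keys, the budget numbers and the wrapper `mkto_fetch_lead_from_api()` are all assumptions.

```php
<?php
// Added example (not from the thread or either plugin): a WordPress admin-ajax prefill
// handler wrapped in (a) a per-client result cache, (b) a short per-client throttle and
// (c) a hard daily budget of upstream Marketo API calls. A flood of requests can at most
// exhaust this plugin's own allowance, never the instance-wide quota other integrations share.
// mkto_fetch_lead_from_api(), the action name and the constants below are assumptions.

const MKTO_DAILY_BUDGET     = 2000;  // assumed: slice of the instance's daily quota reserved for prefill
const MKTO_PER_CLIENT_DELAY = 5;     // seconds between upstream attempts for one client
const MKTO_LEAD_CACHE_TTL   = 3600;  // seconds to cache a looked-up lead for one client

// One budget transient per calendar day in the site's timezone.
function mkto_budget_key() {
    return 'mkto_prefill_budget_' . current_time( 'Y-m-d' );
}

// Reserve one upstream call from today's budget; returns false once the budget is spent.
// Caveat: get/set on a transient is not atomic, so a burst can overshoot the cap slightly;
// with a persistent object cache, wp_cache_incr() gives an exact counter instead.
function mkto_reserve_api_call() {
    $key  = mkto_budget_key();
    $used = (int) get_transient( $key );
    if ( $used >= MKTO_DAILY_BUDGET ) {
        return false;
    }
    set_transient( $key, $used + 1, DAY_IN_SECONDS );
    return true;
}

// Client identity for the throttle and cache: the Munchkin tracking cookie, else the client IP.
// Hashed so the raw cookie value never becomes part of a cache key.
function mkto_client_id() {
    $raw = isset( $_COOKIE['_mkto_trk'] ) ? $_COOKIE['_mkto_trk'] : $_SERVER['REMOTE_ADDR'];
    return hash( 'sha256', $raw );
}

function mkto_client_throttled( $client ) {
    return (bool) get_transient( 'mkto_throttle_' . $client );
}

// Assumed wrapper around the plugin's existing REST lookup (lead by cookie value).
function mkto_fetch_lead_from_api( $client ) {
    // ... the plugin's own authenticated GET to the Marketo REST API goes here ...
    return array( 'email' => '', 'firstName' => '', 'lastName' => '' );
}

// Prefill runs for logged-out visitors, hence both the nopriv and the logged-in hook.
add_action( 'wp_ajax_nopriv_mkto_get_lead', 'mkto_ajax_get_lead_guarded' );
add_action( 'wp_ajax_mkto_get_lead',        'mkto_ajax_get_lead_guarded' );

function mkto_ajax_get_lead_guarded() {
    $client = mkto_client_id();

    // 1. Serve repeat visitors from the per-client cache: no upstream call at all.
    $cached = get_transient( 'mkto_lead_' . $client );
    if ( false !== $cached ) {
        wp_send_json_success( $cached );
    }

    // 2. Per-client throttle: one upstream attempt per MKTO_PER_CLIENT_DELAY seconds.
    if ( mkto_client_throttled( $client ) ) {
        wp_send_json_error( array( 'reason' => 'throttled' ), 429 );
    }
    set_transient( 'mkto_throttle_' . $client, 1, MKTO_PER_CLIENT_DELAY );

    // 3. Daily budget: fail closed (no prefill) rather than spend quota other integrations need.
    if ( ! mkto_reserve_api_call() ) {
        wp_send_json_error( array( 'reason' => 'daily_budget_exhausted' ), 503 );
    }

    $lead = mkto_fetch_lead_from_api( $client );
    set_transient( 'mkto_lead_' . $client, $lead, MKTO_LEAD_CACHE_TTL );
    wp_send_json_success( $lead );
}
```

Steps 1 and 2 only help with legitimate traffic, exactly as Sanford says: a client that presents a fresh cookie or address on every request defeats both the cache and the throttle. Step 3 is the part that actually bounds the damage, so the budget check sits closest to the upstream call and the handler degrades to "no prefill" instead of "no API for anyone". Counting upstream calls (not incoming requests) is deliberate: cache hits and throttled requests cost nothing against the Marketo quota and should not be charged to it.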

Casey_Grimes
Level 10

Re: Wordpress Marketo API calls

I had written a more detailed answer before realizing it was getting way, way too TMI for this venue, but I'll say this much: every enterprise Marketo instance I've seen that is also using WordPress is only using it as one part of a much larger web presence. Most are using API for form submit but not prefill. The ones that use prefill are easily under 25K sessions a month. They're not making a dent in the massive API call limits companies of that size have.

The clientele these plugins are being pitched to are SMB companies for the most part. These companies are lucky if they get 30K sessions a month across their entire site. While I could see someone trying to DDoS them, it wouldn't be their public-facing sites.

I mean, if the whole point of this is to say "yeah, you could theoretically blow through 50,000 calls in less than three hours via a malicious party and that's why you shouldn't use prefill via API," I'm just not sure how...realistic that is. Anyone who needs this protection already has it via other means. Everyone else is in a low enough risk pool that this probably is going to be maybe the tenth most interesting way to really disrupt their systems.

SanfordWhiteman
Level 10 - Community Moderator

Re: Wordpress Marketo API calls

To my mind, security and availability should be paramount for everyone given the current threat landscape. It's plain reckless to roll out functionality that's so easily disrupted (let alone one which has the capacity to disrupt other back-end systems). Our financial clients are technically SMB-sized, but they wouldn't think of introducing any of this stuff: it's an incident report waiting to happen, and their malicious probes are 10x their legit traffic, so attacks are assumed.

In addition to big money/small shops, there are lots of small software (even security software and hardware!) companies using Marketo, and using well-known CMSes to front their site. But their size doesn't let them off the hook. Sure, it's a bigger win and/or payday if they bring down a big boy, but black hats will hit anyone, especially one professing to "get" technology. I just don't get this low risk pool concept... if anything, when I look at Marketo users with my grey hat on I think, "This is a perfect target population: they're relying on uncertain technology, and their IT staff thinks everything's unlimited in the cloud."

I do see what you're saying about the WordPress user profile, but it's not just WP: the same applies to Drupal and Joomla plugins, and even the Marketo-aware integrations offered by enterprise CMSes like EpiServer. Point is, these aren't responsibly coded pieces of software, and they all have DoS vulnerabilities (worthy of an actual CVE if someone felt like it). Sure, the core platform may be mature and scalable, but the plugins are embarrassing junk. All they have to do is put a cap on daily use and I'll be impressed. But somehow even that doesn't seem important. We had a call the other day where it was clear an "enterprise" CMS's form-to-SFDC integration hadn't been thought through for scale. Their answer: "CloudFlare handles that." Yeah, no. Maybe if you can maintain 1000s of back-end connections. Not when you're limited to 10 outstanding conns.

Everyone else is in a low enough risk pool that this probably is going to be maybe the tenth most interesting way to really disrupt their systems.

Low-volume DoS is the lowest-hanging fruit, and no one should be vulnerable at this level. It's not that it's interesting, it's that it's easy.