Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application
## Report Summary

Unrestricted access to the quiesce function via a `PUT` request to `https://dss.api.playstation.com/api/application/state` makes the application unreachable for an uncertain amount of time.

## Steps To Reproduce

### Reproduction method #1

+ *Burp Suite is the program required for the following method of reproduction*
+ *Any OS platform can be used to reproduce this bug*

1. Using Burp Suite, go to the *Proxy* tab -> *Intercept* tab. On this pane, click **Open Browser** to launch the embedded Chromium browser. {F1006879}
2. In the Chromium browser address bar, enter: https://dss.api.playstation.com/api/application/state
3. In Burp Suite, go to the *Proxy* tab -> *HTTP history* and, in this window pane, click on the request so that it is highlighted and press `CTRL+R`. {F1006881}
4. Click on the *Repeater* tab in Burp Suite and, in the left pane labeled *Request*, replace the word GET with PUT so that the first line now reads: `PUT /api/application/state HTTP/1.1`
5. Click on the first of the last two empty lines in the request and type: `Content-Type: application/json`. On the last of the empty lines type: `Content-Length: ` with a space at the end and leave this value to be filled in by Burp Suite. Press ENTER twice so that two empty lines remain.
6. On the last empty line of the pair, type the following JSON name/value pair: `{"appState":"quiesce"}`
7. The request should appear like this: {F1006882} Click **Send**. Within as little as 15 seconds, on refresh or on visiting another path of the application, e.g. https://dss.api.playstation.com/api/application.wadl, the application should return a 502 Bad Gateway error response.

### Reproduction method #2

+ *Firefox browser is the program required for the following method of reproduction*
+ *Any OS platform can be used to reproduce this bug*

1. In the Firefox browser address bar, enter: https://dss.api.playstation.com/api/application/state
2. Once the page has loaded, press `CTRL+SHIFT+E` to open the *Network* tool and click the button labeled *Reload*.
3. Once the Network view is populated with the GET request the browser sent, click on its entry so that it is highlighted, right-click to open the context menu and click *Edit and Resend*.
4. In the *New Request* editor that opened at the right end of the Network window, perform the following edits:
   * In the box labeled **Method**, change GET to PUT
   * At the end of the **Request Headers** box, add the following lines: `Content-Type: application/json` and `Content-Length: 22`
   * In the box labeled **Request Body**, enter: `{"appState":"quiesce"}`
5. The request should look like this: {F1006899} Click **Send**. Within as little as 15 seconds, on refresh or on visiting another path of the application, e.g. https://dss.api.playstation.com/api/application.wadl, the application should return a 502 Bad Gateway error response.

## Supporting Material/References

* Burp-Step1.png, Burp-Step2.png, Burp-Step3.png
* Firefox-Step1.png, Firefox-Step2.png, Firefox-Step3.png
* impact.png

## Impact

No authorization on `/api/application/state` allows an attacker to disrupt the availability of the application in a sustained manner for an undisclosed amount of time through repeated PUT requests for quiescence. The affected host was unavailable for over an hour at the start of today, starting at around 10:40 AM CDT (UTC-5) and persisting past 11:45 CDT (UTC-5), the last time I performed the request.

[7:07 PM UTC-5] I tested Reproduction method #2 and a 502 response was received.
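The missing check behind this report, shown as an added example that is not the PlayStation service's code: a minimal state handler in the vulnerable form (any client that can reach the endpoint may send `{"appState":"quiesce"}`) beside a hardened form that leaves the read open but requires an operator credential before any state change. The bearer-token scheme, the state vocabulary and the `Request`/`App` types are assumptions for illustration.

```python
import hmac
import json
from dataclasses import dataclass

VALID_STATES = {"running", "quiesce"}  # assumed vocabulary; only "quiesce" is on the report

@dataclass
class Request:
    method: str
    headers: dict
    body: bytes = b""

@dataclass
class App:
    state: str = "running"

def vulnerable_state_handler(app, req):
    # Before: any client that can reach the endpoint may flip the state.
    if req.method == "GET":
        return 200, {"appState": app.state}
    if req.method == "PUT":
        app.state = json.loads(req.body)["appState"]  # no authorization check at all
        return 200, {"appState": app.state}
    return 405, {}

def hardened_state_handler(app, req, operator_tokens):
    # After: reads stay open, the write needs an operator credential (bearer scheme assumed).
    if req.method == "GET":
        return 200, {"appState": app.state}
    if req.method != "PUT":
        return 405, {}
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "operator credential required"}
    presented = auth[len("Bearer "):].encode()
    if not any(hmac.compare_digest(presented, t.encode()) for t in operator_tokens):
        return 403, {"error": "not an operator"}
    if req.headers.get("Content-Type") != "application/json":
        return 415, {}
    try:
        new_state = json.loads(req.body).get("appState")
    except (ValueError, AttributeError):
        return 400, {"error": "malformed body"}
    if new_state not in VALID_STATES:
        return 400, {"error": "unknown appState"}
    app.state = new_state  # only reached by an authorized operator with a valid body
    return 200, {"appState": app.state}
```

The authorization check runs before the body is parsed, so an anonymous `PUT` never reaches the state transition and cannot trigger the 502 described above.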
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Submitted
Weakness
Missing Authorization