Bug #62

closed

Improper Handling of Malformed Multipart Requests Leading to Potential Connection Exhaustion (API-WEB)

Added by Vivek Kumar 21 days ago. Updated 12 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Start date:
03/31/2026
Due date:
% Done:

100%

Estimated time:
Spent time:

Description

The /api/clients/add endpoint does not handle malformed multipart/form-data requests correctly. When the boundary used in the body does not match the boundary declared in the Content-Type header, the server neither rejects the request nor returns any response; it simply keeps the connection open.

This indicates that:

  • Multipart parsing does not fail fast on invalid input
  • No request parsing timeout is enforced
  • Connections remain open while the server waits for completion of the request body

Proof of Concept (PoC)

  1. Send a malformed multipart request
    Header:
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC
    Body (the second delimiter intentionally uses a boundary that does not match the header):
------WebKitFormBoundaryABC
Content-Disposition: form-data; name="first_name"

test
------WebKitFormBoundaryABC2
    Because the last line is neither a valid part delimiter nor the close delimiter (------WebKitFormBoundaryABC--), the body never terminates from the parser's point of view.
  2. Observed behavior
    No HTTP response returned
    No status code received
    Connection remains open indefinitely
    The testing tool shows the request as pending (e.g. size = -1)

  3. Validation
    With the boundary corrected, the request completes successfully
    With the malformed boundary, the request hangs indefinitely

Testing Performed

Opened 100+ concurrent malformed requests
Observed:

  • Connections remained open
  • No immediate service disruption
  • Legitimate requests continued to succeed

Whether the accumulated open connections can exhaust the server's connection or worker pool depends on its limits and concurrency model, which were not measured here; the test only shows that the connections are never reclaimed by the server.

Observed Behavior
Server accepts malformed request but does not terminate it
No timeout or error response is triggered
Connections persist indefinitely until manually closed

Expected Behavior
Server should:

  • Immediately reject malformed multipart requests with HTTP/1.1 400 Bad Request, or
  • Enforce a request/body read timeout and close the connection when it expires
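The hang described in the PoC and the two expected behaviours, as an added example; this is not the project's code, and the real implementation of /api/clients/add is not on this page. It is a constructed Python mock of the endpoint plus a raw-socket probe: in vulnerable mode the handler keeps reading until the close delimiter appears, which reproduces the hang for the PoC body; in fail_fast mode it reads exactly Content-Length bytes under a read timeout, answers 400 when the multipart framing is wrong and 408 when the client stalls mid-body. The host name api.example.test, the 408 status for the timeout case, and the mock server itself are assumptions made for the example.

```python
import socket
import threading

BOUNDARY = "----WebKitFormBoundaryABC"  # boundary used in the report's PoC
STATUS = {200: b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
          400: b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n",
          408: b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\n\r\n"}

def build_multipart_body(boundary, fields, terminator=None):
    """Build a multipart/form-data body; 'terminator' replaces the close
    delimiter '--boundary--' (the PoC puts the wrong boundary there)."""
    lines = []
    for name, value in fields.items():
        lines += ["--" + boundary, 'Content-Disposition: form-data; name="%s"' % name, "", value]
    lines.append(terminator if terminator is not None else "--" + boundary + "--")
    return ("\r\n".join(lines) + "\r\n").encode()

def build_request(host, path, boundary, body, declared_length=None):
    """Wrap the body in a POST; declared_length > len(body) models a client that stalls mid-body."""
    return ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: multipart/form-data; "
            "boundary=%s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
            % (path, host, boundary, declared_length or len(body))).encode() + body

def multipart_is_well_formed(body, boundary):
    """Fail-fast framing check: the body opens with the delimiter and ends with
    the close delimiter. The PoC body fails the second condition."""
    delim = ("--" + boundary).encode()
    return body.startswith(delim) and body.rstrip(b"\r\n").endswith(delim + b"--")

def _recv_until(conn, buf, done):
    """Append to buf until done(buf) holds; returns (buf, False) if the peer closes first."""
    while not done(buf):
        chunk = conn.recv(4096)
        if not chunk:
            return buf, False
        buf += chunk
    return buf, True

def _handle(conn, fail_fast, read_timeout):
    try:
        raw, ok = _recv_until(conn, b"", lambda b: b"\r\n\r\n" in b)
        if not ok:
            return
        head, body = raw.split(b"\r\n\r\n", 1)
        pairs = (l.partition(":") for l in head.decode(errors="replace").split("\r\n")[1:])
        headers = {k.strip().lower(): v.strip() for k, _, v in pairs}
        boundary = headers.get("content-type", "").partition("boundary=")[2]
        close = ("--" + boundary + "--").encode()
        if not fail_fast:
            # Vulnerable: ignore Content-Length and keep reading until the close delimiter
            # appears. A malformed body never supplies it, so recv() blocks and nothing is sent.
            body, ok = _recv_until(conn, body, lambda b: close in b)
            if ok:
                conn.sendall(STATUS[200])
            return
        # Hardened: bounded read under a timeout, then validate the framing.
        conn.settimeout(read_timeout)
        length = int(headers.get("content-length", "0"))
        try:
            body, ok = _recv_until(conn, body, lambda b: len(b) >= length)
        except socket.timeout:
            conn.sendall(STATUS[408])
            return
        ok = ok and multipart_is_well_formed(body[:length], boundary)
        conn.sendall(STATUS[200 if ok else 400])
    finally:
        conn.close()

def start_server(fail_fast, read_timeout=0.5):
    """Start the mock endpoint on 127.0.0.1 at an ephemeral port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn, fail_fast, read_timeout), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, request, timeout=1.5):
    """Send a raw request; return the status line, 'hung' if nothing arrives in time, or 'closed'."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "hung"
    return data.split(b"\r\n", 1)[0].decode(errors="replace") if data else "closed"

def reproduce():
    """Run the report's good/bad bodies plus a stalled body against both server modes."""
    fields = {"first_name": "test"}
    good = build_multipart_body(BOUNDARY, fields)
    bad = build_multipart_body(BOUNDARY, fields, terminator="--" + BOUNDARY + "2")
    cases = {"good": (good, None), "bad": (bad, None), "stalled": (good, len(good) + 64)}
    results = {}
    for mode in ("vulnerable", "fail_fast"):
        port = start_server(fail_fast=(mode == "fail_fast"))
        for label, (body, declared) in cases.items():
            req = build_request("api.example.test", "/api/clients/add", BOUNDARY, body, declared)
            results[(mode, label)] = probe(port, req)
    return results
```

reproduce() returns a dict keyed by (mode, case): ("vulnerable", "bad") comes back as "hung", which is the observation in the report, while the fail_fast entries show the two fixes (400 for the PoC body, 408 when the declared body never arrives). multipart_is_well_formed checks only the outer framing; a production parser should also validate each part's headers and cap the body size. probe is bound to 127.0.0.1 for the mock; to test the real endpoint, point it at the service host and raise the timeout.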
Actions #1

Updated by Adhi Narayanan 18 days ago

  • % Done changed from 0 to 100
Actions #2

Updated by Adhi Narayanan 18 days ago

  • Status changed from New to Resolved
Actions #3

Updated by Vivek Kumar 12 days ago

  • Status changed from Resolved to Closed