The Parable of the Pagination Attack

Table of Contents

    Subscribe for Email Updates

    I was minding my own business the other day when out of the blue one of the warning sirens in our office started wailing! OK, maybe it wasn’t a siren exactly, but something was definitely amiss with one of our Marketpath CMS sites.

    I discovered one particular site was getting hit repeatedly by a rogue script that was spamming the server. It wasn’t a denial-of-service (DDOS) attack, but it was the next best thing. As expected, Marketpath CMS handled the large increase in traffic like a champ.

    Surprisingly, this was because of pagination - you know, those navigational links that help you move from one page of results to another? They look like the example below:

    Previous  1   2   3   ….  4   5   6  7   8  Next

    The script hitting the site wasn’t malicious - it was simply doing its job by scanning all of the site’s pages and links, most likely so it could index and rate them for SEO and linking purposes.

    The trouble began with the previous and next links. These links simply added or subtracted 1 from the current page number. If I was on the first page, the previous link, when clicked, would take the user to page 0, and then page -1, and the page -2. You get the idea.

    If I was on the last page (let’s say page 8) the next button would link to a non-existent page 9, and then 10, and so on.

    A human reading these pages of blog posts wouldn’t be impacted much by this. If they clicked previous or next for non-existent pages they would see zero results and probably just hit the back button. They wouldn’t continue on to page 1,243.

    But a script is not human.

    And so this script began scanning endlessly through page after page without any content.

    As with many technical issues, this whole event could have been prevented entirely with just a little more thought and attention to detail earlier in the process.

    The solution: Do not display previous and next links when the previous and next page do not exist. Or, at the very least (if your design calls for it), do not make them working hyperlinks.

    This was a great lesson learned and prompted us to build our own pagination package that can be reused easily on any site. You can find examples and instructions on usage by visiting the package details at Just like Marketpath CMS, this is very easy to set up and provides simple and flexible options.

    And, of course, it completely avoids the endless pagination issue we just described. It even throws a proper 404 error if an out-of-bounds page is attempted.


    Related Tags:

    About the Author

    Levi Carter

    Levi Carter is the senior developer of software products at Marketpath. While his primary responsibility is planning, developing, and maintaining Marketpath CMS, he has also been heavily involved in the full software lifecycle starting with strategy discussions and analysis through customer support and documentation.

    When Levi is not working on Marketpath software products he enjoys gardening, woodworking, and spending time with his wife and four children.

    Subscribe for Email Updates