Hash collision DoS

Have been dealing with this vulnerability a little bit. Amusingly, my old favorite Perl has had the fix for this for years – seed the hash function with a random value at startup so an attacker can’t predict which bucket an entry will land in. That’s really the only general fix, because while you might be able to mitigate the specific case of hashing CGI parameters, anything that puts input from potentially malicious clients into a hash table, in any form, could be vulnerable. That’s a pretty wide use case.

Of course, if the bad guys don’t know how the processing of input is implemented, it will be tricky for them to find the hole to exploit. So I suppose blocking the specific method (as Tomcat did by limiting the number of parameters it will hash) serves to block opportunistic attacks. But it may still leave possibilities for those who are really determined to cause havoc with a specific site.
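As an added example (my own sketch, not code from the original post or from Perl or Tomcat), here are the two mitigations above side by side in Python: a hash table whose bucket function is keyed with a per-instance random seed (keyed BLAKE2b is my choice of keyed hash), plus a Tomcat-style cap on the number of parameters accepted per request. The query string and the cap value are constructed for the demonstration.

```python
import hashlib
import os
from typing import Iterable, List, Optional

class SeededTable:
    """Chained hash table whose bucket function is keyed with a per-instance
    random seed, so bucket placement cannot be computed offline by a client."""

    def __init__(self, nbuckets: int = 64, seed: Optional[bytes] = None) -> None:
        self.seed = seed if seed is not None else os.urandom(16)
        self.buckets: List[list] = [[] for _ in range(nbuckets)]

    def bucket(self, key: str) -> int:
        # Keyed BLAKE2b: the same key hashes differently under every seed.
        d = hashlib.blake2b(key.encode(), digest_size=8, key=self.seed).digest()
        return int.from_bytes(d, "big") % len(self.buckets)

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.bucket(key)]
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)  # overwrite an existing entry
                return
        chain.append((key, value))

    def get(self, key: str) -> Optional[str]:
        for k, v in self.buckets[self.bucket(key)]:
            if k == key:
                return v
        return None

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)

def layout(names: Iterable[str], seed: bytes) -> List[int]:
    """Bucket index of each name under a given seed, for comparing seeds."""
    t = SeededTable(seed=seed)
    return [t.bucket(n) for n in names]

def parse_params(query: str, max_params: int = 1000) -> SeededTable:
    """Parse a CGI query string into a seeded table, refusing requests that
    carry more parameters than the cap (the Tomcat-style mitigation)."""
    pairs = query.split("&") if query else []
    if len(pairs) > max_params:
        raise ValueError(f"too many parameters: {len(pairs)} > {max_params}")
    table = SeededTable()
    for p in pairs:
        k, _, v = p.partition("=")
        table.put(k, v)
    return table

# Constructed sample input, not taken from any real request.
SAMPLE_QUERY = "&".join(f"p{i}={i}" for i in range(16))
```

Because the seed is drawn per process, the same parameter names map to different buckets on every restart, so a colliding set prepared against one run is worthless against the next.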

