DoS due to unrestricted hashing in alextselegidis/easyappointments

Valid

Reported on

Apr 13th 2022

Description

The application accepts password strings of any size and hashes them to check against the database whether the user exists, for example upon login.

Because the hashing process is resource-intensive, it is possible to cause a denial of service without much processing power.

Mitigation

The app should limit accepted passwords to a reasonable length (100 characters would be enough) and reject longer input before hashing it.

This is especially important if password hashing is moved to the bcrypt algorithm (for stronger, safer password protection), because bcrypt is slower and needs more CPU than the current sha256.
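The check described above, as an added example that is not Easy!Appointments project code: the password length is bounded in bytes before any hashing work happens, on both the registration and the login path. The constant MAX_PASSWORD_LENGTH and the functions hash_password_bounded and verify_password_bounded are assumed names; the 100-character limit is the one suggested in this report, and bcrypt is used via PHP's built-in password_hash.

```php
<?php
// Added example, not project code. MAX_PASSWORD_LENGTH is an assumed
// constant; the report suggests 100 characters as a reasonable bound.
const MAX_PASSWORD_LENGTH = 100;

/**
 * Returns true when the password is acceptable to hash. strlen() counts
 * bytes, so multibyte input cannot slip past a character-based check.
 */
function password_length_ok(string $password): bool
{
    return $password !== '' && strlen($password) <= MAX_PASSWORD_LENGTH;
}

/**
 * Registration path: returns the bcrypt hash, or null when the input is
 * rejected. The length check runs before the expensive step, so an
 * oversized request costs one strlen() call rather than a bcrypt round.
 */
function hash_password_bounded(string $password): ?string
{
    if (!password_length_ok($password)) {
        return null;
    }
    // bcrypt through PHP's password_hash(); cost 10 is PHP's default.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

/**
 * Login path: the same bound applies before password_verify(), so an
 * attacker cannot trigger hashing at all with oversized input.
 */
function verify_password_bounded(string $password, string $storedHash): bool
{
    if (!password_length_ok($password)) {
        return false;
    }
    return password_verify($password, $storedHash);
}

// Usage with constructed inputs: a normal password and a 1 MiB string.
$normal = 'correct horse battery staple';
$huge   = str_repeat('A', 1024 * 1024);

$hash = hash_password_bounded($normal);
if ($hash === null || !verify_password_bounded($normal, $hash)) {
    echo "unexpected: normal password failed\n";
}
if (hash_password_bounded($huge) !== null) {
    echo "unexpected: oversized password was hashed\n";
}
if (verify_password_bounded($huge, (string) $hash)) {
    echo "unexpected: oversized password was verified\n";
}
echo "length bound enforced before hashing\n";
```

Two notes on the choice of bound: it is applied in the request handler before any database lookup or hash computation, which is what removes the amplification; and bcrypt itself only consumes the first 72 bytes of its input, so a limit of 100 characters rejects nothing that bcrypt would have used anyway.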

Impact

An attacker would be able to DoS the system with few resources, probably just a couple of hundred HTTP requests.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. a month ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back a month ago
We have sent a follow up to the alextselegidis/easyappointments team. We will try again in 7 days. a month ago
Alex Tselegidis validated this vulnerability a month ago
Francesco Carlucci has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the alextselegidis/easyappointments team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the alextselegidis/easyappointments team. We will try again in 10 days. 25 days ago
We have sent a third and final fix follow up to the alextselegidis/easyappointments team. This report is now considered stale. 15 days ago
Alex Tselegidis confirmed that a fix has been merged on e3d367 15 days ago
Alex Tselegidis has been awarded the fix bounty