Application Level DoS in microweber/microweber


Reported on May 16th 2022


Hey, when I attempted to change the password, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on behalf of the server and would be an easy target for an Application-level Denial Of Service attack.

Reproduction steps:

  1. Navigate to ""

  2. Click: John Doe (Edit profile)

  3. Change password

  4. Set New password = Boundless Characters/Special characters/Numbers

  5. Confirm edit profile, Done

Proof of Concept

# Request 

POST /demo/api/save_user HTTP/1.1
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//; csrf-token-data=%7B%22value%22%3A%222Utn6oLIsUeQAaTi9OoWKuaDwEpCC5VOb1MrfpoC%22%2C%22expiry%22%3A1652722744571%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=5WcF8Lu9MFINlPTt5mPVjsFtzU5XwwDoKRVAC2Zq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 12093
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
Te: trailers
Connection: close



Application-Level DoS

This allows for denial-of-service attacks through reworked submission of comprehensive passwords, tying up server resources in the expensive computation of the corresponding hashes.
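As an added example (not microweber's code and not the change made in commit 495f7f), here is a server-side length check that runs before the password reaches the hash function. The helper name `hashNewPassword` and all three limits are assumptions; the oversized sample reuses the 12093-byte Content-Length from the request above.

```php
<?php
declare(strict_types=1);

// Assumed limits for this sketch, not values taken from microweber.
const MIN_PASSWORD_BYTES = 8;
const MAX_PASSWORD_BYTES = 72;   // PHP's bcrypt uses at most 72 bytes of input
const MAX_BODY_BYTES     = 4096; // cap on the whole form body

/**
 * Hypothetical helper: refuse oversized input before any hashing work is done.
 *
 * @throws LengthException when the body or the password is out of bounds
 */
function hashNewPassword(string $password, int $contentLength): string
{
    // Cheapest check first: drop oversized requests outright.
    if ($contentLength > MAX_BODY_BYTES) {
        throw new LengthException('request body too large');
    }
    // strlen() counts bytes, which is what the hash function consumes.
    $bytes = strlen($password);
    if ($bytes < MIN_PASSWORD_BYTES || $bytes > MAX_PASSWORD_BYTES) {
        throw new LengthException('password length out of bounds');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Constructed inputs: [label, password, Content-Length of the request].
$samples = [
    ['normal',    'correct horse battery', 64],
    ['too short', 'abc', 40],
    ['oversized', str_repeat('A', 12000), 12093],
];

foreach ($samples as [$label, $password, $contentLength]) {
    try {
        $hash = hashNewPassword($password, $contentLength);
        printf("%-10s accepted, verifies: %s\n", $label,
            password_verify($password, $hash) ? 'yes' : 'no');
    } catch (LengthException $e) {
        printf("%-10s rejected: %s\n", $label, $e->getMessage());
    }
}
```

In a Laravel controller the same upper bound can be expressed with the `max:` validation rule on the password field, so the request is rejected before the hashing call.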

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar Slaveykov modified the Severity from High to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov marked this as fixed in 1.2.16 with commit 495f7f a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE