Thursday, December 29, 2011

Report: Websites vulnerable to 'hashDOS' attack

A vulnerability in most web application frameworks may allow attackers to mount a denial-of-service attack on a computer system, researchers demonstrated at a security conference in Germany.

 

Computer security firm Sophos said Alexander “alech” Klink and Julian “zeri” Wälde delivered a demonstration and lecture at the 28th Chaos Communication Congress.

 

"During the talk they performed a denial of service attack against an Apache Tomcat server, which is a commonly used java servlet container for hosting web pages. They sent the server some pre-computed hash collisions and showed how it used 100% of their processor for the entire talk," Sophos said in a blog post.

 

Sophos said the hashing used by PHP, Java, Python and JavaScript in this attack is not a cryptographic hash but a simple mathematical hash used to speed up storing and retrieving data posted to web pages.

 

Collisions in these hashes are expected and managed by the programming framework in a reliable way - when not being abused.

 

"It is known that an attacker who understands the values used in your hashing algorithm could pre-compute a set of values that result in all hashes being the same. Comparing these hashes becomes a quadratic function which can create a very heavy load on the web server," Sophos said.

Sophos said the researchers urged developers of the vulnerable programming languages to randomize the key used when computing hashes.

 

This would prevent an attacker from being able to pre-compute the collisions, they said.
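The quadratic cost and the effect of a randomized key, as an added example that is not code from Sophos or the researchers. It assumes a toy byte-sum hash and constructed keys (`weak_hash`, `colliding_keys`, `insert_all` and `make_keyed_hash` are hypothetical names), with keyed BLAKE2b standing in for a randomized hash function.

```python
import hashlib
import secrets

BUCKETS = 1024

def weak_hash(key: bytes) -> int:
    # Toy unkeyed hash (byte sum), constructed for this example;
    # it is not the hash function of any real language runtime.
    return sum(key) % BUCKETS

def make_keyed_hash(secret: bytes):
    # Keyed hash: the bucket depends on a secret chosen at process start,
    # so bucket placement cannot be computed in advance without it.
    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed_hash

def colliding_keys(n: int) -> list:
    # Constructed sample input: b"ad" and b"bc" have the same byte sum,
    # so every key built from these blocks shares one weak_hash value.
    blocks = (b"ad", b"bc")
    width = max(1, (n - 1).bit_length())
    return [b"".join(blocks[(i >> bit) & 1] for bit in range(width))
            for i in range(n)]

def insert_all(keys, hash_fn) -> int:
    """Insert keys into a chained hash table; return key comparisons made."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key)]
        found = False
        for existing in chain:
            comparisons += 1
            if existing == key:
                found = True
                break
        if not found:
            chain.append(key)
    return comparisons

if __name__ == "__main__":
    keys = colliding_keys(256)
    print("unkeyed hash comparisons:", insert_all(keys, weak_hash))
    keyed = make_keyed_hash(secrets.token_bytes(16))
    print("keyed hash comparisons:  ", insert_all(keys, keyed))
```

With the unkeyed hash every insert walks the whole chain, so n keys cost n(n-1)/2 comparisons; with the keyed hash the same keys spread across buckets.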

 

"Perl was updated to fix this problem in version 5.8.1, which was released in September of 2003. For some reason most of the other languages did not take the cue from Perl and are still vulnerable to these attacks," it noted.

 
But it also noted there are three mitigation techniques available to website operators:
  • Reduce the length of parameters that can be posted.
  • Reduce the number of parameters accepted by the web application framework.
  • Limit the amount of CPU time that any given thread is allowed to run.
Sophos also noted Microsoft has released an advisory for ASP.NET customers, with advice on mitigation until they can ship a more permanent fix.