
DOS Exploit #130

Open
Tostino opened this issue Jan 26, 2023 · 3 comments

Comments

@Tostino

Tostino commented Jan 26, 2023

Hey, just wanted to let you know I've gotten reports from users of my library, Nbvcxz, who are getting a DOS every so often from specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.
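The split described above, an expensive matcher that only ever sees a bounded prefix plus a plain dictionary lookup on the full, untransformed password, as an added sketch in Python; it is not code from Nbvcxz or from this project, and the word list, the limit of 16 characters and the quadratic stand-in matcher are constructed assumptions.

```python
# Constructed sample word list; a real deployment loads zxcvbn's ranked dictionaries.
DICTIONARY = {"password", "letmein", "correcthorsebatterystaple"}
# Assumed value for the "maxLength type configuration" mentioned in the comment above.
MAX_MATCH_LENGTH = 16


def expensive_match(fragment: str) -> tuple[set[str], int]:
    """Stand-in for the combinatorial matchers (l33t, spatial, repeat ...).

    It examines every substring, so its work grows quadratically with the
    fragment length. The second return value counts substrings examined,
    which makes the cost bound observable in a test.
    """
    hits, work = set(), 0
    for i in range(len(fragment)):
        for j in range(i + 1, len(fragment) + 1):
            work += 1
            if fragment[i:j] in DICTIONARY:
                hits.add(fragment[i:j])
    return hits, work


def analyze(password: str) -> dict:
    """Run cheap checks on the whole password, expensive ones on a bounded prefix."""
    # 1. O(1) set lookup on the FULL password, no transformations, so a long
    #    password that is itself a dictionary entry is still caught.
    full_hit = password.lower() in DICTIONARY
    # 2. The expensive matcher only ever sees MAX_MATCH_LENGTH characters, so the
    #    worst-case work is fixed by the server, not by whatever the client sent.
    prefix = password[:MAX_MATCH_LENGTH]
    hits, work = expensive_match(prefix)
    return {"full_dictionary_hit": full_hit, "prefix_hits": hits, "work": work}


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "xxpasswordxx", "x" * 100_000):
        print(len(pw), analyze(pw))
```

Whatever length the client submits, `work` stays at 136 (the number of substrings of a 16-character prefix), while the full-length lookup still flags `correcthorsebatterystaple` even though its prefix alone matches nothing.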

@vvatanabe
Member

vvatanabe commented Aug 19, 2023

If you are worried about DOS then just limit the password length to a few hundred characters. (We are not rejecting the approach of setting a maximum number of characters.)

@luc-x41

luc-x41 commented Oct 16, 2023

I have not looked at the specific regexes used, but note that limiting to a few hundred characters is typically not a solution for ReDoS vulnerabilities. Taking the class name regex example from Wikipedia, 36 characters takes nearly a full second to match for me. Submitting more than one request per second is possible on any data connection, which would lead to the server becoming overloaded because that rate is faster than the server can match against such a regex.

@bowbahdoe

bowbahdoe commented Dec 15, 2023

@Tostino @vvatanabe Is this still an issue/something to be worried about? What is the magnitude of the issue here?
