HashDOS and ColdFusion
Earlier this week at the 28C3 security conference in Berlin researchers presented on a denial of service (DOS) technique that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable etc) are vulnerable to, known as
The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML
struct). When two keys are hashed and result in the same hash code a collision occurrs, and additional processing must take place to store or retrieve the item. Most application servers store request input variable (eg form, url scopes) in such a data structure. If you can construct a request with variable names that all have the same internal hashcode, the request goes from taking less than a second to process to several minutes.
As you can imagine this can cause a server to crawl/crash pretty quickly with a relatively small payload. Microsoft has released an out of band security patch for ASP.NET already. Tomcat has provided a work around in versions 7.0.23 or 6.0.35 and up.
The typical patch / workaround for this issue is to limit the number of input request variables, ASP.NET defaults this limit to 1000, tomcat defaults to 10,000.
Update: - Adobe has released a security hotfix to address this issue on ColdFusion 8 and 9. If you are running CF 6 or 7 you may still be vulnerable to this but Adobe no longer produces security hotfixes for these versions (upgrade to CF 8 or above).
To learn more about the mitigation that Adobe ColdFusion has put into place for HashDOS you can read my follow up post: Understanding HashDos and postParameterLimit.
Like this? Follow me ↯Tweet Follow @pfreitag
HashDOS and ColdFusion was first published on December 30, 2011.
If you like reading about coldfusion, java, tomcat, hashdos, hash, security, or jrun then you might also like:
- OpenSSL and ColdFusion / Lucee / Tomcat
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- J2EE Sessions in CF10 Uses Secure Cookies
- Understanding HashDos and postParameterLimit
- Using AntiSamy with ColdFusion
- Speaking at ColdFusion Summit Online Next Week
- ColdFusion Security Training Class December 2022
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.
The weekly newsletter for the CFML Community
But if you'd say there really is no new info you're aware of about these things since then, no worries. I just wanted to check if perhaps you did, and for the sake of others who may come across this post in the future.
I am not sure as to the reason Adobe choose the default limit, but it could be that the Hash table implementation used by the form (and other) scopes is slower WRT collisions than the one used by .NET or by Tomcat so it needed to be set lower. It's not necessarily an apples to apples comparison as they could have chosen different algorithms.
The maxParameterCount setting in Tomcat still defaults to 10,000 in Tomcat 9.
As I mention in the other post with 50,000 parameters you can craft a request that might take the server 30 minutes to process. So using those numbers if you had 10,000 parameters it might still take 6 minutes (though probably a bit less, since it is exponential) to process the request (and it would not timeout). This was several years ago, so the numbers may differ now and of course depend on the hardware used.