Understanding HashDos and postParameterLimit
I received a question today about the postParameterLimit that was added to ColdFusion 8,9 by security hotfix APSB12-06 and exists in ColdFusion 10 by default (it is also configurable in the CF10 administrator).
The question I was asked about this was:
I was wondering your opinion on the maximum level of this setiing in relation to security.
I've also seen a lot of people unclear why they are getting a 500 Server Error (
coldfusion.filter.FormScope$PostParametersLimitExceededException: POST parameters exceeds the maximum limit specified in the server.) when posting a lot of form variables, so let's dig in to this issue.
Step back and learn about the HashDos Vulnerability
First we need to understand the vulnerability that this setting is meant to protect, called HashDos. To do that we need to take another step back and learn about how hashing algorithms work. When you store something in a struct in ColdFusion, eg form["pete"], it will create a hash of the key in this case "pete", it hashes the value to an integer, let's suppose that "pete".hashCode() == 8
All hash algorithms have the possibility of creating a collision, where two different strings result in the same hash code. So let's say that "peter".hashCode() == 8 as well. You don't want form["peter"] to return the result of form["pete"] so the hash table creates a bucket for each integer code. If the bucket contains multiple items then each item in the bucket is compared (this is slow).
Because this collision comparison is so slow, this is where the opportunity for the Denial of Service comes into play. If you can construct a request which results in thousands of hash collision lookups the request can take seconds to several minutes to process. For example with around 50,000 collisions my quad core mac pro with 15 gb of ram took close to 30 minutes to process the request (whose total size was less than 2mb).
HashDos does not only pertain to form post variables
Any time you store a lot of keys in a struct you have the potential for a HashDOS. The URL scope would potentially be vulnerable too but the web server will typically limit the size of the query string. Another place this might come up is if you accept Xml or JSON strings from external sources, which are then parsed into a struct. So keep this in mind whenever you accept external input that might yield struct keys.
So how to you fix HashDOS
ColdFusion added the
postParameterLimit setting to
neo-runtime.xml to mitigate the effects of the HashDos vulnerability, which existed in many web application servers. Adobe set their default limit to 100, while Microsoft set their default limit to 1000 for ASP.NET.
Getting back to the original question how high can you set this value? -- the answer is that you want to set this as low as your application allows. The actual number of what you can handle depends on what your hardware can handle, and what an acceptable wait time is for the end user.
- HashDOS and ColdFusion - December 30, 2011
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- New HackMyCF Features - October 24, 2013
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
Kinda annoying if you have complex templates on a command & control server and your back-end suddenly refuses to respond after you've added another batch of options.
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained