Collision vulnerability for hash data structures in web platforms
(Denial of Service attack)

Berescu Ionut
2012
Overview
• A variety of programming languages suffer
  from a vulnerability when storing data as
  key/value pairs in hash data structures.
• The condition can be leveraged by exploiting
  predictable collisions in the underlying
  hashing algorithms and can be used to
  construct a low-bandwidth Denial of
  Service (DoS) attack.
Vulnerable languages/servers
• Java, all versions
• JRuby <= 1.6.5
• PHP <= 5.3.8, <= 5.4.0RC3
• Python, all versions
• Rubinius, all versions
• Ruby <= 1.8.7-p356
• Apache Geronimo, all versions
• Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
• Oracle Glassfish <= 3.1.1
• Jetty, all versions
• Plone, all versions
• Rack <= 1.3.5, <= 1.2.4, <= 1.1.2
• V8 JavaScript Engine, all versions
What is a hash table?
• A hash table or hash map is a data structure that
  uses a hash function to map identifying values,
  known as keys, to their associated values.
• Ideally, the hash function should map each
  possible key to a unique slot index, but this ideal
  is rarely achievable in practice. Instead, most
  hash table designs assume that hash collisions
  (different keys that map to the same hash value)
  will occur and must be accommodated in some
  way.
How are the languages vulnerable?
• Most languages do not provide a randomized
  hash function, and the application server does
  not recognize attacks using multi-collisions, so
  an attacker can degenerate the hash table by
  sending lots of colliding keys.
• The algorithmic complexity of inserting n
  elements into the table then goes to
  O(n^2), making it possible to exhaust hours of
  CPU time using a single HTTP request.
Hash tables in PHP
• PHP internally uses hash tables to store arrays.
• Hash tables are very fast for storing and
  retrieving data, which is why they are used
  heavily in every language.
• Most PHP arrays are backed by a C hash
  table, for example $_GET, $_POST, $GLOBALS
  and ordinary arrays.
Constructing a 100% colliding hash table in PHP
• In PHP, if the array key is an integer the hash is the integer
  itself; all PHP does is apply a table mask on top of it: hash &
  tableMask.
• The underlying C array always has a size which is a power of 2.
• So if we store 10 elements the real size will be 16. If we store
  33 it will be 64. If we store 63 it will also be 64. The table mask
  is the size minus one. So if the size is 64, i.e. 1000000 in binary,
  the table mask will be 63, i.e. 0111111 in binary.
• Basically the table mask clears all bits above the table size, so
  only the low bits of the key select the slot.
Constructing a 100% colliding hash table in PHP
• If we insert a total of 32 elements, the first
  one 0, the second one 32, the third one
  64, the fourth one 128, etc., all of those
  elements will have the same hash and all will
  be put into the same linked list, creating a
  100% colliding hash table.
Constructing a 100% colliding hash table in PHP
• Code example:

```php
<?php
// Table of 2^15 slots; the mask is therefore 2^15 - 1.
$size = pow(2, 15);
// Highest key so that exactly $size keys are inserted.
$max = ($size - 1) * $size;
// Every key is a multiple of $size, so key & mask is always 0:
// all entries land in slot 0 and share one linked list.
for ($key = 0; $key <= $max; $key += $size) {
  $data[$key] = 0;
}
```

• The above example will require an abnormal
  amount of time to run, as all hash values will be
  in the same linked list, so each insert has to walk
  the whole list and takes a lot longer.
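The slot selection described above, and the cost it produces, modelled in Python as an added illustration (not the slides' code and not PHP's own implementation). Assumptions: a minimum table size of 8 modelled on PHP's hash table, and an HMAC-SHA256 keyed hash standing in for a "randomized hash function", which is not what any PHP version uses.

```python
"""Model of PHP's integer-key bucket selection (hash & tableMask) with
chained buckets: keys spaced by the table size all collide, and a keyed
(randomized) hash spreads them again. Added illustration, not PHP code."""
import hashlib
import hmac
import os


def table_size(n_elements):
    """Smallest power of two >= n_elements (minimum 8, modelled on PHP)."""
    size = 8
    while size < n_elements:
        size <<= 1
    return size


def bucket_identity(key, mask):
    """PHP's scheme for integer keys: the hash is the integer itself."""
    return key & mask


def make_keyed_bucket(secret):
    """Randomized hash: a per-process secret keys the hash, so which keys
    share a bucket cannot be predicted from the key values alone."""
    def bucket(key, mask):
        digest = hmac.new(secret, str(key).encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") & mask
    return bucket


def insert_all(keys, bucket_fn):
    """Insert keys into chained buckets; return (longest chain, number of
    key comparisons made). Each insert walks its bucket's chain to check
    for a duplicate, which is the linear step that turns quadratic when
    every key lands in the same chain."""
    keys = list(keys)
    if not keys:
        return 0, 0
    mask = table_size(len(keys)) - 1
    chains = {}
    comparisons = 0
    for k in keys:
        chain = chains.setdefault(bucket_fn(k, mask), [])
        comparisons += len(chain)      # compared against every entry
        if k not in chain:
            chain.append(k)
    return max(len(c) for c in chains.values()), comparisons


def colliding_keys(count):
    """Keys 0, size, 2*size, ... as in the slides: identical after masking."""
    size = table_size(count)
    return [i * size for i in range(count)]


if __name__ == "__main__":
    n = 1024
    print("sequential keys:", insert_all(range(n), bucket_identity))
    print("colliding keys: ", insert_all(colliding_keys(n), bucket_identity))
    print("keyed hash:     ", insert_all(colliding_keys(n),
                                         make_keyed_bucket(os.urandom(16))))
```

With 1024 keys the colliding set costs 523776 comparisons against none for sequential keys, and the keyed hash brings the same keys back to a handful of comparisons.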
DoS attack
• Sending a POST request, or a request that will
  be decoded into an array (JSON for example),
  can result in a DoS attack.
• By sending a large number of parameters by
  POST with keys that will create a hash table
  with 100% collision, the web platform is forced
  to spend a very large amount of time and CPU
  inserting the elements.
DoS attack in PHP
• Sending the 100% collision array in a POST
  request (with a size of, let's say, 2^16) will
  make PHP consume 100% of the system's CPU
  for a couple of hours.
Impact
• Any website running one of the technologies
  mentioned which provides the option to
  perform a POST/GET request is vulnerable to
  this very effective DoS attack.

• With a very low-bandwidth connection we can
  keep thousands of targeted systems' cores at
  100% use.
Workarounds
• For languages where no fixes have been
  issued, there are a number of workarounds:
• Limiting CPU time (max_input_time in PHP).
• Limiting the maximum number of parameters
  (max_input_vars in PHP).
• Using different data structures.
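The parameter cap workaround from a defender's side, as an added Python model that is not the slides' code and not PHP's own request parser: decoding stops once the cap is reached (PHP's max_input_vars issues a warning and truncates the remaining variables), and a request whose integer keys collapse into one slot under the hash & tableMask scheme is flagged. The concentration check and its thresholds are an assumption for illustration, not something PHP ships.

```python
"""Defender-side model of the max_input_vars workaround plus a heuristic
that flags parameter lists which would degenerate PHP's array into a
single chain. Added illustration; thresholds are assumed values."""
from urllib.parse import unquote_plus

MAX_INPUT_VARS = 1000          # PHP's default for max_input_vars
MIN_KEYS_TO_JUDGE = 32         # assumed: ignore tiny requests
CONCENTRATION_THRESHOLD = 0.5  # assumed: half the keys in one slot


def table_size(n_elements):
    """Smallest power of two >= n_elements (minimum 8, modelled on PHP)."""
    size = 8
    while size < n_elements:
        size <<= 1
    return size


def parse_form_body(body, max_vars=MAX_INPUT_VARS):
    """Decode an application/x-www-form-urlencoded body.
    Returns (params, truncated): pairs beyond max_vars are never decoded
    or inserted, so the cap bounds the work an oversized request causes."""
    params = {}
    accepted = 0
    truncated = False
    for pair in body.split("&"):
        if not pair:
            continue
        if accepted >= max_vars:
            truncated = True
            break
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
        accepted += 1
    return params, truncated


def bucket_concentration(keys):
    """Fraction of integer-looking keys that would share the fullest slot
    when stored as PHP array keys (hash = the integer, masked by size-1).
    1.0 means every such key would end up in one linked list."""
    ints = [int(k) for k in keys if k.lstrip("-").isdigit()]
    if not ints:
        return 0.0
    mask = table_size(len(ints)) - 1
    counts = {}
    for k in ints:
        slot = k & mask
        counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values()) / len(ints)


def check_request(body, max_vars=MAX_INPUT_VARS):
    """Apply the cap, then report whether the surviving keys look like a
    collision set. Both flags are worth logging on a front-end."""
    params, truncated = parse_form_body(body, max_vars)
    concentration = bucket_concentration(params.keys())
    suspicious = (len(params) >= MIN_KEYS_TO_JUDGE
                  and concentration >= CONCENTRATION_THRESHOLD)
    return {"params": len(params), "truncated": truncated,
            "concentration": concentration, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample bodies: a normal form, and one whose keys are
    # all multiples of the table size, as in the slides' example.
    print(check_request("a=1&b=2&3=x&4=y"))
    print(check_request("&".join(f"{i * 64}=x" for i in range(64))))
```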
