28C3: Denial-of-Service attacks on web applications made easy

Internet icon At the 28th Chaos Communication Congress (28C3) in Berlin on Wednesday, security researchers pointed out dangerous vulnerabilities in popular scripting languages and web application platforms such as PHP, ASP.NET, Java and Python. Alexander 'alech' Klink from security firm n.runs and TU Darmstadt researcher Julian Wälde warned that the hashing methods used to find individual objects in large amounts of data are vulnerable to simple attacks which could, in turn, be exploited to launch massive "Denial-of-Service" (DoS) attacks.

Wälde said that hash tables are used by many programmers; however, the researcher explained that with this method, two different keys can potentially lead to the same hash key or table field, and that the occurrence of such collisions can be promoted intentionally. For example, Klink said that it is relatively easy to find identical string segments and trigger deliberate collisions. The researcher added that launching such common cryptographic attacks as a "Meet in the Middle" attack on hash functions could also successfully be used to produce a similar effect.

Klink explained that web programming languages tend to use the DJBX33A or DJBX33X hash functions developed by Daniel Bernstein. He said that identical string segments can be detected, and the described collisions triggered, in DJBX33A; this hash function is used in such languages as PHP5, Ruby 1.8 and Java, as well as in systems based on Java, such as Tomcat and Glassfish. PHP4, ASP.NET, Python and JavaScript use DJBX33X or comparable algorithms and can be compromised via "Meet in the Middle" attacks, added Klink.

The researcher explained that, ultimately, the described methods for triggering collisions potentially allow attackers to hijack a server's processor using just a client-side request. Klink conceded that scripting languages and application environments usually limit the amount of arbitrary data in server input windows through parameters that stipulate the maximum size or duration of a "post" action, but added that these values tend to offer sufficient scope to keep a hijacked processor busy and cripple it if required. Furthermore, he said that it is possible to send coordinated requests from multiple clients.

Klink presented examples to demonstrate the efficiency of such attacks: triggering POST requests, and the corresponding form inputs and collisions, in a PHP application at an available bandwidth of between 70 and 100 Kbits/s can keep an Intel i7 processor core working at full capacity. When describing the basic threat scenario during his presentation, Klink said that, at worst, users need only to click on a link that generates a specially crafted HTTP request to launch such an attack.

Wälde said that this could provide sufficient power for a very effective DoS attack that could, for instance, cripple an entire social network, and that vulnerable hash tables have even been identified in Facebook. He added that similar functions are also used in the Linux kernel, in the Lua programming language that is used by the "World of Warcraft" client, in Erlang, and in Objective-C. The researchers concluded that the best way of avoiding the problem is to use randomised hash functions such as those used in Perl, which were included after a security conference paper on the technique was published in 2003 PDF . CRuby 1.9 has used a similar randomisation technique since 2008.

The researchers noted that they informed the developers of the vulnerable programming languages in November, and that good or acceptable responses came, for example, from the makers of Ruby and from Microsoft; Microsoft warned of the problem in a separate advisory. Many of the other project maintainers have apparently fixed the vulnerabilities with temporary workarounds. For example, the Apache Tomcat developers have released updates to Tomcat 7 (7.0.23) and 6 (6.0.35) which limit the number of parameters processed by a single request to 10,000, which is set by a new "maxParameterCount" option. Such responses are, however, only a first step in the right direction, concluded Klink and Wälde.

See also: