Note: while using large number of hashing rounds to prevent brute-forcing is good, we need to ensure that our servers are reliable. Limit the length of the password and add rate-limit for unsuccessful logins.
Reported by Kunal Mhaske
Vulnerability Name: Possible denial of service when entering a long password
Target URL: https://ctl.ptah.sh/
Vulnerable URL: https://ctl.ptah.sh/reset-password/resettoken?email=kunalmhaske555%40gmail.com
Description: Until the final user enters a password and a [DoS] arises, you can make a really lengthy password. Passwords typically have 8–10–24 digits, yet you can supply a password that is 1,000,000 characters long. Typically, this issue is brought on by a weak password-hashing technique. The hashing procedure will exhaust the CPU and memory when a lengthy password is given.
Remediation: The maximum length of allowed passwords must be limited by fixing the password hashing algorithm.
Steps to reproduce:
I have tried:
Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456Kunal@123456 is DoS.
Impact:
It's possible to cause a denial-of-service attack on the server. This may lead to the website becoming unavailable or unresponsive.
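The two controls the note at the top of this issue asks for, a length cap enforced before any hashing work and a rate limit on failed logins, as an added Python example. This is illustration code, not ptah.sh's own implementation and not the reporter's: it assumes PBKDF2-HMAC-SHA256 from the standard library as the password hash (whatever the project actually uses, the guard sits in front of it the same way), a hypothetical 128-byte cap, and an in-memory limiter with an injectable clock so the lockout can be exercised without sleeping.

```python
"""Length-guarded password hashing plus a failed-login rate limiter.

Hypothetical illustration, not code from ptah.sh. Standard library only:
PBKDF2-HMAC-SHA256 for hashing and an in-memory sliding-window limiter.
A real deployment would back the limiter with a shared store (e.g. Redis)
so that it holds across application workers.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# The length check runs BEFORE any hashing work, so an oversized request costs
# only the time to read it. 128 bytes is generous for a human passphrase
# (assumed limit, pick what fits your password policy).
MAX_PASSWORD_BYTES = 128
PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when the submitted password exceeds MAX_PASSWORD_BYTES."""


def check_length(password: str) -> bytes:
    """Return the UTF-8 encoding of the password or raise PasswordTooLong."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return raw


def hash_password(password: str) -> str:
    """Hash a length-checked password as 'pbkdf2$<iters>$<salt hex>$<hash hex>'."""
    raw = check_length(password)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; an over-long candidate is rejected unhashed."""
    try:
        raw = check_length(password)
    except PasswordTooLong:
        return False
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class FailedLoginLimiter:
    """Allow at most `max_failures` failed attempts per `window` seconds per key.

    The key is whatever you throttle on: the account, the client IP, or both.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key: str) -> deque:
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key: str) -> None:
        self._recent(key).append(self.clock())

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: FailedLoginLimiter, key: str, password: str, stored: str) -> str:
    """Return 'blocked', 'ok' or 'bad'. The limiter is consulted before hashing,
    so a locked-out client cannot keep burning CPU on the KDF."""
    if limiter.is_blocked(key):
        return "blocked"
    if verify_password(password, stored):
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "bad"


if __name__ == "__main__":
    record = hash_password("Kunal@123456")            # constructed sample password
    print(verify_password("Kunal@123456", record))
    print(verify_password("Kunal@123456" * 100, record))   # rejected without hashing
```

The same `check_length` guard has to sit in front of every route that hashes user input, registration and login as well as the reset-password endpoint named in this report, and a request-body size limit at the reverse proxy is a cheap second layer. One caveat when the hash is bcrypt rather than PBKDF2: bcrypt silently truncates input at 72 bytes, so it does not get slower with length, but an application that pre-hashes or otherwise processes the full string before bcrypt can still be hurt, and either way rejecting over-long input explicitly is clearer than relying on truncation.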