DoS due to unrestricted hashing in alextselegidis/easyappointments
Apr 13th 2022
The application accepts strings of any size as passwords and processes (hashes) the string to check in the database if the user exists, for example upon login.
Being the hashing process resource-intensive, it can be possible to cause Denial of Service without particular processing power.
The app should limit the length of accepted passwords to a reasonable size (100 chars would be enough), and reject it before hashing.
This is important especially if you move password hashing to bcrypt algorithm (to achieve stronger/safer encryption), because compared to the current sha256 is slower and requires more CPU power.
An attacker would be able to DoS a system with a few resources, probably just a couple of hundreds of HTTP requests.