Incorrect Implementation of Authentication Algorithm in cortezaproject/corteza-server
Nov 10th 2021
Hey, when I attempted to change the password after creating an account, I noticed that you haven't kept any password boundary. You need to limit password length. Hashing a large amount of data can cause significant resource consumption on the server and would be an easy target for an application-level Denial of Service attack.
1. Create an account using any mail (I used temp mail)
2. Log in
3. Change password
4. Set new password = unbounded characters/special characters/numbers
5. Done
This allows for denial-of-service attacks through repeated submission of very long passwords, tying up server resources in the expensive computation of the corresponding hashes: the password hash is computed before any length check, so the attacker controls how much work each request costs.
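The fix the report asks for is a length bound that runs before the expensive hash. The following Go code is an added illustration of that hardened flow; it is not corteza-server's code, and the policy struct, the `Hasher` interface and the `PasswordChanger` type are assumptions made for the example. The 72-byte ceiling is bcrypt's real input limit (longer input is silently truncated by bcrypt), so accepting more only hands the server extra hashing work. The hash itself is an iterated SHA-256 stand-in so the example runs offline without `golang.org/x/crypto/bcrypt`; it is not a password hash and is labelled as such.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// PasswordPolicy bounds password length in bytes. MaxBytes of 72 matches
// bcrypt's input limit; bytes past it would be truncated anyway, so
// accepting them only buys the attacker hashing work for free.
type PasswordPolicy struct {
	MinBytes int
	MaxBytes int
}

var (
	ErrPasswordTooShort = errors.New("password too short")
	ErrPasswordTooLong  = errors.New("password too long")
	ErrPasswordNotUTF8  = errors.New("password is not valid UTF-8")
)

// Validate runs before any hashing. The length checks read a length field,
// so a multi-megabyte body is rejected at essentially zero cost.
func (p PasswordPolicy) Validate(pw string) error {
	n := len(pw) // bytes, not runes: multi-byte characters count fully
	switch {
	case n < p.MinBytes:
		return ErrPasswordTooShort
	case n > p.MaxBytes:
		return ErrPasswordTooLong
	case !utf8.ValidString(pw):
		return ErrPasswordNotUTF8
	}
	return nil
}

// Hasher is the expensive step (bcrypt in a real server). It is an
// interface here so the example runs offline without x/crypto.
type Hasher interface {
	Hash(pw []byte) ([]byte, error)
}

// slowStandIn is a placeholder for bcrypt: iterated SHA-256 whose cost grows
// with input size. Not a real password hash; do not use it as one.
type slowStandIn struct{ rounds int }

func (s slowStandIn) Hash(pw []byte) ([]byte, error) {
	sum := sha256.Sum256(pw)
	for i := 0; i < s.rounds; i++ {
		sum = sha256.Sum256(append(sum[:], pw...))
	}
	return sum[:], nil
}

// PasswordChanger wires policy and hasher together and counts hash calls so
// a test can show that oversized input never reaches the hasher.
type PasswordChanger struct {
	Policy    PasswordPolicy
	Hasher    Hasher
	HashCalls int
}

// Change is the hardened form of the password-change step in the report:
// validate first, hash only what passed validation.
func (c *PasswordChanger) Change(newPassword string) ([]byte, error) {
	if err := c.Policy.Validate(newPassword); err != nil {
		return nil, fmt.Errorf("reject password change: %w", err)
	}
	c.HashCalls++
	return c.Hasher.Hash([]byte(newPassword))
}

// DefaultPolicy: a modest lower bound and bcrypt's 72-byte ceiling.
var DefaultPolicy = PasswordPolicy{MinBytes: 8, MaxBytes: 72}

func main() {
	c := &PasswordChanger{Policy: DefaultPolicy, Hasher: slowStandIn{rounds: 1000}}
	// Constructed inputs: a normal passphrase and a 1 MiB "password".
	for _, pw := range []string{"correct horse battery staple", strings.Repeat("A", 1<<20)} {
		if _, err := c.Change(pw); err != nil {
			fmt.Printf("%d bytes: %v\n", len(pw), err)
		} else {
			fmt.Printf("%d bytes: hashed (hash calls so far: %d)\n", len(pw), c.HashCalls)
		}
	}
}
```

The check is deliberately on bytes rather than characters, since the hash consumes bytes and a UTF-8 character can be up to four of them; applying the same bound on login and on registration closes the equivalent path there. Returning a specific error lets the HTTP layer map it to a 400 rather than a 500, which also keeps the rejected requests visible in logs as policy failures rather than server faults.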