DOS exploit
Opened this issue · 2 comments
Hey, just wanted to let you know I've gotten reports from users of my library, Nbvcxz, that are getting a DoS every so often from specifically crafted passwords.
I even found a tool, created by a government contractor, for issuing a DoS against programs that use libraries containing the algorithms from the original zxcvbn implementation that are vulnerable to combination explosion:
I've solved this by implementing a maxLength-type configuration, but that isn't totally done yet, as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. I'm working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.
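As an added illustration of the mitigation described in the comment above (not code from Nbvcxz, the zxcvbn gem, or the thread's author): a wrapper that caps the number of characters reaching the combinatorial matcher while still looking the full, untransformed password up in the dictionary. Every class, method and parameter name here is an assumption for illustration; `scorer` stands in for a call such as `Zxcvbn.test`, and the window-counting scorer is a constructed stand-in whose only purpose is to make the bound on work visible.

```ruby
require 'set'

# Added example. Caps what reaches the expensive matcher (max_length) and
# checks the whole password against the word list first, so a long dictionary
# entry cannot hide behind the truncation. All names are assumptions.
class CappedStrengthTester
  Result = Struct.new(:score, :truncated, :dictionary_hit, keyword_init: true)

  # scorer: any callable taking the (possibly truncated) password and returning
  #         an Integer score; in production this would wrap the real library.
  def initialize(scorer:, max_length: 64, word_list: [])
    raise ArgumentError, 'max_length must be positive' unless max_length.positive?

    @scorer = scorer
    @max_length = max_length
    @words = Set.new(word_list.map(&:downcase))
  end

  def test(password)
    # Step 1: exact lookup on the whole password, no transformations. A hash
    # lookup costs the same at any length, so it is safe to run before capping,
    # and it catches long dictionary entries that truncation would otherwise hide.
    if @words.include?(password.downcase)
      return Result.new(score: 0, truncated: false, dictionary_hit: true)
    end

    # Step 2: only the first max_length characters reach the matcher, so its
    # running time is bounded by a constant the operator chooses.
    prefix = password[0, @max_length]
    Result.new(score: @scorer.call(prefix),
               truncated: password.length > @max_length,
               dictionary_hit: false)
  end
end

# Constructed stand-in for the superlinear part of a zxcvbn-style matcher: it
# examines every substring window (n*(n+1)/2 of them) and counts how many it
# looked at. The real matcher is more complex; this only models the growth.
class WindowCountingScorer
  attr_reader :windows_examined

  def initialize
    @windows_examined = 0
  end

  def call(password)
    n = password.length
    (0...n).each do |start|
      (start...n).each { |_stop| @windows_examined += 1 }
    end
    # Crude score: one point per 8 characters, capped at 4 like zxcvbn's scale.
    [n / 8, 4].min
  end
end

# Upper bound on windows the toy matcher can examine for a given cap.
def max_windows(max_length)
  max_length * (max_length + 1) / 2
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the symbol string from the thread, repeated, and a long
  # passphrase placed in a toy word list.
  crafted = '4@8({[</369&#!1/|0$5+7%2/' * 8
  scorer = WindowCountingScorer.new
  tester = CappedStrengthTester.new(scorer: scorer, max_length: 32,
                                    word_list: ['correcthorsebatterystaple'])
  puts tester.test(crafted).to_h.inspect
  puts "windows examined: #{scorer.windows_examined} (cap #{max_windows(32)})"
  puts tester.test('correcthorsebatterystaple').to_h.inspect
end
```

With `max_length: 32` the 200-character crafted input costs the matcher exactly 528 windows, the same as any other input of 32 or more characters, while the 25-character passphrase in the word list is rejected before the matcher runs at all. The cap is a ceiling on work, not a substitute for the library's own fix; the dictionary check on the full password is what keeps the cap from turning a weak long password into a strong-looking one.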
Confirmed! Time grows polynomially, O(n^c), with the size of the password, as you mention in your tests.
```
[14] pry(main)> $ Zxcvbn

From: /home/me/.asdf/installs/ruby/2.5.9/lib/ruby/gems/2.5.0/gems/zxcvbn-ruby-1.2.0/lib/zxcvbn.rb:5
Module name: Zxcvbn
Number of lines: 16

module Zxcvbn
  extend self

  DATA_PATH = Pathname(File.expand_path('../../data', __FILE__))

  # Returns a Zxcvbn::Score for the given password
  #
  # Example:
  #
  #   Zxcvbn.test("password").score #=> 0
  def test(password, user_inputs = [], word_lists = {})
    tester = Tester.new
    tester.add_word_lists(word_lists)
    tester.test(password, user_inputs)
  end
end
[15] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" }
=> 2.2909809999982826
[16] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" * 2 }
=> 9.578882999994676
```
Thank you for letting people know, @Tostino 😊
If you don't mind, I would really appreciate it if you could drop a copy of this note on the formigarafa/zxcvbn issues.

Update: improved processing time, now linear O(n) instead of polynomial O(n^c); released new version 0.1.9 of the zxcvbn gem on formigarafa/zxcvbn.
No problem, I will make a similar report over there. I've been trying to hit all the major forks with relevant issues today.