
I was going through the DoS attack reported in the hash functions of most languages (see Application vulnerability due to Non Random Hash Functions).

Can you please tell me whether Tomcat or any web server stores the parameters of an HTTP request in a data structure like a HashTable by default?

Nikhil K R

2 Answers

Yes, since

  • a Map<String, String[]> is the most adapted data structure to store parameters
  • HttpServletRequest has a getParameterMap() method.

Note that this vulnerability has been fixed in recent versions of Tomcat.

JB Nizet
  • Do the newer versions use a TreeMap? That would be the easiest fix. – Michael Borgwardt Jan 02 '12 at 10:47
  • Thanks... So Tomcat stores all parameters in the HTTP request. My app uses Tomcat 6. Is there any workaround in Tomcat 6 for the above vulnerability? – Nikhil K R Jan 02 '12 at 10:48
  • Yes. Use a version of Tomcat 6 where this vulnerability has been fixed. See http://stackoverflow.com/questions/8669946/application-vulnerability-due-to-non-random-hash-functions – JB Nizet Jan 02 '12 at 10:51
  • @MichaelBorgwardt: I don't know if Tomcat uses a TreeMap to fix the issue. The report suggests adding a random part to the keys. – JB Nizet Jan 02 '12 at 10:52
  • @JB Nizet: I think that's because hash-based maps are a built-in data type in some languages, so you can't easily switch to a different implementation when that's part of the API. – Michael Borgwardt Jan 02 '12 at 11:08

Link to the release notes of the workaround:

http://tomcat.10.n6.nabble.com/SECURITY-Apache-Tomcat-and-the-hashtable-collision-DoS-vulnerability-td2405294.html

Strictly speaking, this is not a "fix" for the hash collision problem, but a limitation on exploiting it with large POST parameter lists.

light_303
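The per-request parameter cap that the linked advisory describes, as an added example that is not code from the original thread or from Tomcat itself: a small Python parser for application/x-www-form-urlencoded bodies that builds the name -> values map (the shape of Tomcat's Map<String, String[]>) but rejects the request as soon as more than max_parameter_count pairs are seen, before the surplus entries reach the hash table. The function names, the default limit of 1000 and the sample bodies are assumptions constructed for this example.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote_plus


class TooManyParameters(ValueError):
    """Raised as soon as a request exceeds the configured parameter cap."""


def parse_form_params(body: str, max_parameter_count: Optional[int] = 1000) -> Dict[str, List[str]]:
    """Parse an application/x-www-form-urlencoded body into name -> [values].

    max_parameter_count=None reproduces the unlimited behaviour the question
    asks about: every pair is hashed into the map, however many there are.
    With a cap, the count is checked while scanning the raw string, so the
    request is refused before the excess pairs are inserted into the table.
    """
    params: Dict[str, List[str]] = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue  # tolerate "a=1&&b=2"
        seen += 1
        if max_parameter_count is not None and seen > max_parameter_count:
            raise TooManyParameters(f"more than {max_parameter_count} parameters in request")
        name, has_value, value = pair.partition("=")
        decoded_value = unquote_plus(value) if has_value else ""
        # Repeated names become one key with several values, like String[].
        params.setdefault(unquote_plus(name), []).append(decoded_value)
    return params


def request_accepted(body: str, max_parameter_count: Optional[int]) -> bool:
    """True if the body parses under the given cap, False if it is rejected."""
    try:
        parse_form_params(body, max_parameter_count)
    except TooManyParameters:
        return False
    return True


# Constructed sample inputs (not taken from the original thread).
SAMPLE_BODY = "user=alice&tag=a&tag=b+c&flag&q=%41"
# 5000 distinct, ordinary names: enough to trip a cap of 1000.
LARGE_BODY = "&".join(f"k{i}={i}" for i in range(5000))

if __name__ == "__main__":
    print(parse_form_params(SAMPLE_BODY))
    print("large body, no cap   :", request_accepted(LARGE_BODY, None))
    print("large body, cap 1000 :", request_accepted(LARGE_BODY, 1000))
```

The cap only bounds how much hashing work one request can force; it does not change the hash function, which is why the answer above calls it a limitation rather than a fix.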