- Subject: Hash Table Collisions (n.runs-SA-2011.004)
- From: fredrik danerklint <fredan-lua@...>
- Date: Thu, 29 Dec 2011 18:37:37 +0100
I would like to know if Lua is vulnerable to this hash collision that
was presented at CCC yesterday.
The presentation on YouTube:
And the information about this:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request.
They did mention that Lua could be vulnerable to this kind of an attack
at the end of the presentation, so I would like to know if it is or not.