Is your feature request related to a problem? Please describe.
So, I've looked at the dependencies list and found the module safe-compare, which is used only in one place (here).
It prevents timing attacks, but it opens up DoS attacks using the hookPath and secretToken variables.
An attacker can send requests with very long strings, and it will cause a DoS because safe-compare tries to achieve the same response time by iterating over all string characters every time, and with a very big string it will take a lot of time.
I've made some tests to prove it:
Tests

```js
const safeCompare = require('safe-compare');
// performance is a global in recent Node versions; require it explicitly for older ones
const { performance } = require('perf_hooks');

const TIMINGATTACK_STRING = 'just a long string to test'.repeat(1000);
const TARGET_STRING = 'my secret token';
const MAX_COMPARISIONS = 1000;

let startTime = performance.now();
let counter = 0;

// Baseline: plain === bails out as soon as the lengths differ
for (let i = 0; i < MAX_COMPARISIONS; i++) {
  if (TIMINGATTACK_STRING === TARGET_STRING) counter++;
}
console.log(`default equal: ${performance.now() - startTime}`);

// safe-compare does not short-circuit, so every call walks the long string
startTime = performance.now();
for (let i = 0; i < MAX_COMPARISIONS; i++) {
  if (safeCompare(TIMINGATTACK_STRING, TARGET_STRING)) counter++;
}
console.log(`safe equal: ${performance.now() - startTime}`);
```
Describe the solution you'd like
Use a custom function to compare "dangerous" strings. I've made one that prevents timing attacks on the characters but exposes the string length.
Custom safeCompare

```ts
/**
 * Safely compare two strings to prevent timing attacks
 * @param a Target string to compare
 * @param b Expected string
 */
export function safeCompare(a: string, b: string): boolean {
  let result = 0;
  if (a.length != b.length) {
    // Lengths differ: the answer is already "not equal". Loop over the
    // shorter string so the work is bounded by the shorter length
    // (this is what exposes the length, as noted above).
    if (b.length < a.length) a = b;
    result = 1;
  }
  for (let i = 0; i < a.length; i++) {
    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return result == 0;
}
```