Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host
HTTP header (Hawk.utils.parseHost()
), which was subject to regular expression DoS attack - meaning each added character in the attackers input increases the computation time exponentially. parseHost()
was patched in 9.0.1
to use built-in URL
class to parse hostname instead. Hawk.authenticate()
accepts options
argument. If that contains host
and port
, those would be used instead of a call to utils.parseHost()
.
The product does not properly control the allocation and maintenance of a limited resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Hawk | Mozilla | * | 9.0.1 (excluding) |
Node-hawk | Ubuntu | bionic | * |
Node-hawk | Ubuntu | esm-apps/bionic | * |
Node-hawk | Ubuntu | esm-apps/focal | * |
Node-hawk | Ubuntu | esm-apps/jammy | * |
Node-hawk | Ubuntu | focal | * |
Node-hawk | Ubuntu | jammy | * |
Node-hawk | Ubuntu | kinetic | * |
Node-hawk | Ubuntu | trusty | * |
Node-hawk | Ubuntu | upstream | * |
Node-hawk | Ubuntu | xenial | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.