-
Notifications
You must be signed in to change notification settings - Fork 65
Security Isssue #82
Comments
Can you just share the details here? |
Sure. The issues aren't big.Issue 1: Weak Password RequirementsThe OnTrack application allows extremely weak passwords such as "toor". Below is the exact output demonstrating that the application created a user with a weak password that is also the same as the username.Loading production environment (Rails 6.1.6) Reference: https://cwe.mitre.org/data/definitions/521.htmlIssue 2: Use of Password Hash With Insufficient Computational EffortThe username/passwords of the OnTrack application is utilizing Bcrypt (default configuration). Below is in the input/output of running hashcat against the hashed username/passwords. hashcat -m 3200 -a 0 hashlist wordlist --force hashcat (v6.2.5-508-g0b27d1f9e) starting You have enabled --force to bypass dangerous warnings and errors! Minimum password length supported by kernel: 0 Hashes: 2 digests; 2 unique digests, 2 unique salts Optimizers applied:
Watchdog: Temperature abort trigger set to 100c Host memory required for this attack: 0 MB Dictionary cache built:
The wordlist or mask that you are using is too small. Approaching final keyspace - workload adjusted. $2a$12$DpOrLFhATVwY2.4W7rdXLu.pJyESqE2hb6NpbJLTj9tk4TImvMxWq:toor Session..........: hashcat Started: Thu Jun 30 01:04:39 2022Reference: https://cwe.mitre.org/data/definitions/916.htmlAgain nothing serious at all. Just wanted to bring to your attention and publish/post about the issues. Do I have permission to do that? Would you like me to wait a week or two so you can implement a fix if you see fit? |
Isn't issue 2 just a result of issue 1? Or is there some bcrypt configuration I should be taking advantage of? |
Think you can increase the "cost" to mitigate the ease of cracking : https://www.rubydoc.info/github/codahale/bcrypt-ruby/BCrypt/Password Class Method Details Hashes a secret, returning a BCrypt::Password instance. Takes an optional :cost option, which is a logarithmic variable which determines how computational expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3). The higher the :cost the harder it becomes for attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check users' passwords. Increasing the password complexity requirements is also ideal ofc. |
Hey, can you just email me at security@gainsecmail.com and I'll give you the details.
Thanks
The text was updated successfully, but these errors were encountered: