A variety of programming languages suffer from a denial-of-service (DoS)
condition against storage functions of key/value pairs in hash data structures,
the condition can be leveraged by exploiting predictable collisions in the
underlying hashing algorithms.
The issue finds particular exposure in web server applications and/or
frameworks. In particular, the lack of sufficient limits for the number of
parameters in POST requests in conjunction with the predictable collision
properties in the hashing functions of the underlying languages can render web
applications vulnerable to the DoS condition. The attacker, using specially
crafted HTTP requests, can lead to a 100% of CPU usage which can last up to
several hours depending on the targeted application and server performance, the
amplification effect is considerable and requires little bandwidth and time on
the attacker side.
Source: #2011-003 multiple
implementations denial-of-service via hash algorithm collision
How will our mORMot framework handle such DOS attacks?
The current implementation of parameters parsing is not using a hash table,
nor using any storage list.
The parameters are parsed and checked only once. No global list is created,
just to avoid such DOS problems.