SlideShare uma empresa Scribd logo

This DoS goes loop-di-loop

Allon Mureinik
Allon Mureinik

The document discusses different types of denial of service (DoS) attacks that can impact Node.js applications, including regular expression DoS (ReDoS), JSON parsing DoS, and storage/I/O DoS. It provides code examples demonstrating how these attacks work and suggestions for mitigations, such as using libraries less vulnerable to ReDoS, limiting input sizes, and ensuring asynchronous storage operations.

Software
1 de 15
Baixar para ler offline
This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
© 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
© 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
© 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
© 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
© 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
© 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
© 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
© 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
© 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
© 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
© 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
© 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
© 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/
Thank You Contact allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

Recomendados

Cognitive biases, blind spots and inclusion
Cognitive biases, blind spots and inclusionCognitive biases, blind spots and inclusion
Cognitive biases, blind spots and inclusionAllon Mureinik
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for MicroservicesChristian Posta
 
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.io
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.ioapidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.io
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.ioapidays
 
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...VMware Tanzu
 
Private Cloud Platform as a Service
Private Cloud Platform as a ServicePrivate Cloud Platform as a Service
Private Cloud Platform as a ServiceJim Kaskade
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
apidays LIVE Australia - From micro to macro-coordination through domain-cent...
apidays LIVE Australia - From micro to macro-coordination through domain-cent...apidays LIVE Australia - From micro to macro-coordination through domain-cent...
apidays LIVE Australia - From micro to macro-coordination through domain-cent...apidays
 
Consumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureVMware Tanzu
 

Recomendados

Cognitive biases, blind spots and inclusion
Cognitive biases, blind spots and inclusionCognitive biases, blind spots and inclusion
Cognitive biases, blind spots and inclusionAllon Mureinik
 
Chaos Debugging for Microservices
Chaos Debugging for MicroservicesChaos Debugging for Microservices
Chaos Debugging for MicroservicesChristian Posta
 
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.io
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.ioapidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.io
apidays Paris 2022 - Blurred Lines, Denis Jannot, Solo.ioapidays
 
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...
Monoliths, Microservices, Events, Functions: What It Takes to Go Through the ...VMware Tanzu
 
Private Cloud Platform as a Service
Private Cloud Platform as a ServicePrivate Cloud Platform as a Service
Private Cloud Platform as a ServiceJim Kaskade
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
apidays LIVE Australia - From micro to macro-coordination through domain-cent...
apidays LIVE Australia - From micro to macro-coordination through domain-cent...apidays LIVE Australia - From micro to macro-coordination through domain-cent...
apidays LIVE Australia - From micro to macro-coordination through domain-cent...apidays
 
Consumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureVMware Tanzu
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti
 
Cheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funCheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funSSIMeetup
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
Open AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the LaunchOpen AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the LaunchOpen AR Cloud
 
Consumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureMarcin Grzejszczak
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & PrivacyChris Adriaensen
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersSynopsys Software Integrity Group
 
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summits
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxmccormicknadine86
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxbissacr
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point ConsolidationGroup of company MUK
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Chris Swan
 
Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...Chris Swan
 
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseTools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseVMware Tanzu
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Common Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdfCommon Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdfPridesys IT Ltd.
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondSamsung Open Source Group
 
Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018Samir Dash
 
Oracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenOracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenluisw19
 
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Ravanne Harris
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Default to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your dayDefault to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your dayAllon Mureinik
 

Mais conteúdo relacionado

Semelhante a This DoS goes loop-di-loop

Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti
 
Cheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funCheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funSSIMeetup
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
Open AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the LaunchOpen AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the LaunchOpen AR Cloud
 
Consumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureMarcin Grzejszczak
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & PrivacyChris Adriaensen
 
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summits
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxmccormicknadine86
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxbissacr
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Chris Swan
 
Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...Chris Swan
 
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseTools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseVMware Tanzu
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Common Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdfCommon Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdfPridesys IT Ltd.
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondSamsung Open Source Group
 
Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018Samir Dash
 
Oracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenOracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenluisw19
 
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Ravanne Harris
 

Semelhante a This DoS goes loop-di-loop (20)

Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020
 
Cheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials funCheqd: Making privacy-preserving digital credentials fun
Cheqd: Making privacy-preserving digital credentials fun
 
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
 
Open AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the LaunchOpen AR Cloud One Year Since the Launch
Open AR Cloud One Year Since the Launch
 
Consumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice ArchitectureConsumer Driven Contracts and Your Microservice Architecture
Consumer Driven Contracts and Your Microservice Architecture
 
Internet of Things Security & Privacy
Internet of Things Security & PrivacyInternet of Things Security & Privacy
Internet of Things Security & Privacy
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
AWS Summit Singapore 2019 | Learn How to Achieve Complete Visibility, Strong ...
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docx
 
Chevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docxChevron Phillips Chemical Co LLC .docx
Chevron Phillips Chemical Co LLC .docx
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
 
Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021Dart on Arm - Flutter Bangalore June 2021
Dart on Arm - Flutter Bangalore June 2021
 
Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...Devoxx UK 2022 - Application security: What should the attack landscape look ...
Devoxx UK 2022 - Application security: What should the attack landscape look ...
 
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your EnterpriseTools to Slay the Fire Breathing Monoliths in Your Enterprise
Tools to Slay the Fire Breathing Monoliths in Your Enterprise
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Common Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdfCommon Missteps in Cross-Platform Development.pdf
Common Missteps in Cross-Platform Development.pdf
 
IoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and BeyondIoTivity: Smart Home to Automotive and Beyond
IoTivity: Smart Home to Automotive and Beyond
 
Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018Des ops101 : Overview - RH CoP UI/UX 9nov2018
Des ops101 : Overview - RH CoP UI/UX 9nov2018
 
Oracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenOracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heaven
 
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
Dev net and_tech_centers_working_together_final_for_tech_center_webex_session...
 

Mais de Allon Mureinik

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Default to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your dayDefault to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your dayAllon Mureinik
 
What an episode of Rick and Morty taught me about (accidental) toxicity
What an episode of Rick and Morty taught me about (accidental) toxicityWhat an episode of Rick and Morty taught me about (accidental) toxicity
What an episode of Rick and Morty taught me about (accidental) toxicityAllon Mureinik
 
We are the Borg, you will be interviewed
We are the Borg, you will be interviewedWe are the Borg, you will be interviewed
We are the Borg, you will be interviewedAllon Mureinik
 
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022Allon Mureinik
 
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Somebody set up us the bomb DevConf.CZ 2022 Lightning TalkSomebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Somebody set up us the bomb DevConf.CZ 2022 Lightning TalkAllon Mureinik
 
How open source made me a better manager
How open source made me a better managerHow open source made me a better manager
How open source made me a better managerAllon Mureinik
 
Automatic for the People
Automatic for the PeopleAutomatic for the People
Automatic for the PeopleAllon Mureinik
 
Automatic for the people
Automatic for the peopleAutomatic for the people
Automatic for the peopleAllon Mureinik
 
Mockito - How a mocking library built a real community
Mockito - How a mocking library built a real communityMockito - How a mocking library built a real community
Mockito - How a mocking library built a real communityAllon Mureinik
 
Mockito - how a mocking library built a real community (August Penguin 2017)
Mockito - how a mocking library built a real community (August Penguin 2017)Mockito - how a mocking library built a real community (August Penguin 2017)
Mockito - how a mocking library built a real community (August Penguin 2017)Allon Mureinik
 
Reversim Summit 2016 - Ja-WAT
Reversim Summit 2016 - Ja-WATReversim Summit 2016 - Ja-WAT
Reversim Summit 2016 - Ja-WATAllon Mureinik
 
Virtualization Management The oVirt Way (August Penguin 2015)
Virtualization Management The oVirt Way (August Penguin 2015)Virtualization Management The oVirt Way (August Penguin 2015)
Virtualization Management The oVirt Way (August Penguin 2015)Allon Mureinik
 
Step by Step - Reusing old features to build new ones
Step by Step - Reusing old features to build new onesStep by Step - Reusing old features to build new ones
Step by Step - Reusing old features to build new onesAllon Mureinik
 
oVirt 3.5 Storage Features Overview
oVirt 3.5 Storage Features OverviewoVirt 3.5 Storage Features Overview
oVirt 3.5 Storage Features OverviewAllon Mureinik
 
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...Allon Mureinik
 
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Live Storage Migration in oVirt (Open Storage Meetup May 2013)Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Live Storage Migration in oVirt (Open Storage Meetup May 2013)Allon Mureinik
 
Retro Testing (DevConTLV Jan 2014)
Retro Testing (DevConTLV Jan 2014)Retro Testing (DevConTLV Jan 2014)
Retro Testing (DevConTLV Jan 2014)Allon Mureinik
 

Mais de Allon Mureinik (19)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Default to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your dayDefault to Async - Prevent DoS attacks on your app and your day
Default to Async - Prevent DoS attacks on your app and your day
 
What an episode of Rick and Morty taught me about (accidental) toxicity
What an episode of Rick and Morty taught me about (accidental) toxicityWhat an episode of Rick and Morty taught me about (accidental) toxicity
What an episode of Rick and Morty taught me about (accidental) toxicity
 
We are the Borg, you will be interviewed
We are the Borg, you will be interviewedWe are the Borg, you will be interviewed
We are the Borg, you will be interviewed
 
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
 
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Somebody set up us the bomb DevConf.CZ 2022 Lightning TalkSomebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
 
Zoom out
Zoom outZoom out
Zoom out
 
How open source made me a better manager
How open source made me a better managerHow open source made me a better manager
How open source made me a better manager
 
Automatic for the People
Automatic for the PeopleAutomatic for the People
Automatic for the People
 
Automatic for the people
Automatic for the peopleAutomatic for the people
Automatic for the people
 
Mockito - How a mocking library built a real community
Mockito - How a mocking library built a real communityMockito - How a mocking library built a real community
Mockito - How a mocking library built a real community
 
Mockito - how a mocking library built a real community (August Penguin 2017)
Mockito - how a mocking library built a real community (August Penguin 2017)Mockito - how a mocking library built a real community (August Penguin 2017)
Mockito - how a mocking library built a real community (August Penguin 2017)
 
Reversim Summit 2016 - Ja-WAT
Reversim Summit 2016 - Ja-WATReversim Summit 2016 - Ja-WAT
Reversim Summit 2016 - Ja-WAT
 
Virtualization Management The oVirt Way (August Penguin 2015)
Virtualization Management The oVirt Way (August Penguin 2015)Virtualization Management The oVirt Way (August Penguin 2015)
Virtualization Management The oVirt Way (August Penguin 2015)
 
Step by Step - Reusing old features to build new ones
Step by Step - Reusing old features to build new onesStep by Step - Reusing old features to build new ones
Step by Step - Reusing old features to build new ones
 
oVirt 3.5 Storage Features Overview
oVirt 3.5 Storage Features OverviewoVirt 3.5 Storage Features Overview
oVirt 3.5 Storage Features Overview
 
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
 
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Live Storage Migration in oVirt (Open Storage Meetup May 2013)Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
 
Retro Testing (DevConTLV Jan 2014)
Retro Testing (DevConTLV Jan 2014)Retro Testing (DevConTLV Jan 2014)
Retro Testing (DevConTLV Jan 2014)
 

Último

Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 

Último (20)

Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 

This DoS goes loop-di-loop

  • 1. This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
  • 2. © 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
  • 3. © 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
  • 4. © 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
  • 5. © 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
  • 6. © 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
  • 7. © 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
  • 8. © 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
  • 9. © 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
  • 10. © 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
  • 11. © 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
  • 12. © 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
  • 13. © 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
  • 14. © 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/