Allon Mureinik, profile picture
Uploaded byAllon Mureinik
PDF, PPTX337 views

This DoS goes loop-di-loop

The document discusses different types of denial of service (DoS) attacks that can impact Node.js applications, including regular expression DoS (ReDoS), JSON parsing DoS, and storage/I/O DoS. It provides code examples demonstrating how these attacks work and suggestions for mitigations, such as using libraries less vulnerable to ReDoS, limiting input sizes, and ensuring asynchronous storage operations.

Embed presentation

Download as PDF, PPTX
This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
© 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
© 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
© 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
© 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
© 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
© 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
© 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
© 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
© 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
© 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
© 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
© 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
© 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/
Thank You Contact allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

More Related Content

PDF
Default to Async - Prevent DoS attacks on your app and your day
byAllon Mureinik
 
PDF
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
byLiran Tal
 
PDF
Node.js security - JS Day Italy 2018
byLiran Tal
 
PDF
Douglas Crockford: Serversideness
byWebExpo
 
PDF
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
byLiran Tal
 
ODP
Node.js security
byMaciej Lasyk
 
PDF
ES6: The Awesome Parts
byDomenic Denicola
 
PDF
Killer Bugs From Outer Space
byJérôme Petazzoni
 
Default to Async - Prevent DoS attacks on your app and your day
byAllon Mureinik
 
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
byLiran Tal
 
Node.js security - JS Day Italy 2018
byLiran Tal
 
Douglas Crockford: Serversideness
byWebExpo
 
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
byLiran Tal
 
Node.js security
byMaciej Lasyk
 
ES6: The Awesome Parts
byDomenic Denicola
 
Killer Bugs From Outer Space
byJérôme Petazzoni
 

Similar to This DoS goes loop-di-loop

PDF
Fault Tolerance 101
byC4Media
 
ODP
DevOps Days Vancouver 2014 Slides
byAlex Cruise
 
PDF
Ch 18: Source Code Auditing
bySam Bowne
 
PDF
Defensive programming in Javascript and Node.js
byRuben Tan
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
Angus Fletcher - Error Handling in Concurrent Systems
byMaritime DevCon
 
PDF
Promises generatorscallbacks
byMike Frey
 
PPTX
Node.js - Advanced Basics
byDoug Jones
 
PDF
Think Async: Asynchronous Patterns in NodeJS
byAdam L Barrett
 
PPTX
introduction to node.js
byorkaplan
 
PDF
Rust and the coming age of high integrity languages
byAdaCore
 
PDF
Kamil witecki asynchronous, yet readable, code
byKamil Witecki
 
PPT
Clojure's take on concurrency
byyoavrubin
 
PDF
CNIT 127: Ch 18: Source Code Auditing
bySam Bowne
 
PPTX
20160211 OWASP Charlotte RASP
bychadtindel
 
PDF
Matthew Eernisse, NodeJs, .toster {webdev}
by.toster
 
PPTX
Workshop 1: Good practices in JavaScript
byVisual Engineering
 
PPTX
Reflections on Rousting Rust?
byDavid Evans
 
KEY
NodeJS
by.toster
 
PDF
The Evolution of Async-Programming (SD 2.0, JavaScript)
byjeffz
 
Fault Tolerance 101
byC4Media
 
DevOps Days Vancouver 2014 Slides
byAlex Cruise
 
Ch 18: Source Code Auditing
bySam Bowne
 
Defensive programming in Javascript and Node.js
byRuben Tan
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Angus Fletcher - Error Handling in Concurrent Systems
byMaritime DevCon
 
Promises generatorscallbacks
byMike Frey
 
Node.js - Advanced Basics
byDoug Jones
 
Think Async: Asynchronous Patterns in NodeJS
byAdam L Barrett
 
introduction to node.js
byorkaplan
 
Rust and the coming age of high integrity languages
byAdaCore
 
Kamil witecki asynchronous, yet readable, code
byKamil Witecki
 
Clojure's take on concurrency
byyoavrubin
 
CNIT 127: Ch 18: Source Code Auditing
bySam Bowne
 
20160211 OWASP Charlotte RASP
bychadtindel
 
Matthew Eernisse, NodeJs, .toster {webdev}
by.toster
 
Workshop 1: Good practices in JavaScript
byVisual Engineering
 
Reflections on Rousting Rust?
byDavid Evans
 
NodeJS
by.toster
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
byjeffz
 

More from Allon Mureinik

PDF
CV Writing (slides from my Hackeriot 2025 workshop)
byAllon Mureinik
 
PDF
Who Watches the Watchmen (SciFiDevCon 2025)
byAllon Mureinik
 
PDF
Injustice - Developers Among Us (SciFiDevCon 2024)
byAllon Mureinik
 
PDF
What an episode of Rick and Morty taught me about (accidental) toxicity
byAllon Mureinik
 
PDF
We are the Borg, you will be interviewed
byAllon Mureinik
 
PDF
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
byAllon Mureinik
 
PDF
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
byAllon Mureinik
 
PDF
Zoom out
byAllon Mureinik
 
PDF
Cognitive biases, blind spots and inclusion
byAllon Mureinik
 
PDF
How open source made me a better manager
byAllon Mureinik
 
PDF
Automatic for the People
byAllon Mureinik
 
PDF
Automatic for the people
byAllon Mureinik
 
PDF
Mockito - How a mocking library built a real community
byAllon Mureinik
 
PDF
Mockito - how a mocking library built a real community (August Penguin 2017)
byAllon Mureinik
 
PDF
Reversim Summit 2016 - Ja-WAT
byAllon Mureinik
 
PDF
Virtualization Management The oVirt Way (August Penguin 2015)
byAllon Mureinik
 
PDF
Step by Step - Reusing old features to build new ones
byAllon Mureinik
 
PDF
oVirt 3.5 Storage Features Overview
byAllon Mureinik
 
PDF
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
byAllon Mureinik
 
PDF
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
byAllon Mureinik
 
CV Writing (slides from my Hackeriot 2025 workshop)
byAllon Mureinik
 
Who Watches the Watchmen (SciFiDevCon 2025)
byAllon Mureinik
 
Injustice - Developers Among Us (SciFiDevCon 2024)
byAllon Mureinik
 
What an episode of Rick and Morty taught me about (accidental) toxicity
byAllon Mureinik
 
We are the Borg, you will be interviewed
byAllon Mureinik
 
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
byAllon Mureinik
 
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
byAllon Mureinik
 
Zoom out
byAllon Mureinik
 
Cognitive biases, blind spots and inclusion
byAllon Mureinik
 
How open source made me a better manager
byAllon Mureinik
 
Automatic for the People
byAllon Mureinik
 
Automatic for the people
byAllon Mureinik
 
Mockito - How a mocking library built a real community
byAllon Mureinik
 
Mockito - how a mocking library built a real community (August Penguin 2017)
byAllon Mureinik
 
Reversim Summit 2016 - Ja-WAT
byAllon Mureinik
 
Virtualization Management The oVirt Way (August Penguin 2015)
byAllon Mureinik
 
Step by Step - Reusing old features to build new ones
byAllon Mureinik
 
oVirt 3.5 Storage Features Overview
byAllon Mureinik
 
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
byAllon Mureinik
 
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
byAllon Mureinik
 

Recently uploaded

PDF
Smart ways to se AI in your business , presentation
byAI n Dot Net
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PDF
Accelerating Data Validation with QuerySurge AI
byRTTS
 
PDF
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
PDF
Windows Server 2025 Administration Fundamentals 4ED
byraynasolomon136
 
PDF
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PDF
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
PDF
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
PPTX
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
PDF
Manual Testing Still Matters: 7 Areas Where Humans Beat Automation
byKiwiQA Services
 
PDF
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
PDF
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
DOCX
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
Smart ways to se AI in your business , presentation
byAI n Dot Net
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
Accelerating Data Validation with QuerySurge AI
byRTTS
 
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
Windows Server 2025 Administration Fundamentals 4ED
byraynasolomon136
 
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
Manual Testing Still Matters: 7 Areas Where Humans Beat Automation
byKiwiQA Services
 
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
ChampionMATES – Compete With Friends. Predict Sports. Become the Champion.
byRafal Ksiazek
 
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 

This DoS goes loop-di-loop

  • 1.
    This DoS GoesLoop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
  • 2.
    © 2019 Synopsys,Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
  • 3.
    © 2019 Synopsys,Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
  • 4.
    © 2019 Synopsys,Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
  • 5.
    © 2019 Synopsys,Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
  • 6.
    © 2019 Synopsys,Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
  • 7.
    © 2019 Synopsys,Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
  • 8.
    © 2019 Synopsys,Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
  • 9.
    © 2019 Synopsys,Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
  • 10.
    © 2019 Synopsys,Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
  • 11.
    © 2019 Synopsys,Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
  • 12.
    © 2019 Synopsys,Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
  • 13.
    © 2019 Synopsys,Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
  • 14.
    © 2019 Synopsys,Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/
  • 15.