Default to Async
PancakesCon 5, 24/03/2024
Prevent DoS attacks on your app and your day
Allon Mureinik
Senior Manager, Seeker (IAST) Agents R&D, Synopsys
allon.mureinik@synopsys.com
© 2024 Synopsys, Inc. 2
Can we prevent DoS in our apps?
Default to Async (Allon Mureinik, cc-by-sa-4.0)
No, not that kind of DOS
https://thenounproject.com/icon/save-dos-818218/
This kind of DoS
https://thenounproject.com/icon/no-service-1496954/
This kind of DoS
“The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.”
(https://owasp.org/www-community/attacks/Denial_of_Service)
DDoS – in a different lecture
https://thenounproject.com/icon/distributed-6001953/
We want to focus on the application
https://thenounproject.com/icon/application-1249006/
It’s not about speed – it’s about [not] blocking others
https://thenounproject.com/icon/speed-1116526/
Overwork that parser (JSON Example)
const express = require('express');
const app = express();
// express.json() parses the whole body synchronously on the event loop;
// while it runs, no other request is served
app.use(express.json());
app.post('/json', (req, res) => {
  const numKeys = Object.keys(req.body).length;
  res.end(numKeys + ' keys in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: JSON parse time (ms) against string length (KB); x-axis 0 to 1200 KB, y-axis 0 to 300 ms]
What can we do?
• Don’t allow tainted input to be parsed
  – Not realistic…
• Limit the size of the input
  – E.g., in the above Express example (the default limit is '100kb'):
    app.use(express.json({limit: '40kb'}));
• Do it in the background, not the event loop
  – E.g., use a library like BFJ or JSONStream
https://thenounproject.com/icon/fade-2102225/
Bomb that parser (XML Example)
const express = require('express');
const app = express();
app.use(express.text({type: '*/*'}));
const libxmljs = require('libxmljs2');
// noent: substitute entity references; huge: lift libxml2's built-in size and
// entity-expansion limits. Together they let a tiny payload expand without bound.
const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
app.post('/xml', (req, res) => {
  const parsed = libxmljs.parseXml(req.body, opts);
  res.end(parsed.childNodes().length + ' child nodes in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
Sounds serious, let’s have a laugh
https://thenounproject.com/icon/joker-3976603/
Or a billion laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol0 "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
https://en.wikipedia.org/wiki/Billion_laughs_attack
How bad is it really?
[Chart: “XML Expansion per Lol”, size (MB) against number of lol levels, 1 to 7; two series, XML length (~650 B) and expanded length (up to ~29 MB)]
What can we do?
• Don’t use XML
  – If you can…
• Don’t allow tainted input in your XML
  – If you can…
• Configure your library to not expand entities
  – If you can…
  – libxml wrappers: {noent: false} (leave entity references unsubstituted) or {huge: false} (keep libxml2’s built-in entity-expansion limits)
• Sanitize your input
https://thenounproject.com/icon/sanitizer-3470901/
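The “configure your library” and “sanitize your input” bullets above, as one added example that is not code from the slides: a pre-parse check that works out how far a document’s entity references would expand, by arithmetic over the DTD rather than by expanding anything, and rejects the document before it reaches libxmljs or any other parser. assessEntityExpansion, splitDoctype and laughsPayload are names chosen for this example; laughsPayload reconstructs the slide’s billion-laughs payload for a given number of lol levels. It complements {noent: false}/{huge: false} rather than replacing them, and the simplest policy for untrusted input is still to reject any DOCTYPE outright.

```javascript
// Added example (not from the slides): estimate how far a document's entity
// references would expand before handing it to an XML parser, so a
// billion-laughs payload is rejected by arithmetic instead of by running out
// of memory. Sizes are computed from the DTD without building any expanded
// string, so the check itself is cheap.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;

// Split the document into its DOCTYPE (internal subset included) and the rest.
function splitDoctype(xml) {
  const start = xml.indexOf('<!DOCTYPE');
  if (start < 0) return { dtd: '', body: xml };
  const gt = xml.indexOf('>', start);
  const bracket = xml.indexOf('[', start);
  let end = gt < 0 ? xml.length : gt + 1;
  if (bracket >= 0 && bracket < gt) {
    // internal subset: runs to the closing "]>"
    const close = /\]\s*>/.exec(xml.slice(bracket));
    end = close ? bracket + close.index + close[0].length : xml.length;
  }
  return { dtd: xml.slice(start, end), body: xml.slice(end) };
}

// Returns { ok, expandedChars, entities, reason? }. References to entities the
// DTD does not define (e.g. &amp;) count as their literal reference text.
function assessEntityExpansion(xml, budgetChars) {
  const { dtd, body } = splitDoctype(xml);
  const defs = new Map();
  for (const m of dtd.matchAll(ENTITY_DECL)) defs.set(m[1], m[2] ?? m[3]);

  const memo = new Map();
  const visiting = new Set();

  // Expanded length of a piece of text: its literal characters plus the
  // expanded size of every entity reference it contains.
  function expandedLength(text) {
    let total = 0;
    let last = 0;
    for (const ref of text.matchAll(ENTITY_REF)) {
      total += ref.index - last;
      total += defs.has(ref[1]) ? sizeOf(ref[1]) : ref[0].length;
      last = ref.index + ref[0].length;
    }
    return total + (text.length - last);
  }

  // Expanded length of one entity, memoised: a chain of N levels costs O(N)
  // here even though the real expansion would be exponential. A cycle (which
  // XML forbids, but a hostile document can still declare) is an error.
  function sizeOf(name) {
    if (memo.has(name)) return memo.get(name);
    if (visiting.has(name)) throw new Error(`recursive entity &${name};`);
    visiting.add(name);
    const total = expandedLength(defs.get(name));
    visiting.delete(name);
    memo.set(name, total);
    return total;
  }

  try {
    const expandedChars = expandedLength(body);
    if (expandedChars > budgetChars) {
      return { ok: false, expandedChars, entities: defs.size,
        reason: `entity expansion of ${expandedChars} chars exceeds budget of ${budgetChars}` };
    }
    return { ok: true, expandedChars, entities: defs.size };
  } catch (err) {
    return { ok: false, expandedChars: Infinity, entities: defs.size, reason: err.message };
  }
}

// Constructed sample: the slide's billion-laughs document with a chosen number
// of lol levels (9 reproduces the slide; 7 is the ~29 MB point on its chart).
function laughsPayload(levels) {
  const decls = ['<!ENTITY lol0 "lol">', '<!ELEMENT lolz (#PCDATA)>'];
  for (let i = 1; i <= levels; i++) {
    decls.push(`<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(10)}">`);
  }
  return `<?xml version="1.0"?>\n<!DOCTYPE lolz [\n${decls.join('\n')}\n]>\n<lolz>&lol${levels};</lolz>`;
}

// Before the slide's libxmljs.parseXml call (illustrative; not run here):
//   const verdict = assessEntityExpansion(req.body, 1024 * 1024);
//   if (!verdict.ok) { res.statusCode = 400; return res.end(verdict.reason); }
//   const parsed = libxmljs.parseXml(req.body, { noent: false, huge: false });
```

For the deck’s 9-level payload the estimate is 3 × 10^9 characters (plus the 14 literal characters of the enclosing lolz element); at 7 levels it is 3 × 10^7, which is the ~29 MB on the chart. The estimator never touches the expanded text, so its own cost is linear in the number of declarations and references.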
ReDoS
const express = require('express');
const app = express();
app.get('/regexp', (req, res) => {
  // Both the pattern and the text come straight from the query string.
  // Consider a regex like /(a+)+/: nested quantifiers backtrack exponentially
  // on input they cannot match
  const regexp = new RegExp(req.query.regexp);
  const text = req.query.text;
  res.end(regexp.test(text) ? 'Match!' : 'No match');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: matching time (ms) against the number of ‘a’ characters in the input; x-axis 1 to 35, y-axis 0 to 300,000 ms]
What can we do?
• Check your regexes
  – SAST tools are usually pretty good at this
• Don’t allow tainted input as regex
  – Not always possible…
• Don’t allow tainted input to be evaluated by a dodgy regex
  – Usually not possible…
  – Use length limits
• Think about alternatives to regex
  – re2 guarantees linear-time matching, so it isn’t vulnerable to ReDoS (it gives up backreferences and lookaround to get there)
  – Use specific tools for specific needs (e.g., validator.js)
https://thenounproject.com/icon/alternative-3203434/
Some general takeaways
https://thenounproject.com/icon/takeaway-3438027/
Can we prevent DoS in our day?
“Let’s have a meeting”
https://thenounproject.com/icon/meeting-6528201/
You need to fit it in your day
https://thenounproject.com/icon/fit-4584641/
Limited time == limited communication
https://thenounproject.com/icon/time-limit-4456645/
It’s exclusionary
https://thenounproject.com/icon/racism-4670344/
The timezone problem
https://thenounproject.com/icon/timezone-5429333/
The language problem
https://thenounproject.com/icon/language-3786977/
The like-me problem
https://thenounproject.com/icon/similar-3856992/
The solution – default to async
https://thenounproject.com/icon/asynchronous-learning-27462/
Don’t be a stranger
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
Questions
https://thenounproject.com/term/questions/1195076/

Designing IA for AI - Information Architecture Conference 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

Default to Async - Prevent DoS attacks on your app and your day

  • 1. Default to Async PancakesCon 5, 24/03/2024 Prevent DoS attacks on your app and your day Allon Mureinik Senior Manager, Seeker (IAST) Agents R&D, Synopsys allon.mureinik@synopsys.com
  • 2. © 2024 Synopsys, Inc. Can we prevent DoS in our apps? Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 3. No, not that kind of DOS
  • 4. This kind of DoS
  • 5. This kind of DoS: “The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.” (https://owasp.org/www-community/attacks/Denial_of_Service)
  • 6. DDoS – in a different lecture
  • 7. We want to focus on the application
  • 8. It’s not about speed – it’s about [not] blocking others
  • 9. Overwork that parser (JSON example)
      const express = require('express');
      const app = express();
      app.use(express.json());                 // no size limit: the whole body is parsed on the event loop
      app.post('/json', (req, res) => {
        const numKeys = Object.keys(req.body).length;
        res.end(numKeys + ' keys in the payload');
      });
      app.listen(3000, () => console.log('Listening on port 3000'));
  • 10. How bad is it really? [Chart: parse time (ms) against payload string length (KB); time axis 0 to 300 ms, length axis 0 to 1200 KB]
  • 11–14. What can we do?
      – Don’t allow tainted input to be parsed – not realistic…
      – Limit the size of the input – e.g., in the above Express example: app.use(express.json({limit: '40kb'}));
      – Do it in the background, not on the event loop – e.g., use a library like BFJ or JSONStream
  • 15. © 2024 Synopsys, Inc. 15 Bomb that parser (XML Example) Default to Async (Allon Mureinik, cc-by-sa-4.0) const express = require('express'); const app = express(); app.use(express.text({type: '*/*'})); const libxmljs = require('libxmljs2'); const opts = {noent: true, nocdata: true, noblanks: true, huge: true}; app.post('/xml', (req, res) => { const parsed = libxmljs.parseXml(req.body, opts); res.end(parsed.childNodes().length + ' child nodes in the payload'); }); app.listen(3000, () => console.log('Listening on port 3000'));
  • 16. © 2024 Synopsys, Inc. 16 Sounds serious, let’s have a laugh Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/joker-3976603/
  • 17. © 2024 Synopsys, Inc. 17 Or a billion laughs <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol0 "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> Default to Async (Allon Mureinik, cc-by-sa-4.0) https://en.wikipedia.org/wiki/Billion_laughs_attack
  • 18. © 2024 Synopsys, Inc. 18 How bad is it really? Default to Async (Allon Mureinik, cc-by-sa-4.0) 0 5 10 15 20 25 30 35 1 2 3 4 5 6 7 Size (MB) # Lolz XML Expansion per Lol XML Length Expanded Length ~650b ~29MB
  • 19. © 2024 Synopsys, Inc. 19 What can we do? Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 20. © 2024 Synopsys, Inc. 20 What can we do? • Don’t use XML –If you can… Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/no-entry-1379330/
  • 21. © 2024 Synopsys, Inc. 21 What can we do? • Don’t use XML –If you can… • Don’t allow tainted input in your XML –If you can… Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/no-entry-1379330/
  • 22. © 2024 Synopsys, Inc. 22 What can we do? • Don’t use XML –If you can… • Don’t allow tainted input in your XML –If you can… •Configure your library to not expand entities –If you can… –libxml wrappers:{noent: false} or {huge: false} Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/configure-1883381/
  • 23. © 2024 Synopsys, Inc. 23 What can we do? • Don’t use XML –If you can… • Don’t allow tainted input in your XML –If you can… •Configure your library to not expand entities –If you can… –libxml wrappers:{noent: false} or {huge: false} •Sanitize your input Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/sanitizer-3470901/
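An added example (not code from the slides) of the last two bullets, enforced before the XML reaches any parser: refuse a DOCTYPE by default, and when a DTD must be accepted, compute how large the internal entities would expand to without expanding them, so the slide 17 payload is rejected on arithmetic alone. billionLaughs(levels) rebuilds that payload as constructed test input; guardXml, estimateExpansion and the 1 MB budget are names and values chosen here.

```javascript
// Added example (not from the slides): refuse DTDs, or bound entity expansion
// before the XML ever reaches the parser.
const ENTITY_DECL = /<!ENTITY\s+([^\s%>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([^;&\s<]+);/g;
const DOCTYPE = /<!DOCTYPE[^>\[]*(?:\[[\s\S]*?\]\s*)?>/i;

// Internal general entities declared in the DTD. Parameter and external entities
// are not modelled, so the parser must still be configured not to load them.
function collectEntities(xml) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  return entities;
}

// Byte length of `text` after recursive entity substitution, computed from the
// declarations alone: lol9 is counted as 3 * 10^9 bytes without ever being built.
function expandedLength(text, entities, memo = new Map(), stack = new Set()) {
  let total = 0, last = 0;
  for (const m of text.matchAll(ENTITY_REF)) {
    total += Buffer.byteLength(text.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[1];
    if (!entities.has(name)) { total += Buffer.byteLength(m[0]); continue; } // &amp; etc.: count as written
    if (!memo.has(name)) {
      if (stack.has(name)) throw new Error(`recursive entity ${name}`);
      stack.add(name);
      memo.set(name, expandedLength(entities.get(name), entities, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
  }
  return total + Buffer.byteLength(text.slice(last));
}

// Expanded size of the document body (everything outside the DOCTYPE), in bytes.
function estimateExpansion(xml) {
  return expandedLength(xml.replace(DOCTYPE, ''), collectEntities(xml));
}

// Policy: no DTD unless explicitly allowed, and never more than maxExpandedBytes of expansion.
function guardXml(xml, { allowDtd = false, maxExpandedBytes = 1024 * 1024 } = {}) {
  if (!allowDtd && /<!DOCTYPE/i.test(xml)) throw new Error('DTD not allowed');
  const expanded = estimateExpansion(xml);
  if (expanded > maxExpandedBytes) {
    throw new Error(`entity expansion of ${expanded} bytes exceeds budget of ${maxExpandedBytes}`);
  }
  return expanded;
}

// Constructed test input: the slide's payload with a chosen number of lol levels.
function billionLaughs(levels) {
  const lines = ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', '<!ENTITY lol0 "lol">', '<!ELEMENT lolz (#PCDATA)>'];
  for (let i = 1; i <= levels; i++) lines.push(`<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(10)}">`);
  lines.push(']>', `<lolz>&lol${levels};</lolz>`);
  return lines.join('\n');
}
```

The seven-level payload is estimated at 30,000,036 bytes, matching the ~29 MB on slide 18, and the nine-level one at just over 3 GB; both are refused under the default budget, and a recursive entity pair is refused instead of looping. This guard complements the parser options on the slide rather than replacing them: keep {noent: false} and leave huge unset as well.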
  • 24. © 2024 Synopsys, Inc. 24 ReDoS const express = require('express'); const app = express(); app.get('/regexp', (req, res) => { // Consider a regex like /(a+)+/ const regexp = new RegExp(req.query.regexp); const text = req.query.text; res.end(regexp.test(text) ? 'Match!' : 'No match'); }); app.listen(3000, () => console.log('Listening on port 3000')); Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 25. © 2024 Synopsys, Inc. 25 How bad is it really? Default to Async (Allon Mureinik, cc-by-sa-4.0) 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time (ms) As
  • 26. © 2024 Synopsys, Inc. 26 What can we do? Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 27. © 2024 Synopsys, Inc. 27 What can we do? • Check your regexes – SAST tools are usually pretty good at this Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/check-1159941/
  • 28. © 2024 Synopsys, Inc. 28 What can we do? • Check your regexes – SAST tools are usually pretty good at this • Don’t allow tainted input as regex – Not always possible… Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/no-entry-1379330/
  • 29. © 2024 Synopsys, Inc. 29 What can we do? • Check your regexes – SAST tools are usually pretty good at this • Don’t allow tainted input as regex – Not always possible… • Don’t allow tainted input to be evaluated by a dodgy regex – Usually not possible… – Use length limits Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/no-entry-1379330/
  • 30. © 2024 Synopsys, Inc. 30 What can we do? • Check your regexes – SAST tools are usually pretty good at this • Don’t allow tainted input as regex – Not always possible… • Don’t allow tainted input to be evaluated by a dodgy regex – Usually not possible… – Use length limits • Think about alternatives to regex – re2 isn’t vulnerable to ReDoS – Use specific tools for specific needs (e.g., validator.js) Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/alternative-3203434/
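An added example (not code from the slides) of the "check your regexes" and "use length limits" bullets: a conservative scan for a quantified group that itself contains an unbounded quantifier (the /(a+)+/ shape from slide 24), length caps on both pattern and text, and escapeRegExp for the common case where the "regex" a user sends is really a literal to search for. hasNestedUnboundedQuantifier, safeRegexTest and the 100/1000 limits are names and values chosen here; the scan is a heuristic, not the analysis a SAST tool or re2's linear-time engine gives you, and it does not catch overlapping alternations such as (a|aa)+.

```javascript
// Added example (not from the slides): reject the classic ReDoS shape and bound input sizes
// before handing a tainted pattern to RegExp.

// Recognise a quantifier starting at s[i]; returns its length in characters (0 if none)
// and whether it has no upper bound (*, +, {n,}).
function quantifierAt(s, i) {
  let len = 0, unbounded = false;
  const c = s[i];
  if (c === '*' || c === '+') { len = 1; unbounded = true; }
  else if (c === '?') { len = 1; }
  else if (c === '{') {
    const m = /^\{(\d+)(,(\d*))?\}/.exec(s.slice(i));
    if (m) { len = m[0].length; unbounded = m[2] !== undefined && m[3] === ''; }
  }
  if (len && s[i + len] === '?') len++;   // lazy suffix, e.g. +?
  return { len, unbounded };
}

// True when a group followed by *, + or {n,} contains an unbounded quantifier,
// e.g. (a+)+, ((a+)b)+, (a{2,})*. Escapes and character classes are single atoms.
// Conservative: it also flags patterns like ^(\d+\.)*\d+$ that a real analyser would clear.
function hasNestedUnboundedQuantifier(pattern) {
  const groups = [];   // one flag per open group: did an unbounded quantifier occur inside it?
  const markTop = (q) => { if (q.unbounded && groups.length) groups[groups.length - 1] = true; };
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    if (c === '\\') { i += 2; }                           // escaped character is a plain atom
    else if (c === '[') {                                 // character class is a single atom
      let j = i + 1;
      if (pattern[j] === '^') j++;
      if (pattern[j] === ']') j++;                        // leading ] is literal
      while (j < pattern.length && pattern[j] !== ']') j += pattern[j] === '\\' ? 2 : 1;
      i = j + 1;
    }
    else if (c === '(') { groups.push(false); i++; continue; }
    else if (c === ')') {
      const inner = groups.pop() === true;
      const q = quantifierAt(pattern, i + 1);
      if (inner && q.unbounded) return true;              // (...+...)+ : exponential candidate
      if (inner) markTop({ unbounded: true });            // propagate to the enclosing group
      markTop(q);
      i += 1 + q.len;
      continue;
    }
    else { i++; }
    const q = quantifierAt(pattern, i);                   // quantifier applying to the atom just read
    markTop(q);
    i += q.len;
  }
  return false;
}

// Turn user text into a pattern that matches it literally (the usual intent behind a "search" box).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

const MAX_PATTERN_LEN = 100;   // assumed limits; tune for your inputs
const MAX_TEXT_LEN = 1000;

// The slide's route with the three cheap controls applied in order: length caps first,
// then the structural check, and only then the real engine.
function safeRegexTest(pattern, text, { maxPatternLen = MAX_PATTERN_LEN, maxTextLen = MAX_TEXT_LEN } = {}) {
  if (pattern.length > maxPatternLen) throw new Error('pattern too long');
  if (text.length > maxTextLen) throw new Error('text too long');
  if (hasNestedUnboundedQuantifier(pattern)) throw new Error('pattern rejected: nested unbounded quantifier');
  return new RegExp(pattern).test(text);
}
```

The length caps are the control that holds even when the scan misses a pattern: with the text bounded, the worst case is bounded too. Where the pattern must stay fully user-controlled, swapping RegExp for the re2 binding the slide mentions removes the backtracking engine entirely.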
  • 31. © 2024 Synopsys, Inc. 31 Some general take aways Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/takeaway-3438027/
  • 32. © 2024 Synopsys, Inc. 32 Can we prevent DoS in our day? Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 33. © 2024 Synopsys, Inc. 33 “Let’s have a meeting” Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/meeting-6528201/
  • 34. © 2024 Synopsys, Inc. 34 You need to fit it in your day Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/fit-4584641/
  • 35. © 2024 Synopsys, Inc. 35 Limited time == limited communication Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/time-limit-4456645/
  • 36. © 2024 Synopsys, Inc. 36 It’s exclusionary Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/racism-4670344/
  • 37. © 2024 Synopsys, Inc. 37 The timezone problem Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/timezone-5429333/
  • 38. © 2024 Synopsys, Inc. 38 The language problem Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/language-3786977/
  • 39. © 2024 Synopsys, Inc. 39 The like-me problem Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/similar-3856992/
  • 40. © 2024 Synopsys, Inc. 40 The solution – default to async Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/icon/asynchronous-learning-27462/
  • 41. © 2024 Synopsys, Inc. 41 Don’t be a stranger allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/ Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 42. © 2024 Synopsys, Inc. 42 Questions Default to Async (Allon Mureinik, cc-by-sa-4.0) https://thenounproject.com/term/questions/1195076/