Default to Async
PancakesCon 5, 24/03/2024
Prevent DoS attacks on your app and your day
Allon Mureinik
Senior Manager, Seeker (IAST) Agents R&D, Synopsys
allon.mureinik@synopsys.com
© 2024 Synopsys, Inc. 2
Can we prevent DoS in our apps?
Default to Async (Allon Mureinik, cc-by-sa-4.0)
No, not that kind of DOS
https://thenounproject.com/icon/save-dos-818218/
This kind of DoS
https://thenounproject.com/icon/no-service-1496954/
This kind of DoS
“The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.” (https://owasp.org/www-community/attacks/Denial_of_Service)
DDoS – in a different lecture
https://thenounproject.com/icon/distributed-6001953/
We want to focus on the application
https://thenounproject.com/icon/application-1249006/
It’s not about speed – it’s about [not] blocking others
https://thenounproject.com/icon/speed-1116526/
Overwork that parser (JSON Example)
const express = require('express');
const app = express();
// express.json() runs JSON.parse synchronously on the event loop for every request
app.use(express.json());
app.post('/json', (req, res) => {
  const numKeys = Object.keys(req.body).length;
  res.end(numKeys + ' keys in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: JSON parse time (ms, 0–300) against string length (KB, 0–1200)]
What can we do?
• Don’t allow tainted input to be parsed
  – Not realistic…
• Limit the size of the input
  – E.g., in the above Express example:
    app.use(express.json({limit: '40kb'}));
• Do it in the background, not the event loop
  – E.g., use a library like BFJ or JSONStream
https://thenounproject.com/icon/fade-2102225/
Bomb that parser (XML Example)
const express = require('express');
const app = express();
// Accept any content type as raw text so the body reaches the parser unchanged
app.use(express.text({type: '*/*'}));
const libxmljs = require('libxmljs2');
// noent: substitute entity references; huge: lift libxml's built-in size and expansion limits
const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
app.post('/xml', (req, res) => {
  const parsed = libxmljs.parseXml(req.body, opts);
  res.end(parsed.childNodes().length + ' child nodes in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
Sounds serious, let’s have a laugh
https://thenounproject.com/icon/joker-3976603/
Or a billion laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol0 "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
https://en.wikipedia.org/wiki/Billion_laughs_attack
How bad is it really?
[Chart: XML expansion per lol. For 1–7 lolz, XML length against expanded length (MB, 0–35); a ~650b document expands to ~29MB]
What can we do?
• Don’t use XML
  – If you can…
• Don’t allow tainted input in your XML
  – If you can…
• Configure your library to not expand entities
  – If you can…
  – libxml wrappers: {noent: false} or {huge: false}
• Sanitize your input
https://thenounproject.com/icon/sanitizer-3470901/
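A pre-parse guard for the entity-expansion problem above: it refuses inline DTDs outright, or, where a DOCTYPE must be allowed, computes how large the entities would expand to (in characters) without expanding them. This is an added example, not the talk's code; the function names, the lolz() builder that reconstructs the slide's document for testing, and the 1 MiB default ceiling are assumptions.

```javascript
// Internal-subset entity declarations and entity references.
const ENTITY_DECL = /<!ENTITY\s+([^\s%]+)\s+"([^"]*)"\s*>/g;
const ENTITY_REF = /&([^;&\s]+);/g;

// Collect declarations: name -> replacement text.
function entityDecls(xml) {
  const decls = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) decls.set(m[1], m[2]);
  return decls;
}

// Expanded length of text, following entity references recursively. Memoised,
// so the cost is linear in the number of declarations, not in the expanded
// size; a reference cycle throws instead of looping forever.
function expandedLength(text, decls, memo = new Map(), stack = new Set()) {
  let total = 0;
  let last = 0;
  for (const m of text.matchAll(ENTITY_REF)) {
    total += m.index - last;
    last = m.index + m[0].length;
    const name = m[1];
    if (!decls.has(name)) { total += m[0].length; continue; } // built-in or unknown: keep as-is
    if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, expandedLength(decls.get(name), decls, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
  }
  return total + (text.length - last);
}

// Estimate the fully expanded size of the document body (everything after the DTD).
function estimateExpansion(xml) {
  const decls = entityDecls(xml);
  const dtdEnd = xml.indexOf(']>');
  const body = dtdEnd === -1 ? xml : xml.slice(dtdEnd + 2);
  return expandedLength(body, decls);
}

// Decide before handing the document to the parser. Default: no DOCTYPE at all.
function xmlGuard(xml, { allowDoctype = false, maxChars = 1 << 20 } = {}) {
  if (!allowDoctype && /<!DOCTYPE/i.test(xml)) return { ok: false, reason: 'DOCTYPE not allowed' };
  let size;
  try { size = estimateExpansion(xml); }
  catch (e) { return { ok: false, reason: e.message }; }
  if (size > maxChars) return { ok: false, reason: `expands to ${size} chars` };
  return { ok: true, expanded: size };
}

// Builds the slide's "lolz" document with n entity levels (constructed test input).
function lolz(n) {
  let dtd = '<!ENTITY lol0 "lol">\n<!ELEMENT lolz (#PCDATA)>\n';
  for (let i = 1; i <= n; i++) dtd += `<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(10)}">\n`;
  return `<?xml version="1.0"?>\n<!DOCTYPE lolz [\n${dtd}]>\n<lolz>&lol${n};</lolz>`;
}

// Parser options named on the slide for libxmljs2: no entity substitution and no
// "huge" mode. Listed for reference only; the parser is not invoked here.
const SAFE_LIBXML_OPTS = { noent: false, huge: false };
```

With seven levels the estimate is 3 × 10^7 characters for the body's single &lol7; reference, which matches the ~29MB the chart reports.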
ReDoS
const express = require('express');
const app = express();
app.get('/regexp', (req, res) => {
  // Both the pattern and the text come straight from the query string
  // Consider a regex like /(a+)+/
  const regexp = new RegExp(req.query.regexp);
  const text = req.query.text;
  res.end(regexp.test(text) ? 'Match!' : 'No match');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: match time (ms, 0–300,000) against the number of As in the input (1–35)]
What can we do?
• Check your regexes
– SAST tools are usually pretty good at this
• Don’t allow tainted input as regex
– Not always possible…
• Don’t allow tainted input to be evaluated by a dodgy regex
– Usually not possible…
– Use length limits
• Think about alternatives to regex
– re2 isn’t vulnerable to ReDoS
– Use specific tools for specific needs (e.g., validator.js)
https://thenounproject.com/icon/alternative-3203434/
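The length-limit and "check your regexes" advice above applied to the slide's /regexp route, with a timer so slow evaluations can be logged. This is an added example, not the talk's code; the nested-quantifier check is a deliberately coarse smoke test (SAST tools cover far more, e.g. overlapping alternations), and guardedTest, regexpRoute and the default limits are assumptions.

```javascript
// Coarse static check for the pattern family on the slide, /(a+)+/: a group that
// contains a quantifier and is itself quantified. Only run it on length-bounded
// patterns; it is not meant to be fast on adversarial input itself.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*}](?:[^()\\]|\\.)*\)[+*{]/;

function looksRedosProne(source) {
  return NESTED_QUANTIFIER.test(source);
}

// Run fn and report wall-clock time in milliseconds.
function hrMillis(fn) {
  const t0 = process.hrtime.bigint();
  const result = fn();
  return { result, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

// Guarded evaluation: bound both inputs, refuse suspicious patterns, then match
// and return the elapsed time so callers can alert on slow evaluations.
function guardedTest(patternSource, text, opts = {}) {
  const { maxPatternLen = 200, maxTextLen = 256, slowMs = 100 } = opts;
  if (typeof patternSource !== 'string' || patternSource.length > maxPatternLen) {
    return { status: 'rejected', reason: 'pattern too long' };
  }
  if (looksRedosProne(patternSource)) {
    return { status: 'rejected', reason: 'nested quantifier' };
  }
  if (typeof text !== 'string' || text.length > maxTextLen) {
    return { status: 'rejected', reason: 'text too long' };
  }
  let regexp;
  try {
    regexp = new RegExp(patternSource);
  } catch (e) {
    return { status: 'rejected', reason: 'invalid pattern' };
  }
  const { result, ms } = hrMillis(() => regexp.test(text));
  return { status: 'ok', matched: result, ms, slow: ms > slowMs };
}

// Hardened form of the slide's route (hypothetical wiring: app.get('/regexp', regexpRoute)).
function regexpRoute(req, res) {
  const r = guardedTest(req.query.regexp, req.query.text);
  if (r.status !== 'ok') return res.status(400).end(`Rejected: ${r.reason}`);
  if (r.slow) console.warn(`slow regex (${r.ms.toFixed(1)} ms): ${req.query.regexp}`);
  res.end(r.matched ? 'Match!' : 'No match');
}
```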
Some general takeaways
https://thenounproject.com/icon/takeaway-3438027/
Can we prevent DoS in our day?
“Let’s have a meeting”
https://thenounproject.com/icon/meeting-6528201/
You need to fit it in your day
https://thenounproject.com/icon/fit-4584641/
Limited time == limited communication
https://thenounproject.com/icon/time-limit-4456645/
It’s exclusionary
https://thenounproject.com/icon/racism-4670344/
The timezone problem
https://thenounproject.com/icon/timezone-5429333/
The language problem
https://thenounproject.com/icon/language-3786977/
The like-me problem
https://thenounproject.com/icon/similar-3856992/
The solution – default to async
https://thenounproject.com/icon/asynchronous-learning-27462/
Don’t be a stranger
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
Questions
https://thenounproject.com/term/questions/1195076/