Abstract image of a woman sitting on books and studying on a laptop

This DoS goes loop-di-loop

Allon Mureinik, profile picture
Allon Mureinik

The document discusses different types of denial of service (DoS) attacks that can impact Node.js applications, including regular expression DoS (ReDoS), JSON parsing DoS, and storage/I/O DoS. It provides code examples demonstrating how these attacks work and suggestions for mitigations, such as using libraries less vulnerable to ReDoS, limiting input sizes, and ensuring asynchronous storage operations.

Software
Related topics:
Node.js Development Information Security
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
© 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
© 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
© 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
© 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
© 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
© 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
© 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
© 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
© 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
© 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
© 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
© 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
© 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/
Thank You Contact allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

More Related Content

PDF
Default to Async - Prevent DoS attacks on your app and your day
Allon Mureinik
 
PDF
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Liran Tal
 
PDF
Node.js security - JS Day Italy 2018
Liran Tal
 
PDF
Douglas Crockford: Serversideness
WebExpo
 
PDF
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Liran Tal
 
ODP
Node.js security
Maciej Lasyk
 
PDF
ES6: The Awesome Parts
Domenic Denicola
 
PDF
Killer Bugs From Outer Space
Jérôme Petazzoni
 
Default to Async - Prevent DoS attacks on your app and your day
Allon Mureinik
 
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP
Liran Tal
 
Node.js security - JS Day Italy 2018
Liran Tal
 
Douglas Crockford: Serversideness
WebExpo
 
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
Liran Tal
 
Node.js security
Maciej Lasyk
 
ES6: The Awesome Parts
Domenic Denicola
 
Killer Bugs From Outer Space
Jérôme Petazzoni
 

Similar to This DoS goes loop-di-loop (20)

PDF
Fault Tolerance 101
C4Media
 
ODP
DevOps Days Vancouver 2014 Slides
Alex Cruise
 
PDF
Ch 18: Source Code Auditing
Sam Bowne
 
PDF
Defensive programming in Javascript and Node.js
Ruben Tan
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PDF
Angus Fletcher - Error Handling in Concurrent Systems
Maritime DevCon
 
PDF
Promises generatorscallbacks
Mike Frey
 
PPTX
Node.js - Advanced Basics
Doug Jones
 
PDF
Think Async: Asynchronous Patterns in NodeJS
Adam L Barrett
 
PPTX
introduction to node.js
orkaplan
 
PDF
Rust and the coming age of high integrity languages
AdaCore
 
PDF
Kamil witecki asynchronous, yet readable, code
Kamil Witecki
 
PPT
Clojure's take on concurrency
yoavrubin
 
PDF
CNIT 127: Ch 18: Source Code Auditing
Sam Bowne
 
PPTX
20160211 OWASP Charlotte RASP
chadtindel
 
PDF
Matthew Eernisse, NodeJs, .toster {webdev}
.toster
 
PPTX
Workshop 1: Good practices in JavaScript
Visual Engineering
 
PPTX
Reflections on Rousting Rust?
David Evans
 
KEY
NodeJS
.toster
 
PDF
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 
Fault Tolerance 101
C4Media
 
DevOps Days Vancouver 2014 Slides
Alex Cruise
 
Ch 18: Source Code Auditing
Sam Bowne
 
Defensive programming in Javascript and Node.js
Ruben Tan
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Angus Fletcher - Error Handling in Concurrent Systems
Maritime DevCon
 
Promises generatorscallbacks
Mike Frey
 
Node.js - Advanced Basics
Doug Jones
 
Think Async: Asynchronous Patterns in NodeJS
Adam L Barrett
 
introduction to node.js
orkaplan
 
Rust and the coming age of high integrity languages
AdaCore
 
Kamil witecki asynchronous, yet readable, code
Kamil Witecki
 
Clojure's take on concurrency
yoavrubin
 
CNIT 127: Ch 18: Source Code Auditing
Sam Bowne
 
20160211 OWASP Charlotte RASP
chadtindel
 
Matthew Eernisse, NodeJs, .toster {webdev}
.toster
 
Workshop 1: Good practices in JavaScript
Visual Engineering
 
Reflections on Rousting Rust?
David Evans
 
NodeJS
.toster
 
The Evolution of Async-Programming (SD 2.0, JavaScript)
jeffz
 
Ad

More from Allon Mureinik (20)

PDF
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
PDF
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
 
PDF
What an episode of Rick and Morty taught me about (accidental) toxicity
Allon Mureinik
 
PDF
We are the Borg, you will be interviewed
Allon Mureinik
 
PDF
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
Allon Mureinik
 
PDF
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Allon Mureinik
 
PDF
Zoom out
Allon Mureinik
 
PDF
Cognitive biases, blind spots and inclusion
Allon Mureinik
 
PDF
How open source made me a better manager
Allon Mureinik
 
PDF
Automatic for the People
Allon Mureinik
 
PDF
Automatic for the people
Allon Mureinik
 
PDF
Mockito - How a mocking library built a real community
Allon Mureinik
 
PDF
Mockito - how a mocking library built a real community (August Penguin 2017)
Allon Mureinik
 
PDF
Reversim Summit 2016 - Ja-WAT
Allon Mureinik
 
PDF
Virtualization Management The oVirt Way (August Penguin 2015)
Allon Mureinik
 
PDF
Step by Step - Reusing old features to build new ones
Allon Mureinik
 
PDF
oVirt 3.5 Storage Features Overview
Allon Mureinik
 
PDF
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Allon Mureinik
 
PDF
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Allon Mureinik
 
PDF
Retro Testing (DevConTLV Jan 2014)
Allon Mureinik
 
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
 
What an episode of Rick and Morty taught me about (accidental) toxicity
Allon Mureinik
 
We are the Borg, you will be interviewed
Allon Mureinik
 
What I wish I knew about security - Allon Mureinik DevConf.CZ 2022
Allon Mureinik
 
Somebody set up us the bomb DevConf.CZ 2022 Lightning Talk
Allon Mureinik
 
Zoom out
Allon Mureinik
 
Cognitive biases, blind spots and inclusion
Allon Mureinik
 
How open source made me a better manager
Allon Mureinik
 
Automatic for the People
Allon Mureinik
 
Automatic for the people
Allon Mureinik
 
Mockito - How a mocking library built a real community
Allon Mureinik
 
Mockito - how a mocking library built a real community (August Penguin 2017)
Allon Mureinik
 
Reversim Summit 2016 - Ja-WAT
Allon Mureinik
 
Virtualization Management The oVirt Way (August Penguin 2015)
Allon Mureinik
 
Step by Step - Reusing old features to build new ones
Allon Mureinik
 
oVirt 3.5 Storage Features Overview
Allon Mureinik
 
Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...
Allon Mureinik
 
Live Storage Migration in oVirt (Open Storage Meetup May 2013)
Allon Mureinik
 
Retro Testing (DevConTLV Jan 2014)
Allon Mureinik
 
Ad

Recently uploaded (20)

PDF
E-Commerce Website Development Companyin india
Digital India
 
DOCX
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
PPTX
Tech Workshop Escape Room Tech Workshop
muthuiyad
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PDF
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
PPTX
Matchmaking for JVMs: How to Pick the Perfect GC Partner
Tier1 app
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
PPTX
Airline CRS | Airline CRS Systems | CRS System
yugababu033
 
PDF
AI Guide for Business Growth - Arna Softech
Arna Softech
 
PDF
Microsoft Office 365 Crack Download Free
wasibhadar
 
PPTX
Computer Software - Technology and Livelihood Education
ShielaGuevarra6
 
PDF
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PPTX
MLforCyber_MLDataSetsandFeatures_Presentation.pptx
AaryaNaik8
 
PDF
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
PPTX
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
PDF
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
PDF
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 
PDF
Visual explanation of Dijkstra's Algorithm using Python
Universidad Nacional de Ingenieria
 
E-Commerce Website Development Companyin india
Digital India
 
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
Tech Workshop Escape Room Tech Workshop
muthuiyad
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
Matchmaking for JVMs: How to Pick the Perfect GC Partner
Tier1 app
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
Airline CRS | Airline CRS Systems | CRS System
yugababu033
 
AI Guide for Business Growth - Arna Softech
Arna Softech
 
Microsoft Office 365 Crack Download Free
wasibhadar
 
Computer Software - Technology and Livelihood Education
ShielaGuevarra6
 
AI/ML Infra Meetup | Beyond S3's Basics: Architecting for AI-Native Data Access
Alluxio, Inc.
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
MLforCyber_MLDataSetsandFeatures_Presentation.pptx
AaryaNaik8
 
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
GSA Content Generator Crack (2025 Latest)
halimaanam8
 
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 
Visual explanation of Dijkstra's Algorithm using Python
Universidad Nacional de Ingenieria
 

This DoS goes loop-di-loop

  • 1. This DoS Goes Loop-di-Loop Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com / @mureinik / https://www.linkedin.com/in/mureinik/ FlawCon, 20/10/2019
  • 2. © 2019 Synopsys, Inc. 2This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Developers vs Hackers How will an unreasonable person abuse it? How will a reasonable person use it? https://thenounproject.com/term/theater/17128
  • 3. © 2019 Synopsys, Inc. 3This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Quick Reminder: Node.js’ Event Loop https://thenounproject.com/term/redo/62716
  • 4. © 2019 Synopsys, Inc. 4This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Benchmarks https://www.tandemseven.com/blog/performance-java-vs-node/
  • 5. © 2019 Synopsys, Inc. 5This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Reminder: Denial of Service (DoS) https://thenounproject.com/term/decline/373722
  • 6. © 2019 Synopsys, Inc. 6This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) console.log('a'sttime'); let regex = new RegExp('^(a+)+$'); for (let i = 1; i < 100; ++i) { const str = Array(i + 1).join('a') + 'b'; const before = new Date(); regex.test(str); const after = new Date(); const time = after - before; console.log(`${i}t${time}`); }
  • 7. © 2019 Synopsys, Inc. 7This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Regex DoS (ReDoS) - results 0 50,000 100,000 150,000 200,000 250,000 300,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 33 34 35 Time(ms) As
  • 8. © 2019 Synopsys, Inc. 8This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159 •Check your regexes –E.g., use safe-regex, vuln-regex-detector •Don’t allow tainted input as regex –Not always possible… –If you must, sanitize it (again safe-regex etc.) •Don’t allow tainted input to be evaluated by a dodgy regex –Usually not possible… –Use length limits •Think about alternative solutions –re2 isn’t vulnerable to ReDoS –Use specific tools for specific needs (e.g., validator.js) Regex DoS (ReDoS) - Remediation
  • 9. © 2019 Synopsys, Inc. 9This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS for (let i = 1024; i <= 1024 * 1024 ; i += 1024) { const str = '"' + Array(i + 1).join('a') + '"'; const before = new Date(); for (let j = 1; j < 100; ++j) { JSON.parse(str); } const after = new Date(); console.log(`${i}t${after-before}`); }
  • 10. © 2019 Synopsys, Inc. 10This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) JSON DoS - Results -50 0 50 100 150 200 250 300 0 200 400 600 800 1000 1200 Time(ms) String Lengh (KB)
  • 11. © 2019 Synopsys, Inc. 11This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) https://thenounproject.com/term/alternative-route/2902159/ •Don’t allow tainted input to be parsed –Not realistic… •Limit the size of the input –Express: app.use(express.json({limit: '50kb'}) –Hapi: route.options.payload.maxBytes = 50 * 1024 •If you aren’t parsing JSON by a middle, consider alternative libraries like BFJ or JSONStream JSON DoS - Remediation
  • 12. © 2019 Synopsys, Inc. 12This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) “If anything can hang, it will” - Murphy’s law of storage Storage (I/O) DoS
  • 13. © 2019 Synopsys, Inc. 13This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) The are two ways to perform storage operations in Node.js: 1. The async way –Delegate a storage operation to the kernel, and wait for a callback –E.g.: fs.readDir, fs.writeFile, etc –3rd parties follow similar patterns (e.g., fs-extra, adm-zip) 2. The wrong way Storage (I/O) DoS - Remediation
  • 14. © 2019 Synopsys, Inc. 15This DoS Goes Loop-di-Loop (Allon Mureinik, FlawCon 2019, cc-by-sa-4.0) Questions? https://thenounproject.com/term/questions/1195076/