Default to Async
PancakesCon 5, 24/03/2024
Prevent DoS attacks on your app and your day
Allon Mureinik
Senior Manager, Seeker (IAST) Agents R&D, Synopsys
allon.mureinik@synopsys.com
© 2024 Synopsys, Inc. 2
Can we prevent DoS in our apps?
Default to Async (Allon Mureinik, cc-by-sa-4.0)
No, not that kind of DOS
https://thenounproject.com/icon/save-dos-818218/
This kind of DoS
https://thenounproject.com/icon/no-service-1496954/
This kind of DoS
“The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.”
(https://owasp.org/www-community/attacks/Denial_of_Service)
DDoS – in a different lecture
https://thenounproject.com/icon/distributed-6001953/
We want to focus on the application
https://thenounproject.com/icon/application-1249006/
It’s not about speed – it’s about [not] blocking others
https://thenounproject.com/icon/speed-1116526/
Overwork that parser (JSON Example)
const express = require('express');
const app = express();
// express.json() buffers the body and then hands it to JSON.parse, which runs
// synchronously on the event loop: while one large payload is being parsed,
// every other request on this process waits
app.use(express.json());
app.post('/json', (req, res) => {
  const numKeys = Object.keys(req.body).length;
  res.end(numKeys + ' keys in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: parse time (ms) on the y-axis (0 to 300 ms) against JSON string length (KB) on the x-axis (0 to 1200 KB)]
What can we do?
• Don’t allow tainted input to be parsed
–Not realistic…
• Limit the size of the input
–E.g., in the above Express example:
app.use(express.json({limit: '40kb'}));
–express.json() already defaults to a 100kb limit; set it to the smallest size the endpoint genuinely needs
• Do it in the background, not the event loop
–E.g., use a library like BFJ or JSONStream
–This does not make the parse cheaper; it stops one oversized request from monopolising the event loop and stalling everyone else’s requests
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/speed-limit-4873715/
https://thenounproject.com/icon/fade-2102225/
Bomb that parser (XML Example)
const express = require('express');
const app = express();
app.use(express.text({type: '*/*'}));
const libxmljs = require('libxmljs2');
// noent: substitute entity references with their content;
// huge: relax libxml2's hard-coded parser limits (the ones that would otherwise stop a runaway expansion)
const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
app.post('/xml', (req, res) => {
  const parsed = libxmljs.parseXml(req.body, opts);
  res.end(parsed.childNodes().length + ' child nodes in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
Sounds serious, let’s have a laugh
https://thenounproject.com/icon/joker-3976603/
Or a billion laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol0 "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
https://en.wikipedia.org/wiki/Billion_laughs_attack
How bad is it really?
[Chart: XML expansion per lol level, size (MB) on the y-axis (0 to 35) against the number of nesting levels (1 to 7) on the x-axis; the XML length stays at ~650 bytes while the expanded length reaches ~29 MB at 7 levels]
What can we do?
• Don’t use XML
–If you can…
• Don’t allow tainted input in your XML
–If you can…
• Configure your library to not expand entities
–If you can…
–libxml wrappers: {noent: false} or {huge: false}
–huge: true lifts libxml2’s hard-coded parser limits, including its guard against runaway entity expansion, so never set it for untrusted input; noent: false leaves entity references unsubstituted instead of expanding their content into the tree
• Sanitize your input
–E.g., refuse any document that declares a DOCTYPE before it reaches the parser: no DTD means no entities to expand
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/configure-1883381/
https://thenounproject.com/icon/sanitizer-3470901/
ReDoS
const express = require('express');
const app = express();
app.get('/regexp', (req, res) => {
  // Consider a regex like /(a+)+/ compiled straight from the query string:
  // both the pattern and the text it runs against are attacker-controlled,
  // and a JavaScript regex match cannot be interrupted once it starts
  const regexp = new RegExp(req.query.regexp);
  const text = req.query.text;
  res.end(regexp.test(text) ? 'Match!' : 'No match');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: match time (ms) on the y-axis (0 to 300,000 ms) against the number of a’s in the input (1 to 35) on the x-axis]
What can we do?
• Check your regexes
– SAST tools are usually pretty good at this
• Don’t allow tainted input as regex
– Not always possible…
• Don’t allow tainted input to be evaluated by a dodgy regex
– Usually not possible…
– Use length limits
• Think about alternatives to regex
– re2 isn’t vulnerable to ReDoS: it guarantees linear-time matching, at the price of no backreferences or lookarounds, so not every pattern ports
– Use specific tools for specific needs (e.g., validator.js)
https://thenounproject.com/icon/check-1159941/
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/alternative-3203434/
Some general takeaways
https://thenounproject.com/icon/takeaway-3438027/
Can we prevent DoS in our day?
“Let’s have a meeting”
https://thenounproject.com/icon/meeting-6528201/
You need to fit it in your day
https://thenounproject.com/icon/fit-4584641/
Limited time == limited communication
https://thenounproject.com/icon/time-limit-4456645/
It’s exclusionary
https://thenounproject.com/icon/racism-4670344/
The timezone problem
https://thenounproject.com/icon/timezone-5429333/
The language problem
https://thenounproject.com/icon/language-3786977/
The like-me problem
https://thenounproject.com/icon/similar-3856992/
The solution – default to async
https://thenounproject.com/icon/asynchronous-learning-27462/
Don’t be a stranger
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
Questions
https://thenounproject.com/term/questions/1195076/

 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Default to Async - Prevent DoS attacks on your app and your day

  • 1. Default to Async
    PancakesCon 5, 24/03/2024
    Prevent DoS attacks on your app and your day
    Allon Mureinik, Senior Manager, Seeker (IAST) Agents R&D, Synopsys
    allon.mureinik@synopsys.com
  • 2. Can we prevent DoS in our apps?
    © 2024 Synopsys, Inc. Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 3. No, not that kind of DOS
  • 4. This kind of DoS
  • 5. This kind of DoS
    “The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.”
    (https://owasp.org/www-community/attacks/Denial_of_Service)
  • 6. DDoS – in a different lecture
  • 7. We want to focus on the application
  • 8. It’s not about speed – it’s about [not] blocking others
  • 9. Overwork that parser (JSON Example)

    const express = require('express');
    const app = express();
    app.use(express.json());
    app.post('/json', (req, res) => {
      const numKeys = Object.keys(req.body).length;
      res.end(numKeys + ' keys in the payload');
    });
    app.listen(3000, () => console.log('Listening on port 3000'));

  • 10. How bad is it really?
    [Chart: Time (ms) against String Length (KB); x axis 0 to 1,200 KB, y axis up to 300 ms]
  • 11–14. What can we do?
    • Don’t allow tainted input to be parsed
      – Not realistic…
    • Limit the size of the input
      – E.g., in the above Express example:
          app.use(express.json({limit: '40kb'}));
      – express.json() already applies a default limit of 100kb; set it to the largest body the endpoint legitimately needs, not to what the server can survive.
    • Do it in the background, not on the event loop
      – E.g., use a library like BFJ or JSONStream
      – This does not make the parse cheaper; it stops one expensive request from stalling every other one, so it belongs alongside the size limit, not instead of it.
  • 15. Bomb that parser (XML Example)

    const express = require('express');
    const app = express();
    app.use(express.text({type: '*/*'}));
    const libxmljs = require('libxmljs2');
    // noent: true substitutes entity references with their content;
    // huge: true lifts libxml2's hard-coded size limits. Both are opt-in.
    const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
    app.post('/xml', (req, res) => {
      const parsed = libxmljs.parseXml(req.body, opts);
      res.end(parsed.childNodes().length + ' child nodes in the payload');
    });
    app.listen(3000, () => console.log('Listening on port 3000'));
  • 16. Sounds serious, let’s have a laugh
  • 17. Or a billion laughs

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol0 "lol">
      <!ELEMENT lolz (#PCDATA)>
      <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
      <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>

    (https://en.wikipedia.org/wiki/Billion_laughs_attack)
  • 18. How bad is it really?
    [Chart: XML Expansion per Lol; Size (MB) against # Lolz (1 to 7), two series: XML Length and Expanded Length. About 650 bytes of XML expand to ~29 MB.]
    Each level multiplies the expansion by ten: with all nine levels, &lol9; expands to 10^9 copies of "lol", roughly 3 GB of text from under a kilobyte of input.
  • 19–23. What can we do?
    • Don’t use XML
      – If you can…
    • Don’t allow tainted input in your XML
      – If you can…
    • Configure your library to not expand entities
      – If you can…
      – libxml wrappers: {noent: false} or {huge: false}
      – noent: false is libxml’s default (the example above had to opt in), and leaves entity references unexpanded in the parsed tree; huge: false keeps libxml2’s built-in limits on entity expansion, which reject a document like the one above instead of materialising it.
    • Sanitize your input
  • 24. ReDoS

    const express = require('express');
    const app = express();
    app.get('/regexp', (req, res) => {
      // Consider a regex like /(a+)+/: nested quantifiers backtrack exponentially
      // once the match fails, e.g. /^(a+)+$/ tested against 'aaaa…a!'
      const regexp = new RegExp(req.query.regexp);
      const text = req.query.text;
      res.end(regexp.test(text) ? 'Match!' : 'No match');
    });
    app.listen(3000, () => console.log('Listening on port 3000'));

  • 25. How bad is it really?
    [Chart: Time (ms) against the number of a’s in the input (1 to 35); y axis 0 to 300,000 ms]
  • 26–30. What can we do?
    • Check your regexes
      – SAST tools are usually pretty good at this
    • Don’t allow tainted input as regex
      – Not always possible…
    • Don’t allow tainted input to be evaluated by a dodgy regex
      – Usually not possible…
      – Use length limits
    • Think about alternatives to regex
      – re2 isn’t vulnerable to ReDoS: it guarantees linear-time matching, at the price of not supporting backreferences or lookaround, so existing patterns may need rewriting
      – Use specific tools for specific needs (e.g., validator.js)
  • 31. Some general take aways
  • 32. Can we prevent DoS in our day?
  • 33. “Let’s have a meeting”
  • 34. You need to fit it in your day
  • 35. Limited time == limited communication
  • 36. It’s exclusionary
  • 37. The timezone problem
  • 38. The language problem
  • 39. The like-me problem
  • 40. The solution – default to async
  • 41. Don’t be a stranger
    allon.mureinik@synopsys.com
    @mureinik
    https://www.linkedin.com/in/mureinik/
  • 42. Questions