Default to Async
PancakesCon 5, 24/03/2024
Prevent DoS attacks on your app and your day
Allon Mureinik
Senior Manager, Seeker (IAST) Agents R&D, Synopsys
allon.mureinik@synopsys.com
© 2024 Synopsys, Inc. 2
Can we prevent DoS in our apps?
Default to Async (Allon Mureinik, cc-by-sa-4.0)
No, not that kind of DOS
https://thenounproject.com/icon/save-dos-818218/
This kind of DoS
https://thenounproject.com/icon/no-service-1496954/
This kind of DoS
“The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.”
(https://owasp.org/www-community/attacks/Denial_of_Service)
DDoS – in a different lecture
https://thenounproject.com/icon/distributed-6001953/
We want to focus on the application
https://thenounproject.com/icon/application-1249006/
It’s not about speed – it’s about [not] blocking others
https://thenounproject.com/icon/speed-1116526/
Overwork that parser (JSON Example)
const express = require('express');
const app = express();
app.use(express.json()); // default limit is 100kb, and the whole body is parsed on the event loop
app.post('/json', (req, res) => {
const numKeys = Object.keys(req.body).length;
res.end(numKeys + ' keys in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: JSON parse time (ms) against string length (KB); x-axis 0 to 1200 KB, y-axis up to about 300 ms]
What can we do?
• Don’t allow tainted input to be parsed
–Not realistic…
• Limit the size of the input
–E.g., in the above Express example:
app.use(express.json({limit: '40kb'}));
• Do it in the background, not the event loop
–E.g., use a library like BFJ or JSONStream
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/speed-limit-4873715/
https://thenounproject.com/icon/fade-2102225/
Bomb that parser (XML Example)
const express = require('express');
const app = express();
app.use(express.text({type: '*/*'}));
const libxmljs = require('libxmljs2');
const opts = {noent: true, nocdata: true, noblanks: true, huge: true}; // noent substitutes entities, huge lifts libxml's built-in size limits
app.post('/xml', (req, res) => {
const parsed = libxmljs.parseXml(req.body, opts);
res.end(parsed.childNodes().length + ' child nodes in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));
Sounds serious, let’s have a laugh
https://thenounproject.com/icon/joker-3976603/
Or a billion laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol0 "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
https://en.wikipedia.org/wiki/Billion_laughs_attack
How bad is it really?
[Chart: XML expansion per lol, XML length against expanded length in MB for 1 to 7 lols; a document of ~650 bytes expands to ~29 MB]
What can we do?
• Don’t use XML
–If you can…
• Don’t allow tainted input in your XML
–If you can…
• Configure your library to not expand entities
–If you can…
–libxml wrappers: {noent: false} or {huge: false}
• Sanitize your input
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/configure-1883381/
https://thenounproject.com/icon/sanitizer-3470901/
ReDoS
const express = require('express');
const app = express();
app.get('/regexp', (req, res) => {
// Consider a regex like /(a+)+/
const regexp = new RegExp(req.query.regexp); // the pattern itself comes straight from the query string
const text = req.query.text;
res.end(regexp.test(text) ? 'Match!' : 'No match');
});
app.listen(3000, () => console.log('Listening on port 3000'));
How bad is it really?
[Chart: regex evaluation time (ms) against the number of As in the input, 1 to 35; y-axis up to 300,000 ms]
What can we do?
• Check your regexes
– SAST tools are usually pretty good at this
• Don’t allow tainted input as regex
– Not always possible…
• Don’t allow tainted input to be evaluated by a dodgy regex
– Usually not possible…
– Use length limits
• Think about alternatives to regex
– re2 isn’t vulnerable to ReDoS
– Use specific tools for specific needs (e.g., validator.js)
https://thenounproject.com/icon/check-1159941/
https://thenounproject.com/icon/no-entry-1379330/
https://thenounproject.com/icon/alternative-3203434/
Some general takeaways
https://thenounproject.com/icon/takeaway-3438027/
Can we prevent DoS in our day?
“Let’s have a meeting”
https://thenounproject.com/icon/meeting-6528201/
You need to fit it in your day
https://thenounproject.com/icon/fit-4584641/
Limited time == limited communication
https://thenounproject.com/icon/time-limit-4456645/
It’s exclusionary
https://thenounproject.com/icon/racism-4670344/
The timezone problem
https://thenounproject.com/icon/timezone-5429333/
The language problem
https://thenounproject.com/icon/language-3786977/
The like-me problem
https://thenounproject.com/icon/similar-3856992/
The solution – default to async
https://thenounproject.com/icon/asynchronous-learning-27462/
Don’t be a stranger
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/
Questions
https://thenounproject.com/term/questions/1195076/
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Ad

Default to Async - Prevent DoS attacks on your app and your day

  • 1. Default to Async
     PancakesCon 5, 24/03/2024
     Prevent DoS attacks on your app and your day
     Allon Mureinik, Senior Manager, Seeker (IAST) Agents R&D, Synopsys
     allon.mureinik@synopsys.com
  • 2. © 2024 Synopsys, Inc. 2
     Can we prevent DoS in our apps?
     Default to Async (Allon Mureinik, cc-by-sa-4.0)
  • 3. No, not that kind of DOS
     https://thenounproject.com/icon/save-dos-818218/
  • 4. This kind of DoS
     https://thenounproject.com/icon/no-service-1496954/
  • 5. This kind of DoS
     “The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.”
     (https://owasp.org/www-community/attacks/Denial_of_Service)
  • 6. DDoS – in a different lecture
     https://thenounproject.com/icon/distributed-6001953/
  • 7. We want to focus on the application
     https://thenounproject.com/icon/application-1249006/
  • 8. It’s not about speed – it’s about [not] blocking others
     https://thenounproject.com/icon/speed-1116526/
  • 9. Overwork that parser (JSON Example)
        const express = require('express');
        const app = express();
        // express.json() parses the whole request body synchronously, on the event loop
        app.use(express.json());
        app.post('/json', (req, res) => {
          const numKeys = Object.keys(req.body).length;
          res.end(numKeys + ' keys in the payload');
        });
        app.listen(3000, () => console.log('Listening on port 3000'));
  • 10. How bad is it really?
     [Chart: parse time (ms, 0 to 300) against JSON string length (KB, 0 to 1200)]
  • 11. What can we do?
  • 12–14. What can we do?
     • Don’t allow tainted input to be parsed
       – Not realistic…
     • Limit the size of the input
       – E.g., in the above Express example: app.use(express.json({limit: '40kb'}));
     • Do it in the background, not the event loop
       – E.g., use a library like BFJ or JSONStream
     https://thenounproject.com/icon/no-entry-1379330/
     https://thenounproject.com/icon/speed-limit-4873715/
     https://thenounproject.com/icon/fade-2102225/
  • 15. Bomb that parser (XML Example)
        const express = require('express');
        const app = express();
        app.use(express.text({type: '*/*'}));
        const libxmljs = require('libxmljs2');
        // noent: true substitutes entities; huge: true lifts libxml's built-in size limits
        const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
        app.post('/xml', (req, res) => {
          const parsed = libxmljs.parseXml(req.body, opts);
          res.end(parsed.childNodes().length + ' child nodes in the payload');
        });
        app.listen(3000, () => console.log('Listening on port 3000'));
  • 16. Sounds serious, let’s have a laugh
     https://thenounproject.com/icon/joker-3976603/
  • 17. Or a billion laughs
        <?xml version="1.0"?>
        <!DOCTYPE lolz [
          <!ENTITY lol0 "lol">
          <!ELEMENT lolz (#PCDATA)>
          <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
          <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
          <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
          <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
          <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
          <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
          <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
          <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
          <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
        ]>
        <lolz>&lol9;</lolz>
     https://en.wikipedia.org/wiki/Billion_laughs_attack
  • 18. How bad is it really?
     [Chart “XML Expansion per Lol”: size (MB, 0 to 35) against # lolz (1 to 7); XML length ~650b, expanded length ~29MB]
  • 19. What can we do?
  • 20–23. What can we do?
     • Don’t use XML
       – If you can…
     • Don’t allow tainted input in your XML
       – If you can…
     • Configure your library to not expand entities
       – If you can…
       – libxml wrappers: {noent: false} or {huge: false}
     • Sanitize your input
     https://thenounproject.com/icon/no-entry-1379330/
     https://thenounproject.com/icon/configure-1883381/
     https://thenounproject.com/icon/sanitizer-3470901/
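One way to do the “sanitize your input” bullet, as an added example that is not from the slides: before the document reaches libxml, estimate how far its internal entities would expand and refuse anything over a byte budget, treating a self-referential entity as unbounded. It only understands internal general entities declared with double quotes, which is what the billion-laughs document uses; the function names and the 1 MB budget are assumptions.

```javascript
// Matches <!ENTITY name "value"> declarations in the internal DTD subset and &name; references.
const ENTITY_DECL = /<!ENTITY\s+([^\s%>]+)\s+"([^"]*)"\s*>/g;
const ENTITY_REF = /&([^;\s&<>]+);/g;

// Map of entity name -> raw (unexpanded) replacement text.
function collectEntities(xml) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) entities.set(m[1], m[2]);
  return entities;
}

// Fully expanded length of one entity. Unknown names (including built-ins such as
// &amp;) are counted as the reference itself, a conservative over-estimate; a cycle
// means the parser would never finish, so it is reported as Infinity.
function expandedLength(name, entities, memo, stack) {
  if (memo.has(name)) return memo.get(name);
  if (!entities.has(name)) return name.length + 2;
  if (stack.has(name)) return Infinity;
  const raw = entities.get(name);
  stack.add(name);
  let total = raw.replace(ENTITY_REF, '').length;          // literal characters in the value
  for (const m of raw.matchAll(ENTITY_REF)) total += expandedLength(m[1], entities, memo, stack);
  stack.delete(name);
  memo.set(name, total);
  return total;
}

// Estimated size of the document once every reference in the body is expanded.
function estimateExpansion(xml) {
  const entities = collectEntities(xml);
  const body = xml.replace(/<!DOCTYPE[^\[>]*(\[[\s\S]*?\])?\s*>/, '');   // drop the DTD itself
  const memo = new Map();
  let total = body.replace(ENTITY_REF, '').length;
  for (const m of body.matchAll(ENTITY_REF)) total += expandedLength(m[1], entities, memo, new Set());
  return total;
}

// Gate to run before libxmljs.parseXml(): hypothetical 1 MB budget for the expanded document.
function isSafeToParse(xml, maxBytes = 1024 * 1024) {
  return estimateExpansion(xml) <= maxBytes;
}
```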
  • 24. ReDoS
        const express = require('express');
        const app = express();
        app.get('/regexp', (req, res) => {
          // Consider a regex like /(a+)+/
          // Both the pattern and the text come straight from the query string
          const regexp = new RegExp(req.query.regexp);
          const text = req.query.text;
          res.end(regexp.test(text) ? 'Match!' : 'No match');
        });
        app.listen(3000, () => console.log('Listening on port 3000'));
  • 25. How bad is it really?
     [Chart: time (ms, 0 to 300,000) against the number of As in the input (1 to 35)]
  • 26. What can we do?
  • 27–30. What can we do?
     • Check your regexes
       – SAST tools are usually pretty good at this
     • Don’t allow tainted input as regex
       – Not always possible…
     • Don’t allow tainted input to be evaluated by a dodgy regex
       – Usually not possible…
       – Use length limits
     • Think about alternatives to regex
       – re2 isn’t vulnerable to ReDoS
       – Use specific tools for specific needs (e.g., validator.js)
     https://thenounproject.com/icon/check-1159941/
     https://thenounproject.com/icon/no-entry-1379330/
     https://thenounproject.com/icon/alternative-3203434/
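Three of the mitigations above in code, as an added example that is not from the talk: a user-supplied pattern is escaped and matched literally instead of being compiled, both text and pattern are length-capped, and a small lint flags the nested-quantifier shape of /(a+)+/ so reviewed patterns can be checked in CI. The function names and limits are assumptions, and the lint is a coarse syntactic check rather than a replacement for a SAST tool or re2.

```javascript
const MAX_TEXT_LENGTH = 1000;      // hypothetical cap on text a regex may scan per request
const MAX_PATTERN_LENGTH = 100;    // hypothetical cap on a user-supplied search string

// Escape every metacharacter so user-supplied text is matched literally, never as syntax.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Coarse lint for the shape behind /(a+)+/: a group that contains a quantifier and is
// itself quantified. Only a review hint (it also flags a '+' inside a character class).
function hasNestedQuantifier(source) {
  return /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/.test(source);
}

// Search where the pattern comes from the request: it is used as a literal, never compiled,
// and both the pattern and the text are length-limited before any matching happens.
function safeLiteralSearch(userPattern, text) {
  if (typeof userPattern !== 'string' || userPattern.length > MAX_PATTERN_LENGTH) {
    throw new RangeError('pattern rejected');
  }
  if (typeof text !== 'string' || text.length > MAX_TEXT_LENGTH) {
    throw new RangeError('text too long');
  }
  return new RegExp(escapeRegExp(userPattern)).test(text);
}

// For a fixed, developer-written pattern: refuse one that trips the lint and still cap the text.
function checkedRegexTest(source, text) {
  if (hasNestedQuantifier(source)) {
    throw new Error('pattern ' + source + ' has a nested quantifier; rewrite it or use re2');
  }
  if (text.length > MAX_TEXT_LENGTH) throw new RangeError('text too long');
  return new RegExp(source).test(text);
}
```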
  • 31. Some general takeaways
     https://thenounproject.com/icon/takeaway-3438027/
  • 32. Can we prevent DoS in our day?
  • 33. “Let’s have a meeting”
     https://thenounproject.com/icon/meeting-6528201/
  • 34. You need to fit it in your day
     https://thenounproject.com/icon/fit-4584641/
  • 35. Limited time == limited communication
     https://thenounproject.com/icon/time-limit-4456645/
  • 36. It’s exclusionary
     https://thenounproject.com/icon/racism-4670344/
  • 37. The timezone problem
     https://thenounproject.com/icon/timezone-5429333/
  • 38. The language problem
     https://thenounproject.com/icon/language-3786977/
  • 39. The like-me problem
     https://thenounproject.com/icon/similar-3856992/
  • 40. The solution – default to async
     https://thenounproject.com/icon/asynchronous-learning-27462/
  • 41. Don’t be a stranger
     allon.mureinik@synopsys.com
     @mureinik
     https://www.linkedin.com/in/mureinik/
  • 42. Questions
     https://thenounproject.com/term/questions/1195076/