Default to Async - Prevent DoS attacks on your app and your day
Allon Mureinik
Slides from my talk at PancakesCon 5 – Full Stack Hack
1. Default to Async: Prevent DoS attacks on your app and your day
PancakesCon 5, 24/03/2024
Allon Mureinik, Senior Manager, Seeker (IAST) Agents R&D, Synopsys, allon.mureinik@synopsys.com
© 2024 Synopsys, Inc. Slide footer throughout: Default to Async (Allon Mureinik, cc-by-sa-4.0)

2. Can we prevent DoS in our apps?

3. No, not that kind of DOS
(icon: https://thenounproject.com/icon/save-dos-818218/)

4. This kind of DoS
(icon: https://thenounproject.com/icon/no-service-1496954/)

5. This kind of DoS
"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed." (https://owasp.org/www-community/attacks/Denial_of_Service)

6. DDoS: in a different lecture
(icon: https://thenounproject.com/icon/distributed-6001953/)

7. We want to focus on the application
(icon: https://thenounproject.com/icon/application-1249006/)

8. It's not about speed, it's about [not] blocking others
(icon: https://thenounproject.com/icon/speed-1116526/)

9. Overwork that parser (JSON example)
const express = require('express');
const app = express();
// express.json() runs JSON.parse on every request body, synchronously, on the event loop:
// while one large body is being parsed, no other request on this process is served.
app.use(express.json());
app.post('/json', (req, res) => {
  const numKeys = Object.keys(req.body).length;
  res.end(numKeys + ' keys in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));

10. How bad is it really?
[Chart: parse time (ms, 0 to 300) against payload string length (KB, 0 to 1200)]

11–14. What can we do?
• Don't allow tainted input to be parsed: not realistic…
• Limit the size of the input, e.g. in the Express example above: app.use(express.json({limit: '40kb'}));
• Do it in the background, not on the event loop, e.g. use a library like BFJ or JSONStream
(icons: https://thenounproject.com/icon/no-entry-1379330/, https://thenounproject.com/icon/speed-limit-4873715/, https://thenounproject.com/icon/fade-2102225/)

15. Bomb that parser (XML example)
const express = require('express');
const app = express();
app.use(express.text({type: '*/*'}));
const libxmljs = require('libxmljs2');
// noent: true substitutes entity references while parsing; huge: true lifts libxml2's built-in
// size limits. Together they let a small crafted DTD expand into gigabytes of text.
const opts = {noent: true, nocdata: true, noblanks: true, huge: true};
app.post('/xml', (req, res) => {
  const parsed = libxmljs.parseXml(req.body, opts);
  res.end(parsed.childNodes().length + ' child nodes in the payload');
});
app.listen(3000, () => console.log('Listening on port 3000'));

16. Sounds serious, let's have a laugh
(icon: https://thenounproject.com/icon/joker-3976603/)

17. Or a billion laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol0 "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
(https://en.wikipedia.org/wiki/Billion_laughs_attack)

18. How bad is it really?
[Chart: XML expansion per lol level; expanded size (MB, 0 to 35) against the number of nested lol entities (1 to 7). A ~650 byte document expands to ~29 MB.]

19–23. What can we do?
• Don't use XML: if you can…
• Don't allow tainted input in your XML: if you can…
• Configure your library to not expand entities: if you can… (libxml wrappers: {noent: false} or {huge: false})
• Sanitize your input
(icons: https://thenounproject.com/icon/no-entry-1379330/, https://thenounproject.com/icon/configure-1883381/, https://thenounproject.com/icon/sanitizer-3470901/)
24. ReDoS
const express = require('express');
const app = express();
app.get('/regexp', (req, res) => {
  // Consider a regex like /(a+)+/
  // Both the pattern and the text it is tested against come from the query string,
  // and the match runs on the event loop.
  const regexp = new RegExp(req.query.regexp);
  const text = req.query.text;
  res.end(regexp.test(text) ? 'Match!' : 'No match');
});
app.listen(3000, () => console.log('Listening on port 3000'));

25. How bad is it really?
[Chart: matching time (ms, 0 to 300,000) against the number of "a"s in the input (1 to 35)]

26–30. What can we do?
• Check your regexes: SAST tools are usually pretty good at this
• Don't allow tainted input as regex: not always possible…
• Don't allow tainted input to be evaluated by a dodgy regex: usually not possible… Use length limits
• Think about alternatives to regex: re2 isn't vulnerable to ReDoS; use specific tools for specific needs (e.g., validator.js)
(icons: https://thenounproject.com/icon/check-1159941/, https://thenounproject.com/icon/no-entry-1379330/, https://thenounproject.com/icon/alternative-3203434/)
31. Some general takeaways
(icon: https://thenounproject.com/icon/takeaway-3438027/)

32. Can we prevent DoS in our day?

33. "Let's have a meeting"
(icon: https://thenounproject.com/icon/meeting-6528201/)

34. You need to fit it in your day
(icon: https://thenounproject.com/icon/fit-4584641/)

35. Limited time == limited communication
(icon: https://thenounproject.com/icon/time-limit-4456645/)

36. It's exclusionary
(icon: https://thenounproject.com/icon/racism-4670344/)

37. The timezone problem
(icon: https://thenounproject.com/icon/timezone-5429333/)

38. The language problem
(icon: https://thenounproject.com/icon/language-3786977/)

39. The like-me problem
(icon: https://thenounproject.com/icon/similar-3856992/)

40. The solution: default to async
(icon: https://thenounproject.com/icon/asynchronous-learning-27462/)

41. Don't be a stranger
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/

42. Questions
(icon: https://thenounproject.com/term/questions/1195076/)