freezing the web a study of redos vulnerabilities in
play

Freezing the Web: A Study of ReDoS Vulnerabilities in - PowerPoint PPT Presentation

Feb 24, 2023 •179 likes •875 views

Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers Cristian-Alexandru Staicu Michael Pradel TU Darmstadt www.software-lab.org 15 th August 2018 Regular Expression Denial of Service (ReDoS) i n p u t :

  1. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers Cristian-Alexandru Staicu Michael Pradel TU Darmstadt www.software-lab.org 15 th August 2018

  2. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m i p s u m ” 1/18

  3. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m i p s u m ” input.match(regexp); 1/18

  4. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m p i p r o s u c m e s ” s i n g t i m e : O ( 1 ) input.match(regexp); 1/18

  5. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m p i p r o s u c m e s ” s i n g t i m e : O ( 1 ) input.match(regexp); 1/18

  6. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m p i p r o s u c m e s ” s i n g t i m e : O ( 1 ) input.match(regexp); , ” x 1000 ´ s A o ´ a ˘ ” : t u p n i 1/18

  7. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m p i p r o s u c m e s ” s i n g t i m e : O ( 1 ) input.match(regexp); , ” x 1000 ´ s A ´ o ˘ a processing time: O ( n x ) , x > 1 ” : t u p n i 1/18

  8. Regular Expression Denial of Service (ReDoS) i n p u t : ” L o r e m p i p r o s u c m e s ” s i n g t i m e : O ( 1 ) input.match(regexp); , ” x 1000 ´ s A ´ o ˘ a processing time: O ( n x ) , x > 1 ” : t u p n i 1/18

  9. This Talk ReDoS affects libraries we identify 25 vulnerabilities in popular npm modules 2/18

  10. This Talk ReDoS affects libraries we identify 25 vulnerabilities in popular npm modules ReDoS affects websites hundreds of live websites are vulnerable 2/18

  11. This Talk ReDoS affects libraries we identify 25 vulnerabilities in popular npm modules ReDoS affects websites hundreds of live websites are vulnerable Novel methodology library vulnerability → website vulnerability 2/18

  12. Backtracking-based Matching var regEx = /^a*a*b$/; 3/18

  13. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept 3/18

  14. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept input : ”ab” 3/18

  15. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept input : ”aab” 3/18

  16. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept input : ”aab” 3/18

  17. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept input : ”aaaaaaaaaaaaaaaaaaaa” 3/18

  18. Backtracking-based Matching var regEx = /^a*a*b$/; ǫ ǫ ǫ ǫ ǫ ǫ start 3 4 5 6 7 a ǫ ǫ ǫ 11 10 9 8 ǫ a ǫ b accept input : ”aaaaaaaaaaaaaaaaaaaa” 3/18

  19. Overview ReDoS analysis (Phase 1) Npm modules of libraries 4/18

  20. Overview ReDoS analysis (Phase 1) Npm modules of libraries Module level vulnerabilities (Phase 2) Usage scenarios Exploits creation 4/18

  21. Overview ReDoS analysis (Phase 1) Npm modules of libraries Module level vulnerabilities (Phase 2) Usage scenarios Exploits creation Payloads using HTTP requests List of websites ReDoS analysis List of vulner- (Phase 3) using Node.js of websites able websites 4/18

  22. Overview ReDoS analysis (Phase 1) Npm modules of libraries Module level vulnerabilities (Phase 2) Usage scenarios Exploits creation Payloads using HTTP requests Local machines Live websites List of websites ReDoS analysis List of vulner- (Phase 3) using Node.js of websites able websites 4/18

  23. Setup measure in single instance manually analyze popular setup packages analyze 2,800 websites from fifth most-dependent upon Top 1 million npm package 5/18

  24. Node.js Particularities Events Workers O / I g n i k c o b l file system e1 e2 network Event Loop (JS code) process e3 ... ... callback 6/18

  25. Node.js Particularities Events Workers O / I g n i k c o b l file system e1 e2 network Event Loop (JS code) process e3 Regex.match() ... ... callback 6/18

  26. Node.js Particularities (2) ... ... templates vulnerable engine module strings utility Node.js application headers parser ... DB access 7/18

  27. Ethical Considerations 8/18

  28. Ethical Considerations Few payloads 80 requests in total 8/18

  29. Ethical Considerations Few payloads 80 requests in total Iterative probing most websites use redundancy 8/18

  30. Ethical Considerations Few payloads 80 requests in total Iterative probing most websites use redundancy Safety mechanism stop after timeout or error 8/18

  31. Ethical Considerations Few payloads 80 requests in total Iterative probing most websites use redundancy Safety mechanism stop after timeout or error Vulnerabilities disclosure the majority of them have been fixed 8/18

  32. Phase 1: Npm Analysis Criterion for vulnerable libraries We consider a module to be vulnerable iff we find an input that is at most 80,000 characters long, whose matching time takes more than 5 seconds. 9/18

  33. Phase 1: Npm Analysis Criterion for vulnerable libraries We consider a module to be vulnerable iff we find an input that is at most 80,000 characters long, whose matching time takes more than 5 seconds. Manual analysis of regular expressions and information flow 9/18

  34. Phase 1: Npm Analysis Criterion for vulnerable libraries We consider a module to be vulnerable iff we find an input that is at most 80,000 characters long, whose matching time takes more than 5 seconds. Manual analysis of regular expressions and information flow Manually written exploits 9/18

  35. Phase 1: Vulnerable Regular Expressions 25 ReDoS vulnerabilities 10/18

  36. Phase 1: Vulnerable Regular Expressions 25 ReDoS vulnerabilities 13 advisories 10/18

  37. Phase 1: Vulnerable Regular Expressions 25 ReDoS vulnerabilities 13 advisories One bug bounty 10/18

  38. Phase 1: Vulnerable Regular Expressions 25 ReDoS vulnerabilities 13 advisories One bug bounty Example 1 : content /^([^\/]+\/[^\ s;]+) (?:(?:\s*;\s*boundary =(?:"([^" ]+)"|([^;"]+)))|(?:\s*;\s *[^=]+=(?:(?: "(?:[^" ]+)")|(?:[^;"]+))))*$/i 10/18

  39. Phase 1: Vulnerable Regular Expressions 25 ReDoS vulnerabilities 13 advisories One bug bounty Example 1 : content /^([^\/]+\/[^\ s;]+) (?:(?:\s*;\s*boundary =(?:"([^" ]+)"|([^;"]+)))|(?:\s*;\s *[^=]+=(?:(?: "(?:[^" ]+)")|(?:[^;"]+))))*$/i Example 2 : ua-parser-js /ip[honead ]+(.* os\s([\w]+)*\ slike\smac |;\ sopera)/ 10/18

  40. Phase 2: HTTP-level Payload Creation Local Node.js installation 11/18

  41. Phase 2: HTTP-level Payload Creation Local Node.js installation For each payload, create a usage scenario 11/18

  42. Phase 2: HTTP-level Payload Creation Local Node.js installation For each payload, create a usage scenario var MobileDetect = require("mobile -detect"); var headers = req.headers["user -agent"]; var md = new MobileDetect (headers); md.phone (); 11/18

  43. Phase 2: HTTP-level Payload Creation Local Node.js installation For each payload, create a usage scenario var MobileDetect = require("mobile -detect"); var headers = req.headers["user -agent"]; var md = new MobileDetect (headers); md.phone (); For each scenario, create HTTP level payloads 11/18

  44. Phase 2: HTTP-level Payload Creation Local Node.js installation For each payload, create a usage scenario var MobileDetect = require("mobile -detect"); var headers = req.headers["user -agent"]; var md = new MobileDetect (headers); md.phone (); For each scenario, create HTTP level payloads In total 8 payloads corresponding to 8 popular modules 11/18

  45. Phase 2: Input Dependency 2000 Matching time (ms) 1500 1000 500 ua-parser-js 0 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Input size (number of characters) 12/18

  46. Phase 2: Input Dependency 2000 Matching time (ms) 1500 1000 500 ua-parser-js useragent 0 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Input size (number of characters) 12/18

  47. Phase 2: Input Dependency 2000 Matching time (ms) charset 1500 fresh forwarded 1000 content mobile-detect platform 500 ua-parser-js useragent 0 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Input size (number of characters) 12/18

  48. Phase 3: Websites Analysis P1 100ms 3x 5x 3x 5x 13/18

  49. Phase 3: Websites Analysis P1 P2 100ms 200ms 3x 5x 3x 5x 3x 5x 3x 5x 13/18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TISSUE FREEZING METHODS FOR CRYOSTAT SECTIONING Basic Tissue Freezing Methods Preparing Tissue

TISSUE FREEZING METHODS FOR CRYOSTAT SECTIONING Basic Tissue Freezing Methods Preparing Tissue

TISSUE FREEZING METHODS FOR CRYOSTAT SECTIONING Basic Tissue Freezing Methods Preparing Tissue for Freezing Then a quick overview of MHPL Cryostat sectioning Techniques: Using The Brush; Using The Anti-Roll Plate; Speaker: Donna J. Emge,

567 views • 33 slides
Type Freezing Motivation Background Simple Type Freezing Nested Type Freezing Evaluation Page

Type Freezing Motivation Background Simple Type Freezing Nested Type Freezing Evaluation Page

T YPE F REEZING : E XPLOITING A TTRIBUTE T YPE M ONOMORPHISM IN T RACING JIT C OMPILERS Lin Cheng 1 , Berkin Ilbeyi 1 , Carl Friedrich Bolz-Tereick 2 , Christopher Batten 1 1 Computer Systems Laboratory Cornell University 2

540 views • 40 slides
Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors

Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors

Freezing of Gait Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors Prateek Gundannavar Vijay Advisor: Arye Nehorai Research Overview Preston M. Green Department of Electrical & Systems

491 views • 21 slides
Female Reproductive Aging & Egg Freezing JOSHUA U. KLEIN, MD, FACOG ASSISTANT CLI NICAL

Female Reproductive Aging & Egg Freezing JOSHUA U. KLEIN, MD, FACOG ASSISTANT CLI NICAL

Female Reproductive Aging & Egg Freezing JOSHUA U. KLEIN, MD, FACOG ASSISTANT CLI NICAL PROFESSOR OF OBSTETRICS, GYNECOLOGY, & REPRODUCTIVE SCI ENCE I CAHN SCHOOL OF MEDICINE AT MOUNT SI NAI Egg Freezing: Media Darling What You Need

512 views • 28 slides
Freezing of gait it Pathophysiology Alice Nieuwboer Rehabilitation Sciences KU Leuven, Belgium

Freezing of gait it Pathophysiology Alice Nieuwboer Rehabilitation Sciences KU Leuven, Belgium

Freezing of gait it Pathophysiology Alice Nieuwboer Rehabilitation Sciences KU Leuven, Belgium Disclosure - None Learning objective Understand the pathophysiological mechanism of freezing of gait Examine the abnormal changes in brain

363 views • 22 slides
Spin and orbital freezing in unconventional superconductors Philipp Werner University of

Spin and orbital freezing in unconventional superconductors Philipp Werner University of

Spin and orbital freezing in unconventional superconductors Philipp Werner University of Fribourg Kyoto, November 2017 Spin and orbital freezing in unconventional superconductors In collaboration with: Shintaro Hoshino (Saitama) Hiroshi

972 views • 52 slides
Freezing of Gait: Phenomenology PD Dr. M. Ptter-Nerger UKE Hamburg, Germany Phenomenology gait

Freezing of Gait: Phenomenology PD Dr. M. Ptter-Nerger UKE Hamburg, Germany Phenomenology gait

Nr. 1 MDS-ES Online Course 11/2020 Gait Disturbances in PD: What PTs have to know to treat patients Freezing of Gait: Phenomenology PD Dr. M. Ptter-Nerger UKE Hamburg, Germany Phenomenology gait disturbance and freezing in Parkinsons

979 views • 25 slides
Spin freezing in unconventional superconductors Philipp Werner University of Fribourg Beijing,

Spin freezing in unconventional superconductors Philipp Werner University of Fribourg Beijing,

Spin freezing in unconventional superconductors Philipp Werner University of Fribourg Beijing, August 2018 Tuesday, August 21, 18 Spin freezing in unconventional superconductors In collaboration with: Shintaro Hoshino (Saitama) Hiroshi

770 views • 52 slides
Cryo Preparation at NRAMM NRAMM group Joel Quispe Overview of the freezing procedures at NRAMM

Cryo Preparation at NRAMM NRAMM group Joel Quispe Overview of the freezing procedures at NRAMM

Cryo Preparation at NRAMM NRAMM group Joel Quispe Overview of the freezing procedures at NRAMM First Ill go over some background of cryo-EM Then the principles of freezing Steps we follow at NRAMM to freeze grids Problems

784 views • 33 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru> whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

976 views • 80 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Oocyte Cryopreservation Fertility Preservation Program (aka Egg Freezing) Fertility

Oocyte Cryopreservation Fertility Preservation Program (aka Egg Freezing) Fertility

10/16/2015 Disclosure No one involved in the planning or presentation of this activity has any relevant financial relationships with a commercial interest to disclose. Oocyte Cryopreservation Fertility Preservation Program (aka Egg Freezing)

751 views • 7 slides
Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru" Jurczyk ZeroNights 2013 E.0x03 Moscow, Russia Introduction Mateusz j00ru Jurczyk Information Security Engineer @ Extremely into Windows

1.11k views • 110 slides
Understanding of Freezing Precipitation Processes and their Changes Pavel Groisman 1,4,7 ,

Understanding of Freezing Precipitation Processes and their Changes Pavel Groisman 1,4,7 ,

Understanding of Freezing Precipitation Processes and their Changes Pavel Groisman 1,4,7 , Xungang Yin 2 , Olga Bulygina 3 , Irina Danilovich (Partasenok) 5 , and Olga Zolina 6,4 (1) North Carolina State University Scholar at NOAA National

633 views • 52 slides
Packrat: A Dependency Management System for R J.J. Allaire June 27, 2014 3/23 Reproducible

Packrat: A Dependency Management System for R J.J. Allaire June 27, 2014 3/23 Reproducible

Packrat: A Dependency Management System for R J.J. Allaire June 27, 2014 3/23 Reproducible Research Foundational as a basis for scientific claims "The goal of reproducible research is to tie specific instructions to data analysis

594 views • 21 slides
COVID VACCINE INFORMATION FOR PHARMACIES October 22 nd , 2020 1 PHARMACIST IMPACT More than

COVID VACCINE INFORMATION FOR PHARMACIES October 22 nd , 2020 1 PHARMACIST IMPACT More than

10/26/2020 COVID VACCINE INFORMATION FOR PHARMACIES October 22 nd , 2020 1 PHARMACIST IMPACT More than 25% of annual influenza vaccinations are administered within pharmacies More than 50% of shingles vaccines are administered by

377 views • 24 slides
AKPhA COVID Vaccine Taskforce Town Hall Meeting October 22, 2020 Agenda Welcome What We

AKPhA COVID Vaccine Taskforce Town Hall Meeting October 22, 2020 Agenda Welcome What We

AKPhA COVID Vaccine Taskforce Town Hall Meeting October 22, 2020 Agenda Welcome What We Know Evolving variables Call to Action What you can do now. Team Lead Updates Discussion/Questions Relations nshi hips ps

453 views • 21 slides
Stubborn Sets with Frozen Actions Antti Valmari Tampere University of Technology Mathematics 1

Stubborn Sets with Frozen Actions Antti Valmari Tampere University of Technology Mathematics 1

Stubborn Sets with Frozen Actions Antti Valmari Tampere University of Technology Mathematics 1 Aps Set Methods 2 The Famous Cycle Condition for Liveness 3 The Contribution of This Study 4 Stubborn Set Conditions for This Study 5

363 views • 13 slides
Increasing Large-Scale Data Center Capacity by Statistical Power Control Guosai Wang, Shuhao

Increasing Large-Scale Data Center Capacity by Statistical Power Control Guosai Wang, Shuhao

Increasing Large-Scale Data Center Capacity by Statistical Power Control Guosai Wang, Shuhao Wang, Bing Luo, Weisong Shi, Yinghang Zhu, Wenjun Yang, Dianming Hu, Longbo Huang, Xin Jin, Wei Xu Data Centers Expensive to build and operate

900 views • 74 slides
A Hard Problem In A Boolean Asynchronous Freezing Cellular Automata Eric Goles, Diego Maldonado,

A Hard Problem In A Boolean Asynchronous Freezing Cellular Automata Eric Goles, Diego Maldonado,

A Hard Problem In A Boolean Asynchronous Freezing Cellular Automata Eric Goles, Diego Maldonado, Pedro Montealegre, and Mart n R os-Wilson Facultad de Ingenier a y Ciencias International Workshop on Boolean Neworks, 9 de enero

1.93k views • 179 slides
Mobile Communications Chapter 9: Mobile Transport Layer Motivation Additional

Mobile Communications Chapter 9: Mobile Transport Layer Motivation Additional

Mobile Communications Chapter 9: Mobile Transport Layer Motivation Additional optimizations TCP-mechanisms Fast retransmit/recovery Classical approaches Transmission freezing Indirect TCP Selective retransmission

364 views • 18 slides
Warm Up - Phase Change Titans Disappearing Lakes Investigating Methane on Titan What questions

Warm Up - Phase Change Titans Disappearing Lakes Investigating Methane on Titan What questions

Warm Up - Phase Change Titans Disappearing Lakes Investigating Methane on Titan What questions about Titan are Dr. Mike Malaska and Dr. Alex Hayes trying to answer through their research? What evidence are they using to answer these

179 views • 14 slides

More recommend