Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers
Cristian-Alexandru Staicu, Michael Pradel
TU Darmstadt
www.software-lab.org
15th August 2018
1/18
Regular Expression Denial of Service (ReDoS)
input: "Lorem ipsum"
input.match(regexp);
processing time: O(1)
input: "aoAs," x 1000
processing time: O(n^x), x > 1
2/18
This Talk
ReDoS affects libraries: we identify 25 vulnerabilities in popular npm modules
ReDoS affects websites: hundreds of live websites are vulnerable
Novel methodology: library vulnerability → website vulnerability
3/18
Backtracking-based Matching
var regEx = /^a*a*b$/;
[Figure: the backtracking NFA for /^a*a*b$/, with states start, 3 to 11 and accept, ε transitions, and the a, a and b character transitions]
input: "ab"
input: "aab"
input: "aaaaaaaaaaaaaaaaaaaa"
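To make the cost of the slide's inputs countable rather than timed, here is an added example (not from the talk): a tiny backtracking matcher with a step counter, run on the slide's /^a*a*b$/ and on the equivalent /^a*b$/. The pattern parser, the step counting and all helper names are this example's own.

```javascript
// Added example (not from the talk): a minimal backtracking matcher that counts
// its steps, so the superlinear work of /^a*a*b$/ on "aaaa..." can be seen
// without relying on wall-clock timing. The pattern syntax supported here is
// deliberately tiny: literal characters, optionally followed by '*' (greedy,
// as in V8). Matching is anchored at both ends, like ^...$ on the slide.

// Parse "a*a*b" into [{ch:'a',star:true},{ch:'a',star:true},{ch:'b',star:false}]
function parsePattern(src) {
  const items = [];
  for (let i = 0; i < src.length; i++) {
    if (src[i + 1] === '*') {
      items.push({ ch: src[i], star: true });
      i++; // skip the '*'
    } else {
      items.push({ ch: src[i], star: false });
    }
  }
  return items;
}

// Recursive backtracking matcher. Every call is one "step". A star item first
// consumes greedily and then gives back one character at a time on failure;
// two adjacent stars over the same character make that retry nested, which is
// where the quadratic cost comes from.
function matchAt(pattern, pi, input, si, counter) {
  counter.steps++;
  if (pi === pattern.length) return si === input.length; // reached '$'
  const { ch, star } = pattern[pi];
  if (!star) {
    return si < input.length && input[si] === ch &&
      matchAt(pattern, pi + 1, input, si + 1, counter);
  }
  let k = 0;
  while (si + k < input.length && input[si + k] === ch) k++;
  for (let j = k; j >= 0; j--) {          // greedy first, then backtrack
    if (matchAt(pattern, pi + 1, input, si + j, counter)) return true;
  }
  return false;
}

// Returns { matched, steps } for an anchored match of `patternSrc` on `input`.
function countSteps(patternSrc, input) {
  const counter = { steps: 0 };
  const matched = matchAt(parsePattern(patternSrc), 0, input, 0, counter);
  return { matched, steps: counter.steps };
}

// Steps for the slide's almost-matching input "a" x n. For a*a*b this is
// 1 + (n+1) + (n+1)(n+2)/2 (quadratic); for the equivalent a*b it is n+2.
function stepsForRun(patternSrc, n) {
  return countSteps(patternSrc, 'a'.repeat(n)).steps;
}

// Stand-alone demo: both patterns accept the same language, but only one of
// them blows up on input that fails at the very last character.
for (const n of [10, 20, 40, 80]) {
  console.log(`n=${n}  a*a*b: ${stepsForRun('a*a*b', n)} steps   a*b: ${stepsForRun('a*b', n)} steps`);
}
```

Rewriting a*a* as a* is the fix for this toy; in real modules the same nested-repetition shape is what the manual analysis in Phase 1 looks for.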
4/18
Overview
[Pipeline diagram]
Phase 1, on local machines: npm modules → ReDoS analysis of libraries → module-level vulnerabilities → exploits creation
Phase 2, on local machines: usage scenarios → payloads using HTTP requests
Phase 3, on live websites: list of websites using Node.js → ReDoS analysis of websites → list of vulnerable websites
5/18
Setup
measure in single instance setup
analyze 2,800 websites from Top 1 million
manually analyze popular packages
fifth most-dependent upon npm package
6/18
Node.js Particularities
[Diagram: the event loop (JS code) processes events e1, e2, e3, ...; blocking I/O (file system, network, process, ...) is handed to workers, which hand results back through callbacks; Regex.match() runs on the event loop itself]
7/18
Node.js Particularities (2)
[Diagram: a Node.js application built from many modules (strings utility, templates engine, DB access, headers parser, ...), one of them a vulnerable module]
8/18
Ethical Considerations
Few payloads: 80 requests in total
Iterative probing: most websites use redundancy
Safety mechanism: stop after timeout or error
Vulnerabilities disclosure: the majority of them have been fixed
9/18
Phase 1: Npm Analysis
Criterion for vulnerable libraries
We consider a module to be vulnerable iff we find an input that
is at most 80,000 characters long and
whose matching takes more than 5 seconds.
Manual analysis of regular expressions and information flow
Manually written exploits
10/18
Phase 1: Vulnerable Regular Expressions
25 ReDoS vulnerabilities
13 advisories
One bug bounty
Example 1: content
/^([^\/]+\/[^\s;]+)(?:(?:\s*;\s*boundary=(?:"([^"]+)"|([^;"]+)))|(?:\s*;\s*[^=]+=(?:(?:"(?:[^"]+)")|(?:[^;"]+))))*$/i
Example 2: ua-parser-js
/ip[honead]+(.*os\s([\w]+)*\slike\smac|;\sopera)/
11/18
Phase 2: HTTP-level Payload Creation
Local Node.js installation
For each payload, create a usage scenario
// Usage scenario: an Express-style request handler that passes the
// User-Agent header (client-controlled input) to the mobile-detect module
var MobileDetect = require("mobile-detect");
function handler(req, res) {
  var headers = req.headers["user-agent"];
  var md = new MobileDetect(headers); // the header is matched against the module's regexes
  md.phone();
}
For each scenario, create HTTP level payloads
In total 8 payloads corresponding to 8 popular modules
12/18
Phase 2: Input Dependency
[Plot: matching time in ms (0 to 2000) against input size in number of characters (0 to 70000), one curve per payload: charset, fresh, forwarded, content, mobile-detect, platform, ua-parser-js, useragent]
13/18
Phase 3: Websites Analysis
[Diagram: five payloads P1 to P5 of increasing size, labelled 100ms, 200ms, 500ms, 1s and 2s, each sent repeatedly (3x, 3x, 5x, 5x)]
Criterion for vulnerable websites
We consider a website to be vulnerable iff:
there is a statistically significant difference between the response times to random and crafted inputs, and
this difference increases when the input size increases.
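The decision rule above, applied to constructed response-time samples, as an added example that is not the authors' tooling. The talk does not state which statistical test it uses, so Welch's t statistic with a fixed cut-off is an assumption made here, and the sample timings for a non-vulnerable and a vulnerable site are made up to mirror the two plots on the following slides.

```javascript
// Added example, not the authors' tooling: the talk's "vulnerable website"
// criterion applied to response-time samples (ms). Measurements are listed
// per payload P1..P5 in increasing size order, each with a few timings for a
// random input and for a crafted input of the same size.

function mean(xs) { return xs.reduce((a, b) => a + b, 0) / xs.length; }
function sampleVariance(xs) {
  const m = mean(xs);
  return xs.reduce((a, x) => a + (x - m) ** 2, 0) / (xs.length - 1);
}

// Welch's t statistic for "crafted is slower than random" (positive = slower).
// Assumption: the talk does not name its test; this one is used here with a
// fixed cut-off instead of a t-table lookup.
const T_CRIT = 2.0; // assumed cut-off, roughly a one-sided 95% level for small samples
function welchT(crafted, random) {
  const diff = mean(crafted) - mean(random);
  const se = Math.sqrt(sampleVariance(crafted) / crafted.length +
                       sampleVariance(random) / random.length);
  if (se === 0) return diff > 0 ? Infinity : 0;
  return diff / se;
}

// Applies both parts of the criterion:
//  (1) a significant crafted-vs-random difference (checked here on the largest
//      payload, where a ReDoS effect is strongest; an assumption), and
//  (2) the crafted-minus-random gap grows with every step up in payload size.
function isVulnerable(measurements) {
  const gaps = measurements.map(m => mean(m.crafted) - mean(m.random));
  const last = measurements[measurements.length - 1];
  const significant = welchT(last.crafted, last.random) > T_CRIT;
  const increasing = gaps.every((g, i) => i === 0 || g > gaps[i - 1]);
  return { vulnerable: significant && increasing, significant, increasing, gaps };
}

// Constructed samples shaped like the two plots that follow in the talk:
// a site whose response time is noisy but unaffected by the crafted input...
const NON_VULNERABLE = [
  { payload: 'P1', random: [920, 1010, 980],   crafted: [950, 1000, 990] },
  { payload: 'P2', random: [1100, 1050, 1200], crafted: [1080, 1150, 1120] },
  { payload: 'P3', random: [990, 1300, 1100],  crafted: [1010, 1250, 1090] },
  { payload: 'P4', random: [1400, 1250, 1350], crafted: [1300, 1420, 1280] },
  { payload: 'P5', random: [1500, 1600, 1550], crafted: [1480, 1620, 1530] },
];
// ...and a site whose crafted responses climb superlinearly with payload size.
const VULNERABLE = [
  { payload: 'P1', random: [210, 230, 220], crafted: [320, 340, 330] },
  { payload: 'P2', random: [215, 225, 235], crafted: [430, 450, 440] },
  { payload: 'P3', random: [220, 240, 230], crafted: [750, 770, 760] },
  { payload: 'P4', random: [225, 235, 245], crafted: [1250, 1280, 1260] },
  { payload: 'P5', random: [230, 240, 250], crafted: [2300, 2350, 2320] },
];

console.log('non-vulnerable site:', isVulnerable(NON_VULNERABLE));
console.log('vulnerable site:', isVulnerable(VULNERABLE));
```

Requiring the gap to grow with size is what separates a slow regex from an ordinary slow endpoint: a site that is merely loaded shows a noisy but flat difference, as in the non-vulnerable plot.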
14/18
Phase 3: Response Time of a Non-Vulnerable Website
[Plot: response time in ms (700 to 1800) for payloads P1 to P5 (increasing in size), random vs. crafted inputs]
15/18
Phase 3: Response Time of a Vulnerable Website
[Plot: response time in ms (0 to 2500) for payloads P1 to P5 (increasing in size), random vs. crafted inputs]
16/18
Phase 3: Number of Vulnerable Websites
Exploit         Number of sites affected
fresh           241
forwarded        99
ua-parser-js     41
useragent        16
mobile-detect     9
platform          8
charset           3
content           0
In total: 339 (11%) websites are vulnerable
16/18
Defenses
[Plot: number of websites (0 to 3000) by accepted header size (log scale, 1 to 100000), one curve per payload: fresh, forwarded, ua-parser-js, useragent, mobile-detect, platform, charset, content]
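The plot's point is that most sites accept headers far larger than any header parser needs. As an added example (not from the talk or from any of the modules it names), here is an Express-style middleware that caps header values before header-parsing modules ever run on them; the limits, the header names in the cap table and the fake req/res objects are constructed for this demo.

```javascript
// Added example (not from the talk): reject oversized header values with
// 431 Request Header Fields Too Large before they reach modules such as
// ua-parser-js or mobile-detect, so no regex is ever run on a huge input.
// All limits below are constructed for the demo; tune them to what the
// application actually needs.

const DEFAULT_MAX = 2048;          // constructed default: 2 KB per header value
const PER_HEADER_MAX = {           // constructed tighter caps for headers that get parsed
  'user-agent': 512,
  'x-forwarded-for': 256,
  'if-none-match': 256,
  'content-type': 256,
};

// Returns the name of the first header whose value exceeds its cap, or null.
// Node lower-cases incoming header names; repeated headers arrive as arrays.
function findOversizedHeader(headers, perHeader = PER_HEADER_MAX, defaultMax = DEFAULT_MAX) {
  for (const [name, value] of Object.entries(headers)) {
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    const limit = perHeader[name.toLowerCase()] ?? defaultMax;
    if (text.length > limit) return name;
  }
  return null;
}

// Express-style middleware factory: returns (req, res, next) => void.
function headerSizeGuard(options = {}) {
  const perHeader = options.perHeader ?? PER_HEADER_MAX;
  const defaultMax = options.defaultMax ?? DEFAULT_MAX;
  return function guard(req, res, next) {
    const bad = findOversizedHeader(req.headers, perHeader, defaultMax);
    if (bad !== null) {
      res.statusCode = 431; // Request Header Fields Too Large
      res.end(`header too large: ${bad}`);
      return;               // the route handler (and its parsers) never runs
    }
    next();
  };
}

// Minimal stand-in for Express's req/res so the guard can be exercised offline.
// Returns the status the client would see and whether the route was reached.
function runGuard(headers, options = {}) {
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let reachedHandler = false;
  headerSizeGuard(options)({ headers }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

// Demo: a normal browser User-Agent passes; a 20,000-character one is stopped
// at the guard, long before mobile-detect or ua-parser-js would see it.
console.log(runGuard({ 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) Firefox/61.0' }));
console.log(runGuard({ 'user-agent': 'a'.repeat(20000) }));
```

Node's own `--max-http-header-size` flag bounds the whole header block at the HTTP parser; a per-header cap like this one adds the tighter, application-specific limit that the plot suggests most sites lack.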
17/18
Defenses (2)
Linear time matching algorithms / hybrid: Rust programming language
Timeout on matching regular expressions: [Davis et al., USENIX Security, 2018], .NET framework
Tooling support for identifying ReDoS: Java programming language [Wustholz et al., TACAS, 2017]
18/18
Conclusions
ReDoS is a widespread problem in npm modules
Npm module vulnerabilities can be exploited in live websites
11% of websites using Express are vulnerable to ReDoS
ReDoS vulnerabilities can be used to fingerprint web servers
More tools are needed to mitigate the ReDoS risk
![Page 66: Freezing the Web: A Study of ReDoS Vulnerabilities in ......using Node.js ReDoS analysis of websites Payloads using HTTP requests List of vulner-able websites (Phase 3) Local machines](https://reader034.fdocuments.us/reader034/viewer/2022052014/602b4fec9066da59bc5f94e0/html5/thumbnails/66.jpg)
Is Response Time a Good Estimator?
[Backup slide: scatter plot of response time (ms), 50 to 500, against local matching time (ms), 0 to 450]
![Page 67: Freezing the Web: A Study of ReDoS Vulnerabilities in ......using Node.js ReDoS analysis of websites Payloads using HTTP requests List of vulner-able websites (Phase 3) Local machines](https://reader034.fdocuments.us/reader034/viewer/2022052014/602b4fec9066da59bc5f94e0/html5/thumbnails/67.jpg)
Popularity of Vulnerable Websites
[Backup slide: chart of the number of vulnerable websites (0 to 350) per popularity ranking bucket (0 to 900,000)]
![Page 68: Freezing the Web: A Study of ReDoS Vulnerabilities in ......using Node.js ReDoS analysis of websites Payloads using HTTP requests List of vulner-able websites (Phase 3) Local machines](https://reader034.fdocuments.us/reader034/viewer/2022052014/602b4fec9066da59bc5f94e0/html5/thumbnails/68.jpg)
Dimensioning Payloads
Payload size needed to reach each target matching time (P1 to P5):

| Module | P1 (100ms) | P2 (200ms) | P3 (500ms) | P4 (1s) | P5 (2s) |
|---|---|---|---|---|---|
| fresh | 12,000 | 17,000 | 27,000 | 37,500 | 53,500 |
| forwarded | 12,000 | 17,000 | 26,500 | 38,000 | 53,500 |
| useragent | 500 | 650 | 925 | 1,150 | 1,450 |
| ua-parser-js | 38 | 39 | 40 | 41 | 42 |
| mobile-detect | 10,500 | 15,500 | 25,000 | 36,500 | 50,500 |
| platform | 7,500 | 11,000 | 17,500 | 25,000 | 34,500 |
| charset | 10,500 | 15,500 | 24,000 | 34,000 | 48,000 |
| content | 8,000 | 11,000 | 18,000 | 25,500 | 35,500 |