JavaScript Web Applications and Servers Vulnerable to ReDoS Attacks
JavaScript web applications and web servers are susceptible to a class of attack called regular expression (regex) denial of service (ReDoS). These vulnerabilities are triggered when an attacker sends a large amount of complex text to an open input on a JavaScript-based web server or application.
If the server component or application library is not specifically designed to handle various edge cases, the attacker's input ends up blocking the entire application or server for a few seconds or minutes at a time while the server analyzes and pattern matches the input.
Various programming languages and web server technologies have similar problems with the performance of pattern matching operations and ReDoS attacks, but the problem is exacerbated in JavaScript by the single-threaded execution model of most JavaScript servers, where every request is processed by the same thread.
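The blocking behaviour described above, shown as an added example that is not from the original article or from the researchers. The pattern, the 64-character limit and all function names are constructed for illustration; the example times a backtracking-prone pattern against an equivalent linear one on small inputs and shows a hardened validator.

```javascript
// Constructed demo pattern: nested quantifiers, so a backtracking engine may
// try every way of splitting a run of "a" between the inner and outer "+".
const VULNERABLE = /^(a+)+$/;
// Accepts exactly the same strings, with only one way to match each of them.
const LINEAR = /^a+$/;
// Assumed application limit for this field; cap length before matching.
const MAX_INPUT_LENGTH = 64;

// Milliseconds the calling thread spends inside one regex.test() call.
function matchTimeMs(regex, input) {
  const start = performance.now();
  regex.test(input);
  return performance.now() - start;
}

// Near-miss input: a run of "a" followed by one character that forces failure.
function nearMiss(n) {
  return "a".repeat(n) + "!";
}

// Time both patterns on growing near-miss inputs (sizes kept small on purpose).
function measure(sizes = [14, 18, 22]) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: matchTimeMs(VULNERABLE, nearMiss(n)),
    linearMs: matchTimeMs(LINEAR, nearMiss(n)),
  }));
}

// Hardened validator: bounded input length plus the linear-time pattern.
function isValid(input) {
  if (typeof input !== "string" || input.length > MAX_INPUT_LENGTH) return false;
  return LINEAR.test(input);
}

// While regex.test() runs, the event loop cannot serve any other request.
console.table(measure());
```

Each extra character roughly doubles the time spent in the vulnerable pattern, while the linear pattern stays flat; on a single-threaded server that time is taken from every other request.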
Follow-up research published in 2017 showed that 5% of the total number of vulnerabilities found in Node.js libraries and applications were ReDoS vulnerabilities. At a security conference last week, the ReDoS issue was brought to the forefront in the JavaScript community due to years of unresolved issues. Two academics from the Technical University in Darmstadt, Germany, Cristian-Alexandru Staicu and Michael Pradel, say they have found 25 previously unknown vulnerabilities in the popular Node.js module.
Staicu and Pradel say the main reason for these vulnerabilities is a lack of focus on regular expression matching performance, as most developers seem to be focused on accuracy, leaving plenty of holes in the code that attackers can exploit using ReDoS attacks.
After further research, the two devised a way to detect these vulnerabilities on live websites without using ReDoS exploit code. They used this approach to scan 2,846 popular Node.js-based sites, showing that 339 sites, or about 12 percent, were vulnerable to at least one ReDoS vulnerability. "ReDoS poses a serious threat to the usability of these sites, and we will develop techniques for detecting and mitigating ReDoS vulnerabilities in JavaScript," the research team said.