
Freezing the Web: A Study of ReDoS Vulnerabilities in - PowerPoint PPT Presentation



  1. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers
     Cristian-Alexandru Staicu, Michael Pradel, TU Darmstadt, www.software-lab.org
     15th August 2018

  2. Regular Expression Denial of Service (ReDoS)
     input: "Lorem ipsum"
     input.match(regexp);
     processing time: O(1)
     input: "ăóÁś" x 1000
     processing time: O(n^x), x > 1
     1/18

  3. This Talk
     ReDoS affects libraries: we identify 25 vulnerabilities in popular npm modules
     ReDoS affects websites: hundreds of live websites are vulnerable
     Novel methodology: library vulnerability → website vulnerability
     2/18

  4. Backtracking-based Matching
     var regEx = /^a*a*b$/;
     [Figure: NFA for the regular expression, with ε-transitions between states 3–7 (first a*) and states 8–11 (second a*), followed by b into the accept state]
     input: "ab"
     input: "aab"
     input: "aaaaaaaaaaaaaaaaaaaa"
     3/18
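The /^a*a*b$/ slide worked through in code. This is an added example, not code from the talk: a minimal backtracking matcher for the regex subset the slide uses (literal characters and `*`, anchored at both ends like `^...$`) that counts every attempt, so the cost of the slide's three inputs can be compared without timing anything. The function names (parse, matchHere, matchWithSteps, rejectionSteps) are this example's own.

```javascript
// Added example (not from the talk): a tiny backtracking matcher with a step
// counter, covering only literals and "*", implicitly anchored at both ends.

// Parse a pattern such as "a*a*b" into tokens { ch, star }.
function parse(pattern) {
  const tokens = [];
  for (let i = 0; i < pattern.length; i++) {
    const star = pattern[i + 1] === '*';
    tokens.push({ ch: pattern[i], star });
    if (star) i++; // skip the "*"
  }
  return tokens;
}

// Match tokens[ti..] against input[pos..]. Every call is one attempt of the
// matcher, so counter.steps is the number of backtracking steps taken.
function matchHere(tokens, ti, input, pos, counter) {
  counter.steps++;
  if (ti === tokens.length) return pos === input.length; // "$" anchor
  const tok = tokens[ti];
  if (tok.star) {
    // Greedy: consume as many tok.ch as possible, then give back one at a time.
    let end = pos;
    while (end < input.length && input[end] === tok.ch) end++;
    for (let p = end; p >= pos; p--) {
      if (matchHere(tokens, ti + 1, input, p, counter)) return true;
    }
    return false;
  }
  if (pos < input.length && input[pos] === tok.ch) {
    return matchHere(tokens, ti + 1, input, pos + 1, counter);
  }
  return false;
}

// Run a match and report whether it succeeded and how many steps it took.
function matchWithSteps(pattern, input) {
  const counter = { steps: 0 };
  const matched = matchHere(parse(pattern), 0, input, 0, counter);
  return { matched, steps: counter.steps };
}

// Steps needed to reject n copies of "a" with no trailing "b": every split of
// the a's between the two a* groups is tried, so this grows as O(n^2).
function rejectionSteps(n) {
  return matchWithSteps('a*a*b', 'a'.repeat(n)).steps;
}
```

Doubling the length of the rejected input roughly quadruples the step count, which is the growth the slide's last input is meant to show.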

  5. Overview
     Phase 1, ReDoS analysis of libraries: npm modules → module-level vulnerabilities
     Phase 2, exploit creation: usage scenarios → payloads using HTTP requests
     Phase 3, ReDoS analysis of websites: list of websites using Node.js → list of vulnerable websites
     Phases 1 and 2 run on local machines; Phase 3 probes live websites.
     4/18

  6. Setup
     measure in a single-instance setup
     manually analyze popular packages (fifth most-depended-upon npm package)
     analyze 2,800 websites from the Top 1 million
     5/18

  7. Node.js Particularities
     [Figure: events e1, e2, e3, ... are handled by the event loop (JS code), which runs Regex.match() and the callbacks; blocking I/O (file system, network) is delegated to workers]
     6/18

  8. Node.js Particularities (2)
     [Figure: a Node.js application assembled from modules such as a templates engine, a strings utility, a headers parser and DB access, one of which is the vulnerable module]
     7/18

  9. Ethical Considerations
     Few payloads: 80 requests in total
     Iterative probing: most websites use redundancy
     Safety mechanism: stop after timeout or error
     Vulnerability disclosure: the majority of them have been fixed
     8/18

  10. Phase 1: Npm Analysis
     Criterion for vulnerable libraries: we consider a module to be vulnerable iff we find an input that is at most 80,000 characters long whose matching time takes more than 5 seconds.
     Manual analysis of regular expressions and information flow
     Manually written exploits
     9/18
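The Phase 1 criterion applied with a real JavaScript regex engine, as an added example that is not part of the talk's tooling: input sizes are probed geometrically up to the 80,000-character bound and the regex is flagged as soon as one match exceeds the 5-second budget. The function names, the probing schedule and the use of the earlier slide's /^a*a*b$/ as the probed regex are this example's assumptions.

```javascript
// Added example (not from the talk): a harness for the Phase 1 criterion,
// "vulnerable iff some input of at most 80,000 characters takes more than
// 5 seconds to match", using the engine's own regex.test.
const MAX_INPUT_LENGTH = 80000; // bound from the talk's criterion
const TIME_BUDGET_MS = 5000;    // budget from the talk's criterion

// Time a single regex.test call, in milliseconds.
function timeMatch(regex, input) {
  const start = performance.now();
  regex.test(input);
  return performance.now() - start;
}

// The decision rule on its own, so it can be checked against recorded
// measurements without re-running a multi-second match.
function meetsCriterion(inputLength, matchMs,
                        maxLen = MAX_INPUT_LENGTH, budgetMs = TIME_BUDGET_MS) {
  return inputLength <= maxLen && matchMs > budgetMs;
}

// Probe sizes start, 2*start, 4*start, ... up to maxLen. Returns the first
// size that breaks the budget, or null when none within the bound does.
function findSlowInput(regex, makeInput,
                       { maxLen = MAX_INPUT_LENGTH, budgetMs = TIME_BUDGET_MS,
                         start = 1000 } = {}) {
  for (let n = start; n <= maxLen; n *= 2) {
    const ms = timeMatch(regex, makeInput(n));
    if (meetsCriterion(n, ms, maxLen, budgetMs)) return { length: n, ms };
  }
  return null;
}

// Inputs that the quadratic regex from the backtracking slide must reject:
// n copies of "a" and no "b", so both a* groups are backtracked through.
function rejectingAs(n) {
  return 'a'.repeat(n);
}
```

With the full bound a quadratic regex such as /^a*a*b$/ can keep the engine busy for tens of seconds on a laptop, which is exactly what the criterion is designed to surface; a linear regex such as /^a+b$/ never reaches the budget.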

  11. Phase 1: Vulnerable Regular Expressions
     25 ReDoS vulnerabilities
     13 advisories
     One bug bounty
     Example 1: content
       /^([^\/]+\/[^\s;]+)(?:(?:\s*;\s*boundary=(?:"([^"]+)"|([^;"]+)))|(?:\s*;\s*[^=]+=(?:(?:"(?:[^"]+)")|(?:[^;"]+))))*$/i
     Example 2: ua-parser-js
       /ip[honead]+(.*os\s([\w]+)*\slike\smac|;\sopera)/
     10/18

  12. Phase 2: HTTP-level Payload Creation
     Local Node.js installation
     For each payload, create a usage scenario:
       var MobileDetect = require("mobile-detect");
       var headers = req.headers["user-agent"];
       var md = new MobileDetect(headers);
       md.phone();
     For each scenario, create HTTP-level payloads
     In total 8 payloads corresponding to 8 popular modules
     11/18

  13. Phase 2: Input Dependency
     [Plot: matching time (ms, 0–2000) against input size (number of characters, 0–70,000) for the modules charset, fresh, forwarded, content, mobile-detect, platform, ua-parser-js and useragent]
     12/18

  14. Phase 3: Websites Analysis
     [Figure: two payloads, P1 (100 ms) and P2 (200 ms), each checked against response-time thresholds of 3x and 5x]
     13/18
