Node.js Apps Vulnerable to ReDoS Attacks

Researchers found 25 previously unknown vulnerabilities in popular Node.js modules
21 August 2018

Researchers from the Darmstadt Technical University (Germany) have discovered 25 new vulnerabilities in Node.js modules. They expose web servers and applications to ReDoS attacks, causing a denial of service that lasts from a few seconds to a minute. Bleeping Computer reports this.

At the moment, there are 340 websites that contain at least one of the vulnerabilities.

ReDoS attacks (Regular Expression Denial of Service) exploit the poor performance of code that evaluates regular expressions. An attacker submits a large and complex piece of text to the server or application as input. If the components handling it were not specifically designed for such input, the resource or application freezes completely for as long as it takes to process that input.

Sending a few such inputs freezes the server for even longer.

Many programming languages and web services are vulnerable to this kind of attack. In the case of JavaScript the consequences are worse, because the language uses a single-threaded execution model in which requests are processed one after another. As a result, a ReDoS attack does not slow down one specific operation but blocks the entire server.
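As an added illustration (not code from the article or from the research team), the following Node.js script shows a regex with nested quantifiers that backtracks exponentially on a non-matching input, the single-quantifier pattern that accepts the same strings in linear time, and an input-length check that keeps oversized untrusted text away from the regex engine. The patterns and the MAX_LEN limit are assumptions chosen for the demonstration.

```javascript
// Added example (not the article's or the researchers' code): exponential
// backtracking versus a linear pattern, plus a length bound as mitigation.
// The patterns and MAX_LEN are illustrative assumptions.

// Vulnerable: (a+)+ lets the engine try every way of splitting a run of "a"s
// between the inner and outer quantifier before it finally gives up.
const VULNERABLE = /^(a+)+$/;
// Hardened: one quantifier matches the same language without backtracking.
const SAFE = /^a+$/;

// Time one regex.test() call with a high-resolution clock; returns { matched, ms }.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Run both patterns against a constructed non-matching input: n "a"s plus "!".
// The trailing "!" forces the vulnerable pattern to exhaust every split.
function compare(n) {
  const input = 'a'.repeat(n) + '!';
  return { n, vulnerable: timeMatch(VULNERABLE, input), safe: timeMatch(SAFE, input) };
}

// Mitigation: bound the input length before any regex runs, so the cost of
// processing stays proportional to a size the service chose, not the client.
const MAX_LEN = 100; // assumed limit; size it to the field being validated
function validateInput(s) {
  if (typeof s !== 'string' || s.length > MAX_LEN) return false;
  return SAFE.test(s);
}

// Each extra "a" roughly doubles the vulnerable time; the safe time stays flat.
for (const n of [12, 16, 20, 22]) {
  const r = compare(n);
  console.log(`n=${r.n}  vulnerable=${r.vulnerable.ms.toFixed(2)} ms  safe=${r.safe.ms.toFixed(3)} ms`);
}
```

On a single-threaded Node.js server the vulnerable call blocks the event loop for its whole duration, which is why the article describes the entire server, not one operation, as frozen.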

ReDoS attacks have been known since 2012, but at that time JavaScript, and Node.js in particular, was not widely used in web development, so the problem was ignored for more than five years.

The researchers published a list of modules in which at least one of the previously unknown vulnerabilities was detected:

[Figure: Vulnerable modules]

They reported the issues to the developers of the npm modules and published a proof-of-concept exploit for each of them on GitHub. The researchers also built a tool that can identify vulnerable sites without carrying out a full-fledged attack. In this way 339 resources were found, 12% of all those based on Node.js.

Frontend News Digest 12 - 18.10

Building command line spinners in Node.js, the perfect architecture for your next Node project and Zero update in this issue of Frontend News Digest
18 October 2019

Greetings! I hope your week went great! Here's the new Frontend News Digest.

Another version of the super popular Node.js has been released; get the details below! You can also learn about Firefox's new WebSocket inspector and the WordPress update, and watch a video on how to build a classic layout fast in CSS Grid.

Guides

  • Build Command-Line Spinners in Node.js

Creating CLI spinners will improve your Node.js terminal skills.

Articles

  • Improving Form Controls in Microsoft Edge and Chromium 

The Chrome and Edge teams worked together on refreshing form controls in Chromium-based browsers; learn what they changed.

  • Firefox’s New WebSocket Inspector

An overview of Firefox's new WebSocket inspector, which will ship in Firefox 71 but is currently available only in Firefox Developer Edition.

  • The Perfect Architecture Flow for Your Next Node Project 

Best practices and architectural tips for your next Node project

  • Coloring Your Terminal Using Nodejs

Article on how coloring libraries like Chalk work under the hood.

Updates

  • WordPress 5.2.4 Release Addresses Several Security Issues

Information about the security fixes in the new WordPress release.

  • Node v12.12.0 (Current)

Another update of the popular JS runtime with some interesting changes: a --force-context-aware flag has been added to prevent addons that aren't context aware from being loaded; the fs module has gained opendir() and fs.Dir as ways to asynchronously iterate through directories; and JSON module support has been made experimental again, due to security concerns in the web-based implementation of the idea.

  • Zero

A graphics pipeline implemented in JavaScript and rendered to the terminal, which runs without requiring a GPU.

Video

  • Build a Classic Layout FAST in CSS Grid

Podcast

  • Jen Simmons on Browser Features 

A discussion between Jen Simmons, designer advocate at Mozilla, and the two hosts, Dave Rupert and Chris Coyier, about how new features get shipped in browsers and how you can bring your ideas to browser makers for consideration.