Node.js Apps Vulnerable to ReDoS Attacks

Researchers found 25 previously unknown vulnerabilities in popular Node.js modules
21 August 2018

Researchers from the Darmstadt Technical University (Germany) discovered 25 new vulnerabilities in Node.js modules. They expose web servers and applications to ReDoS attacks, causing denial of service lasting from a few seconds to a minute. This is reported by Bleeping Computer.

At the moment, there are 340 websites that contain at least one of the vulnerabilities.

ReDoS attacks (Regular Expression Denial of Service) exploit the poor performance of code that evaluates regular expressions. An attacker submits a large and complex piece of text to the server or application as input. If the service components are not specifically designed to handle such input, the resource or application freezes completely for as long as it takes to process it.

Sending a few such packets leads to a longer "freeze" of the server.

Many programming languages and web services are vulnerable to such an attack. In the case of JavaScript, the consequences are worse because the language uses a single-threaded execution model, in which requests are processed one after another. As a result, a ReDoS attack does not merely slow down one specific operation; it blocks the entire server.

ReDoS attacks became known in 2012, but at the time JavaScript, and specifically Node.js, was not widely used in web development, so the problem was ignored for more than five years.

The researchers published a list of modules in which at least one previously unknown vulnerability was detected:

Vulnerable modules

They reported the issues to the developers of the npm modules and published a proof-of-concept exploit for each of them on GitHub. The researchers also created a tool that can identify vulnerable sites without carrying out a full-fledged attack. With it, 339 resources were found, 12% of all those based on Node.js.

Frontend News Digest 21 - 27.03

Embrace modern image formats, how to indicate scroll position on a page with CSS, integrate TypeScript with GraphQL and more
27 March 2020

Greetings! I hope your week went great! Here's the new frontend technologies news digest.

Learn how to use the currentColor value in CSS, how to debug a child process in Node and Gatsby.js with Chrome, how to debug a Node.js application (tips, tricks and tools) and other cool, useful and in-demand things related to all parts of frontend development.

Guides

  • Embracing modern image formats

Learn how modern image formats and the <picture> element can reduce image sizes

  • How to use the currentColor value in CSS

A tutorial on a basic CSS feature, great for newbies

  • Indicating Scroll Position on a Page With CSS

This guide will teach you how to indicate scroll position, using only CSS

  • How to debug a child process in Node and Gatsby.js with Chrome

Learn how to patch the `jest-worker` package used by Gatsby.js so that child processes can be debugged with Chrome Dev Tools

  • Integrating TypeScript with GraphQL

Learn how to integrate TypeScript with GraphQL

  • How to Debug a Node.js Application: Tips, Tricks and Tools

Massive tutorial on Node app debugging, with tips that can be useful even for skilled developers

Articles

  • Full Third-Party Cookie Blocking and More (in Safari)

Safari’s Intelligent Tracking, which has been in beta for some time, introduces significant privacy changes, including cross-site cookies now being blocked by default

Video

  • The Complete AEA DC 2019 Now Online

A large number of interesting talks from the An Event Apart session, released as a special pack for you to stay home

Updates

  • uppload

JS image uploader with 30+ plugins 

  • Node-SQLite

SQLite client library for Node.js applications 

  • Backstage

Open platform for building developer portals