Node.js Apps Vulnerable to ReDoS Attacks

Researchers found 25 previously unknown vulnerabilities in popular Node.js modules
21 August 2018

Researchers from the Darmstadt Technical University (Germany) discovered 25 new vulnerabilities in popular Node.js modules. They expose web servers and applications to ReDoS attacks, causing a denial of service that lasts from a few seconds to a minute. This was reported by Bleeping Computer.

At the moment, there are 340 websites that contain at least one of the vulnerabilities.

ReDoS (Regular Expression Denial of Service) attacks exploit performance weaknesses in code that works with regular expressions. An attacker can submit a large and complex piece of text to the server or application as input. If the service components are not specifically designed to handle such input, the resource or application freezes completely for as long as it takes to process it.

Sending a few such packets leads to a longer "freeze" of the server.

Many programming languages and web services are vulnerable to this kind of attack. In the case of JavaScript the consequences are worse, because the language uses a single-threaded execution model in which requests are processed one at a time. As a result, a ReDoS attack does not slow down one specific operation but blocks the entire server.
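The blocking effect described above, as an added example that is not from the article or the researchers: a validator with nested quantifiers beside an unambiguous rewrite, run through a model of strictly sequential request handling. The patterns, the 256-character cap, the sample inputs and the `serve` helper are all constructed for illustration.

```javascript
// Added example; patterns, inputs and the 256-character cap are assumptions.
// Vulnerable: the nested quantifier lets the engine split a run of word
// characters between loop iterations in exponentially many ways, and it
// tries all of them before reporting "no match".
const vulnerable = (s) => /^(\w+\s?)+$/.test(s);

// Hardened: accepts the same strings (up to the cap) with an unambiguous
// pattern, and rejects oversized input before the regex engine sees it.
const hardened = (s) => s.length <= 256 && /^\w+(\s\w+)*\s?$/.test(s);

// Model of a single-threaded server: requests are handled strictly in turn,
// so each one completes only after everything queued ahead of it.
function serve(validate, queue) {
  const start = process.hrtime.bigint();
  return queue.map((body) => {
    const ok = validate(body);
    const doneMs = Number(process.hrtime.bigint() - start) / 1e6;
    return { ok, doneMs };
  });
}

// Constructed input: 24 word characters followed by one character that
// forces the overall match to fail, then an ordinary request behind it.
const crafted = 'a'.repeat(24) + '!';
const queue = [crafted, 'hello world'];

// Runs the same two-request queue through both validators.
function compare() {
  return { before: serve(vulnerable, queue), after: serve(hardened, queue) };
}

const r = compare();
console.log('ordinary request completed after (vulnerable):',
  r.before[1].doneMs.toFixed(1), 'ms');
console.log('ordinary request completed after (hardened):  ',
  r.after[1].doneMs.toFixed(1), 'ms');
```

The ordinary request is cheap in both runs; what changes is how long it waits behind the rejected one, which is the single-threaded effect the article describes.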

ReDoS attacks became known in 2012, but at the time JavaScript, and Node.js specifically, wasn't widely used in web development, so the problem was ignored for more than five years.

The researchers gave a list of modules in which at least one of the previously unknown vulnerabilities was detected:

[Image: Vulnerable modules]

They reported the issues to the developers of the npm modules and published a proof-of-concept exploit for each of them on GitHub. The researchers also created a tool that can identify vulnerable sites without conducting a full-fledged attack. With it, 339 sites were found, 12% of all those based on Node.js.

BIF-2018 to be Held This Week

Representatives of the IT community will gather again in the Belgorod Philharmonic to discuss prospects for the development of the IT industry and modern trends in digital solutions
10 September 2018

On September 15, Belgorod will host the second IT-forum, which will bring together more than a thousand participants from different regions of the country. As in the past year, the central part of the event will be held in the Belgorod Philharmonic.

[Image: BIF-2017]

The primary goal of the forum is to show that it is possible to work in our region and at the same time create products that will be relevant all over the world. And every year it becomes easier. In IT there are no boundaries, they exist only in the minds, but these borders can also be erased, and this is how the forum helps. At such events, teams from different cities are formed and they can create joint products.

 

Yevgeny Miroshnikov

Head of the department of information technologies and communications of the regional governor's administration

The educational program has changed this year in the format of the presentations and the length of the speeches. Participants can now dive into a topic in a shorter time. The program is almost complete: representatives of VKontakte, GetTaxi, Sberbank-Technologies, Alfa-Bank, Dodo Pizza, the Internet Initiatives Development Fund and many other companies will make presentations.

Last year, the forum participants wondered why there was no design course. Indeed, there were only a couple of reports from designers in the digital section. We heed the wishes of the participants and this year we are preparing a full-fledged direction in design, inviting experts working on projects in Artemiy Lebedev's studio, Alfa Bank and other top technological companies.

 

Dmitry Zadochin

Head of the IT Development Center of the Belgorod Informational Fund

In addition to design, the flexible project management methodologies Agile and Scrum will also be discussed in a separate area. There is also a separate section for civil servants dedicated to smart cities.

There is today much talk about smart cities and how information technologies change different spheres of life. At the same time, "smart city" is a collective concept, because there is no clear definition of what it is. At a particular section of the Smart City Day, we'll talk about what technologies help make the life of the city better. The main areas will be health, transportation, and culture.

 

Yevgeny Miroshnikov

Head of the department of information technologies and communications of the regional governor's administration

Yevgeny also added that there is an ambitious state-level goal for smart roads: the number of road deaths must be zero. A council under the governor for innovative technological development is planned to be held at the forum, where applied solutions for making the roads safe will be presented. There are already unique developments in Belgorod that will soon be announced.

After the educational program ends, a concert wind orchestra led by Yuri Merkulov will perform for the forum participants. An afterparty will follow the symphony concert in one of the city's restaurants.

The event will begin at 10:00 with a panel discussion, after which the speeches will start in five sections.
