Web applications and web servers using JavaScript are vulnerable to a specific type of attack known as a Regex Denial of Service (ReDoS). The attacker usually sends a large regular expression to a JavaScript web-based application. If the application is not designed to handle such cases, the attacker can freeze it while it consumes resources trying to analyse the pattern.
Why can ReDoS do a lot of damage to JS web servers?
The single-threaded, event-loop-based model of JavaScript makes ReDoS a higher-priority issue than in other programming languages, since every request to the server is handled by a single thread. With a ReDoS attack, one request occupies this single thread and ends up clogging the entire server.
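The blocking behaviour described above, as an added example that is not code from the article or from the research it cites: a pattern with nested quantifiers is timed against a single-quantifier rewrite that accepts the same strings, with a length cap in front. The patterns, `MAX_LEN` and all function names are constructed for illustration.

```javascript
// Added example: the patterns, limit and function names are constructed.

// Vulnerable: a quantified group whose body is itself quantified. When the
// input cannot match, the engine tries every way of splitting the run of
// letters between the inner and outer "+" before it gives up.
const VULNERABLE = /^([a-z]+)+$/;

// Hardened: accepts exactly the same strings with one quantifier, so a
// failed match is decided in a single linear pass.
const HARDENED = /^[a-z]+$/;

// Assumed application limit: reject oversized input before any regex runs.
const MAX_LEN = 64;

function isValidName(input, pattern = HARDENED) {
  if (typeof input !== 'string' || input.length > MAX_LEN) return false;
  return pattern.test(input);
}

// Time one synchronous match. While test() runs, the single thread cannot
// serve any other request.
function timeMatch(pattern, input) {
  const start = performance.now();
  const matched = pattern.test(input);
  return { matched, ms: performance.now() - start };
}

// Constructed near-miss input: n valid characters, then one invalid one.
function nearMiss(n) {
  return 'a'.repeat(n) + '!';
}

// Compare both patterns on growing inputs; sizes are kept small on purpose.
function compare(sizes = [14, 18, 22]) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: timeMatch(VULNERABLE, nearMiss(n)).ms,
    hardenedMs: timeMatch(HARDENED, nearMiss(n)).ms,
  }));
}

console.table(compare());
```

In the printed table the vulnerable column grows roughly exponentially with `n`, while the hardened column stays flat.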
ReDoS attacks have been gaining momentum as most applications nowadays use JavaScript in some form or another, and this issue went unnoticed for over half a decade. A research paper published in 2017 showed that more than 5% of the total vulnerabilities noticed in Node.js are ReDoS vulnerabilities. The latest results show that ReDoS attacks are gaining momentum in the JavaScript community because the issue has been left unaddressed for so many years.
Two researchers from the University of Darmstadt, Germany, Cristian Alexandru Staicu and Michael Pradel, found 25 previously unknown vulnerabilities in Node.js modules.
The exploit packages may cause vulnerable systems to freeze for a number of minutes when the server tries to match the pattern in the regular expression in order to decide what to do with the sent payload.
How many libraries were affected?
The researchers scanned 2,846 popular Node.js libraries; over 300 of them were found to contain ReDoS vulnerabilities.
“ReDoS poses a serious threat to the availability of these sites,” the research team said. “Our results are a call-to-arms for developing techniques to detect and mitigate ReDoS vulnerabilities in JavaScript.”