ABSTRACT
Node.js has seen rapid adoption in industry and the open-source community. Unfortunately, its event-driven architecture exposes Node.js applications to Event Handler Poisoning denial-of-service attacks. Our evaluation of the state of practice in Node.js (combining a study of 353 publicly reported security vulnerabilities and a survey of 151 representative npm modules) demonstrates that the community is not equipped to combat this class of attack. We recommend several changes to the state of practice and propose both programming-language and runtime approaches to defend against Event Handler Poisoning attacks.