-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update README.md #73
Update README.md #73
Conversation
Robocop Report : 13 new vulnerabilities foundName : Web Browser XSS Protection Not Enabled Name : X-Content-Type-Options Header Missing Name : X-Frame-Options Header Not Set Name : Regular Expression Denial of Service (DoS) The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach edge cases that causes them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service. An attacker can provide a long url, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack). You can read more about References
Name : Timing Attack The library implemented a character to character comparison, similar to the built-in string comparison mechanism, You can read more about timing attacks in Node.js on the Snyk blog. RemediationUpgrade ReferencesName : Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service. You can read more about RemediationUpgrade ReferencesName : Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service. You can read more about RemediationUpgrade ReferencesName : Regular Expression Denial of Service (ReDoS) Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service. You can read more about RemediationUpgrade ReferencesName : Denial of Service (Memory Exhaustion) During parsing, the RemediationUpgrade qs to version 1.0.0 or greater. In these versions, qs introduced a low limit on the index value, preventing such an attack ReferencesName : Denial of Service (Event Loop Blocking) When parsing a string representing a deeply nested object, qs will block the event loop for long periods of time. Such a delay may hold up the server's resources, keeping it from processing other requests in the meantime, thus enabling a Denial-of-Service attack. RemediationUpdate qs to version 1.0.0 or higher. In these versions, qs enforces a max object depth (along with other limits), limiting the event loop length and thus preventing such an attack. ReferencesName : Prototype Override Protection Bypass By default From
Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more. In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with Example: qs.parse('toString=foo', { allowPrototypes: false })
// {}
qs.parse("]=toString", { allowPrototypes: false })
// {toString = true} <== prototype overwritten For more information, you can check out our blog. Disclosure Timeline
RemediationUpgrade ReferencesName : Remote Memory Exposure Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak. DetailsConstructing a var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100' Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request. Proof of conceptvar http = require('http')
var request = require('request')
http.createServer(function (req, res) {
var data = ''
req.setEncoding('utf8')
req.on('data', function (chunk) {
console.log('data')
data += chunk
})
req.on('end', function () {
// this will print uninitialized memory from the client
console.log('Client sent:\n', data)
})
res.end()
}).listen(8000)
request({
method: 'POST',
uri: 'http://localhost:8000',
multipart: [{ body: 1000 }]
},
function (err, res, body) {
if (err) return console.error('upload failed:', err)
console.log('sent')
}) RemediationUpgrade If a direct dependency update is not possible, use ReferencesName : Uninitialized Memory Exposure A possible memory disclosure vulnerability exists when a value of type This is a result of unobstructed use of the DetailsConstructing a In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100": // uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');
Proof of concept by ChALkeRrequire('request')({
method: 'GET',
uri: 'http://www.example.com',
tunnel: true,
proxy:{
protocol: 'http:',
host:"127.0.0.1",
port:8080,
auth:80
}
}); You can read more about the insecure Similar vulnerabilities were discovered in request, mongoose, ws and sequelize. RemediationUpgrade References |
No description provided.