Title: A Class of Software-Layer DoS Attacks in Node.js Web Apps
Author: Tuong Phi Lau
Published in: 2022 6th International Conference on Cryptography, Security and Privacy (CSP)
Publication date: 2022-01-01
DOI: https://doi.org/10.1109/CSP55486.2022.00028
Citations: 0
Abstract
Application-level DoS attacks are occurring more frequently and pose increasingly serious threats. Such attacks can be performed advantageously against node.js web apps, because these apps are built from third-party npm packages. Adversaries may inject malicious data into the client requests they submit to a victim server. That data may then manipulate program state so that the malicious input reaches sensitive APIs that perform long-running operations and reside in npm modules required by the node.js web app. Once a sensitive API (e.g. pattern matching) can be called with a hard-to-match input string, it can degrade the throughput of the web server's worker pool and interrupt the web services accessed by Internet users. This attack vector is defined as Module-driven DoS (MDoS). This paper presents a class of software-level DoS, the so-called MDoS, and an automated approach that implements inter-modular analysis to detect vulnerable npm modules exploitable for these vulnerabilities. The proposed method is evaluated on a dataset of 17,000 modules downloaded from the npm ecosystem. As a result, the automated analysis flagged 355 vulnerable modules. Manual code inspection found 237 true positives of 35 exposed to MDoS, including 214 modules exploitable for launching ReDoS and the remaining 23 suspected of enabling ReadDoS attacks indirectly.