https://github.com/mureinik/loop-li-loop
A repo with the demos and benchmarks from my talk This DoS Goes Loop-di-Loop.
- Host: GitHub
- URL: https://github.com/mureinik/loop-li-loop
- Owner: mureinik
- License: mit
- Created: 2021-01-06T21:31:43.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2025-12-28T20:49:39.000Z (6 months ago)
- Last Synced: 2025-12-31T13:01:56.116Z (6 months ago)
- Topics: appsec, dos-attack, node-js
- Language: JavaScript
- Homepage:
- Size: 12.7 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
# This DoS Goes Loop-di-Loop
A repo with the demos and benchmarks from my talk This DoS Goes Loop-di-Loop, which was featured in [several conferences](./CONFERENCES.md).
## Warning
These demos contain **intentionally vulnerable code**.
Do not run any of them on a machine which can be accessed by external users.
## Installation
Clone the repository:
```
git clone https://github.com/mureinik/loop-li-loop.git
```
Install the dependencies:
```
npm install
```
## Usage
- `lib`: Contains the demos. Each of these files is a standalone mini-application that can be run independently:
  - JSON example:
    ```
    node demo-json.js
    ```
    Then hit the endpoint with a POST request:
    ```
    curl -X POST -H "Content-Type: application/json" -d '{"key1": "value1", "key2": "value2"}' http://localhost:3000/json
    ```
  - XML example:
    ```
    node demo-xml.js
    ```
    Then hit the endpoint with a POST request:
    ```
    curl -X POST -H "Content-Type: application/xml" -d '' http://localhost:3000/xml
    ```
  - YAML example (mentioned but not discussed deeply in the talk):
    ```
    node demo-yaml.js
    ```
    Then hit the endpoint with a POST request:
    ```
    curl -X POST -d $'line0: &line0 [\"line0\"]\nline1: &line1 [\"line1\"]' http://localhost:3000/yaml
    ```
  - ReDoS example:
    ```
    node demo-redos.js
    ```
    Then hit the endpoint with a GET request (the URL is quoted so the shell does not treat `&` as a background operator):
    ```
    curl 'http://localhost:3000/regexp?regexp=a%2B&text=aaaa'
    ```
  - Storage example:
    ```
    node demo-storage.js
    ```
    Then hit the endpoint with a GET request:
    ```
    curl http://localhost:3000/lorem
    ```
- `benchmark`: Contains scripts to benchmark the issues demonstrated in the talk. Each of these scripts can be run independently and will dump a tab-separated result to the standard output. It's recommended to redirect the output to a file:
  ```
  node <benchmark-script> > /tmp/benchmark.tsv
  ```