The python tarfile module can end up in an infinite loop when opening maliciously malformed tar files. I came across Denial of Service bug bpo39017 when browsing the python bug tracker for security issues (I didn’t discover this bug myself). The error-reproducing zipfile the reporter uploaded is direct from the fuzzer, but I wanted to understand and isolate the issue by making the smallest tarfile which reproduces the bug…

Quite a while ago, I reported an application Denial of Service vulnerability in the Socket.IO / Engine.IO parser implementations in nodejs and python. A single HTTP POST request can cause extreme CPU and memory usage, but in nodejs, a single HTTP POST request can even kill the server with a Javascript heap out of memory fatal error…

I ran my top-secret REDoS-finding engine over the python code in cpython and found two remotely-exploitable vulnerabilities. Making a request to a malicious web server leads to denial of service (approximately infinite CPU time)…

I wrote a blog post about my experiences fuzz-testing external and internal APIs, and covered some python and Postgres oddities…

One simple way to improve the robustness of any code base is static analysis. It’s not widely used because it carries a (regrettably well-deserved) reputation for being a noisy, blunt instrument, but with small tweaks static analysis can become part of the common development process. In this post, I will explain how we use it to improve the security of our code…