  • Python tarfile infinite loop DoS

    July 2020
    The python tarfile module can end up in an infinite loop when opening maliciously malformed tar files. I came across Denial of Service bug bpo39017 when browsing the python bug tracker for security issues (I didn’t discover this bug myself). The error-reproducing zipfile the reporter uploaded is direct from the fuzzer, but I wanted to understand and isolate the issue by making the smallest tarfile which reproduces the bug…
  • SocketIO / EngineIO DoS

    May 2020
    Quite a while ago, I reported an application Denial of Service vulnerability in the Socket.IO / Engine.IO parser implementations in nodejs and python. A single HTTP POST request can cause extreme CPU and memory usage, but in nodejs, a single HTTP POST request can even kill the server with a Javascript heap out of memory fatal error…
  • Two REDoS vulns in cpython

    November 2019
    I ran my top-secret REDoS-finding engine over the python code in cpython and found two remotely-exploitable vulnerabilities. Making a request to a malicious web server leads to denial of service (approximately infinite CPU time)…
  • What The Fuzz

    January 2019
    I wrote a blog post about my experiences fuzz-testing external and internal APIs, and covered some python and Postgres oddities…
  • Avoiding injection with taint analysis

    September 2018
    One simple way to improve the robustness of any code base is static analysis. It’s not widely used because it carries a (regrettably well-deserved) reputation for being a noisy, blunt instrument, but with small tweaks static analysis can become part of the common development process. In this post, I will explain how we use it to improve the security of our code…

[blog by caller] Correspondence welcome at ℬ㏒ {@} ㎈ℓℯℛ.ⓧⓨℤ