--- name: dos-resource-exhaustion description: Find denial of service vulnerabilities through resource exhaustion, algorithmic complexity, memory exhaustion, and file/network resource abuse. Use when auditing code for availability issues. --- # DoS & Resource Exhaustion Audit ## Purpose Identify denial of service vulnerabilities including resource exhaustion, algorithmic complexity attacks (ReDoS), memory exhaustion, and unbounded operations. ## Focus Areas - **ReDoS**: Regular expressions with catastrophic backtracking - **Memory Exhaustion**: Unbounded allocations, missing limits - **CPU Exhaustion**: Algorithmic complexity, nested loops - **File Descriptor Exhaustion**: Unclosed handles, connection leaks - **Zip Bombs**: Decompression bombs, XML bombs ## Critical Patterns ### ReDoS (Regular Expression DoS) ```javascript // VULNERABLE - catastrophic backtracking const regex = /^(a+)+$/; // "aaaaaaaaaaaaaaaaaaaaaaaaaaa!" = DoS const regex = /([a-zA-Z]+)*$/; // Nested quantifiers // SECURE - linear time regex const regex = /^a+$/; // No nested quantifiers ``` ### Unbounded Memory Allocation ```rust // VULNERABLE - user controls allocation size let size: usize = request.get("size").parse()?; let buffer = vec![0u8; size]; // size = 10GB = OOM // SECURE - bounded allocation const MAX_SIZE: usize = 10 * 1024 * 1024; // 10MB let size: usize = request.get("size").parse()?.min(MAX_SIZE); ``` ### Unbounded Loops ```python # VULNERABLE - user controls iteration count count = int(request.args.get('count')) for i in range(count): # count = 10^15 = CPU DoS process() # SECURE - bounded iteration MAX_COUNT = 10000 count = min(int(request.args.get('count')), MAX_COUNT) ``` ### Missing Timeouts ```go // VULNERABLE - no timeout resp, err := http.Get(userProvidedURL) // SECURE - with timeout client := &http.Client{Timeout: 10 * time.Second} resp, err := client.Get(userProvidedURL) ``` ## Output Format ```yaml findings: - title: "ReDoS in email validation regex" severity: high attack_scenario: "Attacker sends crafted email string causing regex backtracking" preconditions: "None - public endpoint" reachability: public impact: "Service unavailability, CPU exhaustion" confidence: high cwe_id: "CWE-1333" affected_assets: - "/api/register" - "src/validation.rs:15" taint_path: "request.email -> regex.match() -> CPU exhaustion" ``` ## Audit Checklist ### Input Validation ``` [ ] Maximum string length enforced [ ] Maximum array/list size enforced [ ] Maximum recursion depth [ ] Maximum request body size [ ] Maximum file upload size [ ] Maximum JSON depth ``` ### Resource Management ``` [ ] Memory allocation bounded [ ] File descriptors closed [ ] Database connections pooled/limited [ ] HTTP client timeouts set [ ] Request timeouts configured [ ] Rate limiting implemented ``` ### Regex Safety ``` [ ] No nested quantifiers: (a+)+, (a*)* [ ] No overlapping alternation: (a|a)+ [ ] No backreferences in alternation [ ] Use possessive quantifiers where available: a++ [ ] Use atomic groups: (?>...) ``` ## Attack Vectors ### Billion Laughs (XML) ```xml ... ]> &lol9; ``` ### Zip Bomb ``` # 42.zip: 42KB compressed → 4.5PB decompressed # Defense: Check decompressed size before full extraction ``` ### Hash Collision DoS ``` # Craft keys that hash to same bucket # O(n) lookup becomes O(n^2) # Defense: Use randomized hash functions ``` ## Severity Guidelines | Issue | Severity | |-------|----------| | ReDoS on public endpoint | High | | Unbounded memory allocation | High | | XML/Zip bomb vulnerability | High | | Missing request timeout | Medium | | Hash collision possible | Medium | | Unbounded loop (authenticated) | Medium | | Missing rate limiting | Low-Medium | ## KYCo Integration Register DoS/resource exhaustion findings: ### 1. Check Active Project ```bash kyco project list ``` ### 2. Register Finding ```bash kyco finding create \ --title "ReDoS in email validation regex" \ --project PROJECT_ID \ --severity high \ --cwe CWE-1333 \ --attack-scenario "Attacker sends crafted email string causing regex backtracking" \ --impact "Service unavailability, CPU exhaustion" \ --assets "/api/register,src/validation.rs:15" ``` ### 3. Import Scanner Results ```bash # Import semgrep ReDoS findings semgrep --config p/security-audit --sarif -o semgrep.sarif . kyco finding import semgrep.sarif --project PROJECT_ID ``` ### Common CWE IDs for DoS - CWE-1333: Inefficient Regular Expression Complexity (ReDoS) - CWE-400: Uncontrolled Resource Consumption - CWE-770: Allocation of Resources Without Limits - CWE-776: Improper Restriction of XML External Entity Reference (XXE bomb) - CWE-409: Improper Handling of Highly Compressed Data (zip bomb)