Скачать или смотреть Exploiting Code Vulnerabilities: Triggering DOS Attacks in Popular Software - DevConf.IN 2025

Speaker Name: Suyash Nalwade and Satish Mane
---
We will explore and demonstrate various code vulnerabilities that attackers can exploit to trigger denial-of-service (DoS) conditions in widely-used software components. Through a series of real-world examples, we will demonstrate the mechanics behind these vulnerabilities and their potential impact on system stability and availability.

The presentation will cover a range of attack vectors, including:
Python setuptools (before 65.5.1): Remote attackers can exploit crafted HTML in a package or custom PackageIndex page to cause a DoS.
Node.js HTTP/2 server: A small amount of malformed HTTP/2 frame packets can make the server completely unavailable, causing significant disruptions in service.
REXML: The Ruby XML toolkit, prior to version 3.3.9, contains a ReDoS vulnerability where excessive digits in hex numeric character references lead to resource exhaustion during XML parsing.
Varnish Cache: Versions before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS) are vulnerable to a Broke Window Attack, where credits exhaustion in the HTTP/2 connection control flow can be leveraged for DoS attacks.
libexpat (through 2.5.0): A resource consumption vulnerability exists when multiple reparsings are triggered for large tokens, leading to system unavailability.

Each case study will include a technical breakdown of the exploit chain, potential mitigation strategies, and how developers can safeguard their systems against similar vulnerabilities. Attendees will gain a deeper understanding of how attackers exploit weak points in code to trigger service disruptions and the necessary precautions to prevent such attacks from impacting production environments.
---

Slides and resources:
https://pretalx.devconf.info/devconf-...