DEV Community

Discussion on: 7 security tips for your React application. 🔐

Jodi Winters

Oh, I think I'm starting to understand your point of view: DDoS attacks from your React app because it's been subverted. It's just a little odd because I don't see points 2-4 from that section being anything to do with DDoS'ing.
Am I correct in thinking that in point #3 you mean URLs that the client can call should originate from the server and not be dynamically generated in the client? This is to avoid things like erroneous values causing ReDoS.
It also occurred to me that you don't mention CSP, which would be a very good technique for reducing the chance of invasive XSS via external script calls.

Vaibhav Khulbe

I don't know much about ReDoS, and the same goes for CSP; that's why I didn't write about these. But thanks for your information, people will definitely learn something cool!

Jodi Winters

ReDoS is where you exploit a regex (and these are often used for validation, which can be worrying when it's cited as a way of preventing attacks!) that causes an exponential processing loop that slows the server down (mitigating that with rate limiting makes sense).
CSP is where you add headers from the server to indicate to the browser what kind of resources, and from where, are allowed to be loaded onto the page. Content from any place not explicitly mentioned is blocked. Helps with things like defacing too.
Thanks for writing about this anyway, more awareness of security issues is always good, and it's not an easy topic to write about.

Vaibhav Khulbe

Ah, I see. Will look into these two in future. Thanks for writing about this :)

And yes, it's quite challenging... 🥴