Claude-skill-registry dos-resource-exhaustion
Find denial of service vulnerabilities through resource exhaustion, algorithmic complexity, memory exhaustion, and file/network resource abuse. Use when auditing code for availability issues.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dos-resource-exhaustion" ~/.claude/skills/majiayu000-claude-skill-registry-dos-resource-exhaustion && rm -rf "$T"
manifest:
skills/data/dos-resource-exhaustion/SKILL.mdsource content
DoS & Resource Exhaustion Audit
Purpose
Identify denial of service vulnerabilities including resource exhaustion, algorithmic complexity attacks (ReDoS), memory exhaustion, and unbounded operations.
Focus Areas
- ReDoS: Regular expressions with catastrophic backtracking
- Memory Exhaustion: Unbounded allocations, missing limits
- CPU Exhaustion: Algorithmic complexity, nested loops
- File Descriptor Exhaustion: Unclosed handles, connection leaks
- Zip Bombs: Decompression bombs, XML bombs
Critical Patterns
ReDoS (Regular Expression DoS)
// VULNERABLE - catastrophic backtracking const regex = /^(a+)+$/; // "aaaaaaaaaaaaaaaaaaaaaaaaaaa!" = DoS const regex = /([a-zA-Z]+)*$/; // Nested quantifiers // SECURE - linear time regex const regex = /^a+$/; // No nested quantifiers
Unbounded Memory Allocation
// VULNERABLE - user controls allocation size let size: usize = request.get("size").parse()?; let buffer = vec![0u8; size]; // size = 10GB = OOM // SECURE - bounded allocation const MAX_SIZE: usize = 10 * 1024 * 1024; // 10MB let size: usize = request.get("size").parse()?.min(MAX_SIZE);
Unbounded Loops
# VULNERABLE - user controls iteration count count = int(request.args.get('count')) for i in range(count): # count = 10^15 = CPU DoS process() # SECURE - bounded iteration MAX_COUNT = 10000 count = min(int(request.args.get('count')), MAX_COUNT)
Missing Timeouts
// VULNERABLE - no timeout resp, err := http.Get(userProvidedURL) // SECURE - with timeout client := &http.Client{Timeout: 10 * time.Second} resp, err := client.Get(userProvidedURL)
Output Format
findings: - title: "ReDoS in email validation regex" severity: high attack_scenario: "Attacker sends crafted email string causing regex backtracking" preconditions: "None - public endpoint" reachability: public impact: "Service unavailability, CPU exhaustion" confidence: high cwe_id: "CWE-1333" affected_assets: - "/api/register" - "src/validation.rs:15" taint_path: "request.email -> regex.match() -> CPU exhaustion"
Audit Checklist
Input Validation
[ ] Maximum string length enforced [ ] Maximum array/list size enforced [ ] Maximum recursion depth [ ] Maximum request body size [ ] Maximum file upload size [ ] Maximum JSON depth
Resource Management
[ ] Memory allocation bounded [ ] File descriptors closed [ ] Database connections pooled/limited [ ] HTTP client timeouts set [ ] Request timeouts configured [ ] Rate limiting implemented
Regex Safety
[ ] No nested quantifiers: (a+)+, (a*)* [ ] No overlapping alternation: (a|a)+ [ ] No backreferences in alternation [ ] Use possessive quantifiers where available: a++ [ ] Use atomic groups: (?>...)
Attack Vectors
Billion Laughs (XML)
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> ... ]> <lolz>&lol9;</lolz>
Zip Bomb
# 42.zip: 42KB compressed → 4.5PB decompressed # Defense: Check decompressed size before full extraction
Hash Collision DoS
# Craft keys that hash to same bucket # O(n) lookup becomes O(n^2) # Defense: Use randomized hash functions
Severity Guidelines
| Issue | Severity |
|---|---|
| ReDoS on public endpoint | High |
| Unbounded memory allocation | High |
| XML/Zip bomb vulnerability | High |
| Missing request timeout | Medium |
| Hash collision possible | Medium |
| Unbounded loop (authenticated) | Medium |
| Missing rate limiting | Low-Medium |
KYCo Integration
Register DoS/resource exhaustion findings:
1. Check Active Project
kyco project list
2. Register Finding
kyco finding create \ --title "ReDoS in email validation regex" \ --project PROJECT_ID \ --severity high \ --cwe CWE-1333 \ --attack-scenario "Attacker sends crafted email string causing regex backtracking" \ --impact "Service unavailability, CPU exhaustion" \ --assets "/api/register,src/validation.rs:15"
3. Import Scanner Results
# Import semgrep ReDoS findings semgrep --config p/security-audit --sarif -o semgrep.sarif . kyco finding import semgrep.sarif --project PROJECT_ID
Common CWE IDs for DoS
- CWE-1333: Inefficient Regular Expression Complexity (ReDoS)
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits
- CWE-776: Improper Restriction of XML External Entity Reference (XXE bomb)
- CWE-409: Improper Handling of Highly Compressed Data (zip bomb)