Billion laughs vulnerability — case study

Kirubakaran
4 min read, Jun 12, 2024

Imagine you’re the owner of a popular online store in India, specializing in antique and handmade crafts. Your website, “antique & handicraft seller”, built in Go, is under heavy load from customers buying unique gifts for the upcoming holiday season. To handle the orders, you built a system that tracks inventory and customer information using JSON, a common format for organizing data online.

Unbeknownst to you, an attacker has found that a parser somewhere in your order-intake path expands references inside a document without any limit. They send a small, seemingly harmless message to your website, disguised as a customer order. But this message is a digital landmine, built to trigger the “billion laughs” bug. In its classic form it is an XML document whose internal DTD declares a chain of entities, each one referencing the previous one ten times; YAML aliases can be abused the same way, and YAML parsers have had to add alias-expansion limits for exactly this reason. Plain JSON has no reference mechanism at all, so the bomb cannot be written in JSON itself, and Go’s standard encoding/xml does not expand entities declared in a DTD. The exposure for a Go service is therefore in whatever XML or YAML it accepts through a parser that does expand references, not in encoding/json.

As your website parses the message, it’s like a domino effect: every reference expands to ten copies of the definition beneath it, so ten levels of nesting turn a few hundred bytes of input into a billion copies of the innermost string, roughly three gigabytes of memory from a message small enough to slip under any request-size limit. Your servers, the backbone of your online store, begin to choke under the strain of this ever-growing mountain of data.

Soon the site slows to a crawl, then crashes outright. Customers are greeted with error messages instead of festive Diwali deals. Orders are lost, deliveries are delayed, and frustrated customers vent their anger on social media. Your reputation takes a hit, and your sales drop during the busiest shopping season of the year.
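As an added example, not code from the original post, the Go program below shows the mechanism and the guard. It builds the classic bomb from a depth and fan-out, predicts the expanded size of the body without allocating it (each entity is sized once and memoised), and refuses to expand anything whose predicted size exceeds a byte budget. The entity-declaration grammar is a toy subset of an XML internal DTD, the `lol0..lolN` names, the 32-level depth limit (which also catches self-referencing entities) and the 1 MiB budget are assumptions for illustration, and none of this is Go’s encoding/xml, which does not process DTD entity declarations at all.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not code from the original post. The grammar below is a toy
// subset of XML's internal DTD; the limits are illustrative assumptions.
var (
	ErrExpansionTooLarge = errors.New("entity expansion exceeds budget")
	ErrEntityTooDeep     = errors.New("entity nesting too deep (cycle?)")
	entityDecl           = regexp.MustCompile(`<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>`)
	entityRef            = regexp.MustCompile(`&(\w+);`)
)

// buildBillionLaughs constructs the classic bomb as sample input: lol0 is the
// 3-byte text "lol" and each lolN references lolN-1 `fanout` times, so the body
// expands to fanout^depth copies of "lol" (depth=9, fanout=10: ~1 KB in, ~3 GB out).
func buildBillionLaughs(depth, fanout int) string {
	var sb strings.Builder
	sb.WriteString("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol0 \"lol\">\n")
	for i := 1; i <= depth; i++ {
		fmt.Fprintf(&sb, " <!ENTITY lol%d \"%s\">\n", i, strings.Repeat(fmt.Sprintf("&lol%d;", i-1), fanout))
	}
	fmt.Fprintf(&sb, "]>\n<lolz>&lol%d;</lolz>", depth)
	return sb.String()
}

// loadDoc splits off the internal DTD subset, collects its <!ENTITY>
// declarations as name -> replacement text, and returns the document body.
func loadDoc(doc string) (map[string]string, string) {
	ents := map[string]string{}
	dtd, body := "", doc
	if i := strings.Index(doc, "]>"); i >= 0 {
		dtd, body = doc[:i], doc[i+2:]
	}
	for _, m := range entityDecl.FindAllStringSubmatch(dtd, -1) {
		ents[m[1]] = m[2]
	}
	return ents, strings.TrimSpace(body)
}

// expandedSize predicts the fully expanded byte count of text without building
// it: each entity is sized once and memoised, so 10^9 is computed, not allocated.
func expandedSize(ents map[string]string, text string, memo map[string]int64, depth int) (int64, error) {
	if depth > 32 { // assumed bound; also stops self-referencing entities
		return 0, ErrEntityTooDeep
	}
	var total int64
	last := 0
	for _, m := range entityRef.FindAllStringSubmatchIndex(text, -1) {
		total += int64(m[0] - last)
		name := text[m[2]:m[3]]
		size, ok := memo[name]
		if !ok {
			var err error
			if repl, known := ents[name]; known {
				size, err = expandedSize(ents, repl, memo, depth+1)
			} else {
				size = int64(m[1] - m[0]) // unknown reference stays literal
			}
			if err != nil {
				return 0, err
			}
			memo[name] = size
		}
		total += size
		last = m[1]
	}
	return total + int64(len(text)-last), nil
}

// PredictSize is the cheap pre-check: how large would doc's body become?
func PredictSize(doc string) (int64, error) {
	ents, body := loadDoc(doc)
	return expandedSize(ents, body, map[string]int64{}, 0)
}

// expandNaive materialises text; only safe once expandedSize has bounded it.
func expandNaive(ents map[string]string, text string) string {
	return entityRef.ReplaceAllStringFunc(text, func(ref string) string {
		if repl, ok := ents[ref[1:len(ref)-1]]; ok {
			return expandNaive(ents, repl)
		}
		return ref
	})
}

// SafeExpand refuses any document whose predicted expansion exceeds budget
// bytes, so a bomb is rejected after a few table lookups instead of gigabytes.
func SafeExpand(doc string, budget int64) (string, error) {
	ents, body := loadDoc(doc)
	if n, err := expandedSize(ents, body, map[string]int64{}, 0); err != nil {
		return "", err
	} else if n > budget {
		return "", fmt.Errorf("%w: %d bytes predicted, limit %d", ErrExpansionTooLarge, n, budget)
	}
	return expandNaive(ents, body), nil
}
```

The point to notice is where the limit sits. The bomb is under a kilobyte on the wire, so capping the request body (for example with http.MaxBytesReader) does nothing against it; the budget has to apply to the output of expansion, which is why the size is predicted from the entity table before a single byte is materialised. A depth-two document with the same fan-out expands to 300 bytes and passes the same check untouched.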



Software engineer with expertise in C, C++, Golang, Python, Docker and Kubernetes.