Alex Roichman and Adar Weidman form Checkmarx found a new attack vector on Web Applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can make a Web application unavailable to its intended users. ReDoS is commonly known as a "bug" in systems, but Alex Roichman and Adar Weidman show how serious it is and how using this technique, various applications can be "ReDoSed". These include, among others, Server-side of Web applications and Client-side Browsers. The art of attacking the Web by ReDoS is by finding inputs which cannot be matched by Regexes and on these Regexes a Regex-based Web systems get stuck.

For further reading:
http://www.checkmarx.com/NewsDetails.aspx?id=23

This is actually very interesting - thanks! Slide 14: true true... that's for many here including me. It's surprising how easy vectors can be crafted to DoS common filters and detection mechanisms. A simple example:

Quote

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa... times 2000 ... aaaaaaaaaaaaaa>

I wonder if it's even possible to fix certain types of ReDoS vulns. Depending on the expression and the data to match it seems mandatory to give the raw data a treatment with a simpler regex before hitting the "real" regex. What are your experiences with dossing back-references - necessary for detection of pattern repetition?

I think I will have to spend some quality time with the PHPIDS this weekend ;)



Edited 1 time(s). Last edit at 09/10/2009 02:31PM by .mario.

Of course, DoS by Regex is not a new class of vulnerabilities and I pointed out this in my presentation. What I wanted is to revisit an old attack and show how it can be easily leveraged on the Web.

I also found that programmers and in many cases even security experts are not aware of Regex threats. So I wanted to expose the Regex problem to the application security community and also to encourage development of Regex-safe methodologies and tools.