Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
DoS by Regex or reDoS
Posted by: Alex Roichman
Date: September 10, 2009 01:46PM

Alex Roichman and Adar Weidman form Checkmarx found a new attack vector on Web Applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can make a Web application unavailable to its intended users. ReDoS is commonly known as a "bug" in systems, but Alex Roichman and Adar Weidman show how serious it is and how using this technique, various applications can be "ReDoSed". These include, among others, Server-side of Web applications and Client-side Browsers. The art of attacking the Web by ReDoS is by finding inputs which cannot be matched by Regexes and on these Regexes a Regex-based Web systems get stuck.

For further reading:

Options: ReplyQuote
Re: DoS by Regex or reDoS
Posted by: Anonymous User
Date: September 10, 2009 02:25PM

This is actually very interesting - thanks! Slide 14: true true... that's for many here including me. It's surprising how easy vectors can be crafted to DoS common filters and detection mechanisms. A simple example:


"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa... times 2000 ... aaaaaaaaaaaaaa>

I wonder if it's even possible to fix certain types of ReDoS vulns. Depending on the expression and the data to match it seems mandatory to give the raw data a treatment with a simpler regex before hitting the "real" regex. What are your experiences with dossing back-references - necessary for detection of pattern repetition?

I think I will have to spend some quality time with the PHPIDS this weekend ;)

Edited 1 time(s). Last edit at 09/10/2009 02:31PM by .mario.

Options: ReplyQuote
Re: DoS by Regex or reDoS
Posted by: Alex Roichman
Date: September 12, 2009 07:50AM

Of course, DoS by Regex is not a new class of vulnerabilities and I pointed out this in my presentation. What I wanted is to revisit an old attack and show how it can be easily leveraged on the Web.

I also found that programmers and in many cases even security experts are not aware of Regex threats. So I wanted to expose the Regex problem to the application security community and also to encourage development of Regex-safe methodologies and tools.

Options: ReplyQuote

Sorry, only registered users may post in this forum.