Regular expression Denial of Service vulnerability

A Regular expression Denial of Service (ReDoS) vulnerability is a type of Denial of Service attack and an algorithmic complexity attack in which the attacker exploits a condition that makes the application work extremely slowly. The attacker triggers this condition by submitting crafted input or large expressions to the server, so that the regular expression engine spends an enormous amount of time backtracking. This condition hangs the system and causes it to deny all requests to the server. Applications that evaluate regular expressions against user-controlled input are vulnerable to this attack: the attacker looks for an "Evil Regex" (a pattern whose nested or overlapping quantifiers allow exponential backtracking) in the application and supplies input that triggers it. Using this attack, the attacker can target end-user browsers, web application firewalls, databases and many other components.

The attacker follows these steps to exploit an application with a regular expression denial of service attack:

  1. Creates JavaScript code and searches for an Evil Regex in the application.
  2. Uses a custom URL to exploit this Evil Regex.
  3. Sends a trigger value through a proxy.

Example

The following is a complex expression (an e-mail validation pattern) that can take a very long time to process on certain inputs: the group `(([\-.]|[_]+)?([a-zA-Z0-9]+))*` repeats a sub-pattern that itself repeats, so a long run of alphanumeric characters that is not followed by a valid `@domain` part can be split between the two quantifiers in exponentially many ways before the engine gives up.

        ^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$

Impact

The major impact is denial of service. The attacker can flood the application's memory and processing capacity to hang the system, and can also hang the web browsers of end users when the vulnerable expression runs client-side.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Monitor the regular expressions used in the application and avoid patterns with nested or overlapping quantifiers applied to untrusted input.
  • Test the dependencies present in the application for any ReDoS (Regular Expression Denial of Service) vulnerabilities.
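As an added example (not code from the Beagle article), the following Python script compiles the pattern quoted in the Example section, measures how long the standard `re` engine takes to reject inputs that contain no `@`, and pairs that with the mitigations listed above: a length cap applied before the regex runs, and a rewritten pattern that accepts the same addresses but has no nested quantifier. The rewritten pattern, the `validate_email` helper, the `MAX_EMAIL_LEN` constant and the constructed test inputs are this example's own assumptions.

```python
import re
import time

# Pattern quoted in the article. The nested quantifier
# (([\-.]|[_]+)?([a-zA-Z0-9]+))* lets a backtracking engine split a run of
# n alphanumerics between the inner "+" and the outer "*" in roughly 2^n ways,
# and it tries every one of them before reporting "no match".
VULNERABLE_EMAIL_RE = re.compile(
    r"^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}"
    r"(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$"
)

# Rewritten pattern (an assumption of this example, not from the article).
# It accepts the same addresses, but every repetition of the group must begin
# with a separator, so there is exactly one way to consume a run of
# alphanumerics and a failing match backtracks linearly, not exponentially.
LINEAR_EMAIL_RE = re.compile(
    r"^[a-zA-Z0-9]+(?:(?:[.\-]|_+)[a-zA-Z0-9]+)*"
    r"@[a-z0-9]+\.[a-z]{2,3}(?:\.[a-z]{2,3})?$"
)

# Length cap (assumed here): backtracking cost grows with input length, so
# rejecting over-long input before the regex runs bounds the worst case.
MAX_EMAIL_LEN = 254


def validate_email(text: str, pattern: re.Pattern = LINEAR_EMAIL_RE) -> bool:
    """Hardened validator: enforce the length cap, then run the pattern."""
    if len(text) > MAX_EMAIL_LEN:
        return False
    return pattern.match(text) is not None


def evil_input(n: int) -> str:
    """Constructed input: n alphanumerics and no '@', so the match must fail."""
    return "a" * n + "!"


def seconds_to_reject(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds the engine spends before giving up on `text`."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def backtracking_growth(lengths=(10, 12, 14, 16, 18)) -> list:
    """Time the vulnerable pattern on growing inputs.

    Each extra two characters costs roughly four times as long. The lengths
    are deliberately small: a few more characters would take far too long.
    """
    return [(n, seconds_to_reject(VULNERABLE_EMAIL_RE, evil_input(n)))
            for n in lengths]


if __name__ == "__main__":
    for n, secs in backtracking_growth():
        print(f"vulnerable pattern, {n:2d} chars: {secs * 1000:9.3f} ms")
    long_n = 5000
    linear_secs = seconds_to_reject(LINEAR_EMAIL_RE, evil_input(long_n))
    print(f"linear pattern, {long_n} chars:  {linear_secs * 1000:9.3f} ms")
    print("validate_email('user.name@example.co.uk') ->",
          validate_email("user.name@example.co.uk"))
    print("validate_email('a' * 300 + '@example.com') ->",
          validate_email("a" * 300 + "@example.com"))
```

Running the script prints the rejection time for the vulnerable pattern climbing steeply between 10 and 18 characters, while the rewritten pattern rejects a 5000-character input in well under a millisecond. In production the same two controls apply: cap input length before matching, and either remove nested quantifiers from the pattern or use a regex engine with a linear-time guarantee (RE2 or the Rust `regex` crate), which refuses backtracking constructs altogether.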
