Regular expression Denial of Service vulnerability

By Nash N Sulthan
Published on 24 Jun 2018

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack and an algorithmic complexity attack in which the attacker exploits a condition that makes the application run slowly. The attacker triggers this condition by uploading large expressions to the server. The condition hangs the system, which then denies all requests to the server. Applications that use regular expressions are vulnerable to this attack. The attacker tries to get an Evil Regex executed in the application to carry out the regular expression denial of service attack. Using this attack, the attacker can target end-user browsers, web application firewalls, databases and more.

To exploit an application using a regular expression denial of service attack, the attacker follows these steps:

  1. Creates JavaScript code and searches for an Evil Regex in the application.
  2. Uses a custom URL to exploit this Evil Regex.
  3. Sends a trigger value through a proxy.

Example

The following is a complex expression that can take a long time to process.

        ^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$

    

Impact

The major impact is denial of service. The attacker can flood the application's memory to hang the system. The attacker can also hang the web browsers of end users.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Monitor the regular expressions used in the application.
  • Test the dependencies present in the application for any ReDoS (Regular Expression Denial of Service) vulnerabilities.
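
As an added example (not from the original article and not Beagle's own code), the JavaScript below applies the first recommendation to the example pattern shown earlier: it times the original against an equivalent rewrite whose separator is mandatory inside the repeated group, and caps input length before matching. The names `HARDENED`, `MAX_INPUT_LENGTH`, `isValidAddress`, the probe string and the sample addresses are assumptions constructed for this illustration.

```javascript
// Added example: the article's pattern beside an equivalent rewrite (assumed names).
const VULNERABLE = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;

// In VULNERABLE the separator before each alphanumeric run is optional, so the
// repeated group can split one run of letters in exponentially many ways.
// Requiring the separator inside the repeat removes that ambiguity while
// accepting the same strings.
const HARDENED = /^[a-zA-Z0-9]+(?:(?:[\-.]|_+)[a-zA-Z0-9]+)*@[a-z0-9]+\.[a-z]{2,3}(?:\.[a-z]{2,3})?$/;

const MAX_INPUT_LENGTH = 254; // assumed cap for this example; checked before matching

function isValidAddress(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) return false;
  return HARDENED.test(input);
}

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Milliseconds a pattern needs to reject a constructed probe: n alphanumerics
// followed by a character that can never complete a match.
function rejectTimeMs(pattern, n) {
  const probe = 'a'.repeat(n) + '!';
  const start = now();
  const matched = pattern.test(probe);
  const elapsed = now() - start;
  if (matched) throw new Error('probe unexpectedly matched');
  return elapsed;
}

// Constructed sample addresses used to confirm both patterns decide identically.
const SAMPLES = [
  'john.doe@example.com', 'a_b-c@host.co.uk', 'a__b@x.io', 'a..b@x.io', '.a@x.io',
  'a.@x.io', 'a-_b@x.io', 'user@Example.com', 'user@example.c', 'user@example.comm',
];

function patternsAgree() {
  return SAMPLES.every((s) => VULNERABLE.test(s) === HARDENED.test(s));
}

// Regression report: the original roughly doubles per extra character, the rewrite stays flat.
function timingReport(sizes = [14, 18, 22]) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: rejectTimeMs(VULNERABLE, n),
    hardenedMs: rejectTimeMs(HARDENED, n),
  }));
}

console.log('patterns agree on samples:', patternsAgree());
console.table(timingReport());
```

Keeping the probe sizes small lets this run as a regression test in CI without stalling the build.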

Written by Nash N Sulthan, Cyber Security Lead Engineer