Regular expression Denial of Service (ReDoS) is a form of Denial of Service attack and an algorithmic complexity attack: the attacker exploits the fact that most regular expression engines (Python `re`, Java `java.util.regex`, JavaScript, PCRE, .NET) are backtracking engines, which can take exponential time on an ambiguous pattern. The attacker does not need to send a large payload; a crafted input string of a few dozen characters that almost matches an "evil" pattern, or, where the application compiles patterns supplied by users, an evil pattern itself, is enough to keep a server worker busy for seconds, minutes or longer. Enough such requests tie up every worker and the server stops serving legitimate requests. Any application that evaluates a backtracking regular expression against untrusted input can be vulnerable; engines that guarantee linear-time matching, such as RE2 and Go's `regexp`, are not. The same technique can be turned against end-user browsers (client-side validation regexes), web application firewalls, databases and any other component that runs regular expressions over attacker-controlled data.
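As an added illustration of the mechanism described above (example code written for this page, not taken from the original article or from Beagle's tooling), the Python script below pits the well-known evil pattern `^(a+)+$` against inputs of the form `aaaa...a!`. The pattern accepts exactly the same strings as the unambiguous `^a+$`, but its nested quantifier lets the engine split a run of `k` letters into groups in `2**(k-1)` ways, and the trailing `!` forces it to try every one before giving up. The pattern names, the constructed attack payload, the timing harness and the `MAX_INPUT_LEN` limit are assumptions made for the demonstration.

```python
import re
import time

# Constructed example patterns; neither comes from the original page.
# EVIL accepts exactly the same strings as SAFE ("one or more 'a'"), but the
# nested quantifier is ambiguous: a run of k 'a's can be split into groups in
# 2**(k-1) ways, and a backtracking engine tries them all before it can report
# that the trailing "!" makes the overall match fail.
EVIL_PATTERN = re.compile(r"^(a+)+$")
SAFE_PATTERN = re.compile(r"^a+$")


def attack_input(n):
    """Constructed attacker payload: n copies of 'a' followed by a character
    that forces the overall match to fail, so every split of the run is tried."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Run pattern.match once and return (matched, seconds_taken)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_blowup(small=10, large=18):
    """Seconds spent by EVIL_PATTERN on attack_input(small) and attack_input(large).
    Each extra 'a' roughly doubles the work, so the second figure is orders of
    magnitude larger than the first although the input grew by only a few bytes."""
    _, t_small = time_match(EVIL_PATTERN, attack_input(small))
    _, t_large = time_match(EVIL_PATTERN, attack_input(large))
    return t_small, t_large


def same_language(max_n=8):
    """Both patterns accept and reject the same strings; only the cost differs."""
    probes = ["", "!", "a", "aa!", "aaaa", "ab", "a" * max_n, "a" * max_n + "!"]
    return all(
        bool(EVIL_PATTERN.match(s)) == bool(SAFE_PATTERN.match(s)) for s in probes
    )


MAX_INPUT_LEN = 64  # hypothetical per-field limit an application might enforce


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Refuse to run the pattern on oversized input. Bounding the input length
    caps the exponent when a pattern cannot be rewritten; rewriting the pattern
    to an unambiguous form (SAFE_PATTERN) removes the blow-up altogether."""
    if len(text) > max_len:
        raise ValueError("input length %d exceeds limit %d" % (len(text), max_len))
    return pattern.match(text) is not None


if __name__ == "__main__":
    t_small, t_large = backtracking_blowup()
    print("evil pattern : n=10 %.6fs  n=18 %.4fs" % (t_small, t_large))
    _, t_safe = time_match(SAFE_PATTERN, attack_input(18))
    print("safe pattern : n=18 %.6fs" % t_safe)
    print("same language:", same_language())
```

Running the script shows the evil pattern's time jumping by two orders of magnitude between 10 and 18 letters while the unambiguous pattern stays at microseconds on the same input; pushing `n` to 25 or 30 is enough to hang a CPython process for a long time, which is exactly what an attacker sends to a form field validated by such a pattern. The length guard is the generic fallback for patterns you cannot rewrite; note that it only caps the exponent, it does not make an ambiguous pattern linear.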
An attacker typically follows these steps to exploit an application with a regular expression denial of service attack:-
The following is an example of an evil regular expression: an ambiguous pattern that a backtracking engine can take an extremely long time to process on a crafted, non-matching input.
The main impact is denial of service. A single crafted request pins a server worker at full CPU for as long as the backtracking runs (and, in some engines, also exhausts the backtracking stack), and a handful of concurrent requests occupy every worker so that the application stops answering legitimate users. When the vulnerable pattern runs in client-side JavaScript, the same input freezes the end user's browser tab instead.
Beagle recommends the following fixes:-