While regex is wonderful, it can also be difficult to evaluate properly. Poor regex patterns result in mediocre performance and incorrect results. But is it more dangerous than that? Can it also result in vulnerabilities?

The truth is, yes. Badly architected regex patterns are a massive source of vulnerabilities in web apps. Failed input validation, leaky firewalls, and denial of service attacks can all result from poorly designed regex. This article will cover how hackers exploit regex evaluators to launch DoS attacks.

What is ReDoS?

ReDoS, which stands for Regular expression Denial of Service, is a type of denial of service attack.

Denial of Service Attacks (DoS)

A denial of service attack is when an attacker makes an online service slow down or become unavailable to its users. This type of attack is widespread on the modern Internet and can lead to financial losses and damage to a business’s reputation. There are many different types of DoS, one of them being ReDoS.

During a ReDoS attack, a hacker produces a denial of service by providing a regex engine with a string that takes a long time to evaluate. Hackers do this by exploiting so-called “evil regex patterns.”

Stuck in Crafted Input

Most regex evaluators have an exponential-time worst-case complexity. This means that, in the worst case, the time it takes to evaluate a particular string grows exponentially with the length of the input string.

Attackers can provide a crafted input that forces the evaluator’s worst-case time complexity and causes a ReDoS. When a hacker hits an application with a ReDoS, the application server can hang for a long time and become unavailable to legitimate users.

Typically, regex patterns that can cause an application to get stuck in evaluation have two characteristics. First, they often include the repetition of complex subexpressions (the use of “+” and “*” on complex subexpressions). And second, within these repeated subexpressions, there are additional repetition symbols and expressions that match a suffix of another match. Sound confusing? No worries, we’ll go into examples later in this post!
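As an added example (not code from the original article), the script below times CPython's backtracking `re` module against the classic nested-quantifier pattern `^(a+)+$` on crafted input, contrasts it with the single-quantifier pattern `^a+$` that accepts the same strings, and adds a coarse lint, `has_nested_quantifier`, that flags the shape described above: a quantifier applied to a group that already contains a quantifier. The two patterns, the crafted input and the lint function are all assumptions made for illustration; a False result from the lint is not a proof that a pattern is safe.

```python
import re
import time

# Added example, not from the original article. CPython's re module is a
# backtracking engine, so it serves to demonstrate the exponential worst case.

# The "evil" shape: a quantifier applied to a group that itself contains
# a quantifier (constructed pattern).
EVIL = re.compile(r"^(a+)+$")
# Accepts exactly the same strings, but with a single quantifier.
SAFE = re.compile(r"^a+$")


def crafted_input(n: int) -> str:
    """n repetitions of 'a' followed by a character that can never match,
    so every way of splitting the a's between the inner and outer '+'
    is tried before the engine gives up (constructed sample input)."""
    return "a" * n + "!"


def match_time(regex: "re.Pattern[str]", text: str) -> float:
    """Wall-clock seconds for one match attempt (the match itself fails)."""
    start = time.perf_counter()
    regex.match(text)
    return time.perf_counter() - start


def has_nested_quantifier(pattern: str) -> bool:
    """Coarse lint (an assumption of this example, not a standard tool):
    True when an unbounded quantifier (+, * or {...}) is applied to a group
    whose body already contains a quantifier, e.g. (a+)+ or (\\d+\\.)*."""
    open_groups = []     # one flag per open group: quantifier seen inside it?
    just_closed = None   # inner flag of the group closed immediately before
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                        # escaped token such as \d or \)
            i += 2
            just_closed = None
            continue
        if c == "[":                         # character class: + * ? are literal inside
            end = pattern.find("]", i + 1)
            i = n if end == -1 else end + 1
            just_closed = None
            continue
        if c == "(":
            open_groups.append(False)
            if pattern[i + 1:i + 2] == "?":  # (?:...), (?=...), (?P<name>...)
                i += 1                       # skip the '?' so it is not read as a quantifier
            just_closed = None
        elif c == ")":
            inner = open_groups.pop() if open_groups else False
            if inner and open_groups:
                open_groups[-1] = True       # the enclosing group now contains one too
            just_closed = inner
        elif c in "+*?{":
            if c != "?" and just_closed:     # unbounded repeat of a quantified group
                return True
            if open_groups:
                open_groups[-1] = True
            just_closed = None
        else:
            just_closed = None
        i += 1
    return False


if __name__ == "__main__":
    # Each extra pair of 'a's roughly quadruples the evil pattern's time;
    # the safe pattern stays flat.
    for n in range(8, 21, 2):
        print(f"n={n:2d}  evil={match_time(EVIL, crafted_input(n)):.4f}s"
              f"  safe={match_time(SAFE, crafted_input(n)):.6f}s")
    for p in (r"^(a+)+$", r"^a+$", r"^(?:[a-z]+@)[a-z]+$"):
        print(f"{p!r}: nested quantifier -> {has_nested_quantifier(p)}")
```

Run it once to see the growth curve; the point to take from it is that the rejected input, not an accepted one, is what triggers the blow-up, because the engine only explores every split of the a's after the trailing character makes the overall match fail. Rewriting `(a+)+` as `a+` removes the ambiguity without changing what the pattern accepts, which is the usual fix for this shape.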


Stopping Evil Regex-What’s Up with Regular Expression Denial of Service Attacks?