Regex DoS

Regex DoS (ReDoS) is a subset of DoS attacks which targets the application layer ane exploits improper regex to slow down the server. It can occur anywhere, server side, client side, database, or anything in between.

Places where this can be possible:

• When the application has a password policy
• Validating email addresses, username, etc

How to find it:

• Input an invalid escape sequence like \m
• Submit input like "(.+)+\u0001"

Resources

• USENIX-RegexpWIP.ppt (Archive.org url)
  • Simple slides which explain how a regex engine matches the input and the worst case scenario
• Checkmarx ReDoS Presentation (Archive.org url)
  • Evil Regex pattern examples
    1. (a+)+
    2. ([a-zA-Z]+)*
    3. (a|aa)+
    4. (a|a?)+
    5. (.*a){x} | for x > 10 Payload: “aaaaaaaaaaaaaaaaaaX”
• OWASP 2009 - Regex Dos by Adar Weidman
• Microsoft .NET MVC ReDoS (Denial of Service) Vulnerability