Regex DoS

Regex DoS (ReDoS) is a subset of DoS attacks that targets the application layer and exploits inefficiently written regular expressions to slow down the server. It can occur anywhere a regex is evaluated: server side, client side, in the database, or anything in between.

Places where this is possible:

  • When the application enforces a password policy
  • When validating email addresses, usernames, etc.

How to find it:

  • Input an invalid escape sequence like \m
  • Submit input like "(.+)+\u0001"
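The defensive counterpart to the validation cases and the (.+)+ probe above, as an added example that is not part of the original page: a small Python linter that walks a pattern's parse tree and flags an unbounded quantifier nested inside another unbounded quantifier (a heuristic, so false positives are possible), next to a username check hardened with an input-length cap and a bounded, non-nested pattern. It assumes CPython's regex parser module (re._parser, formerly sre_parse), which is private API.

```python
import re

try:                                 # private CPython API; moved in Python 3.11
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

MAXREPEAT = sre_parse.MAXREPEAT      # marks "no upper bound" in the parse tree
REPEATS = ("MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT")


def nested_unbounded_repeats(pattern: str) -> int:
    """Count unbounded quantifiers nested inside another unbounded quantifier,
    the classic ReDoS shape ((a+)+, (.+)+). Heuristic: it can also flag
    patterns whose inner repetition cannot really overlap with the outer one."""
    def walk(items, inside):
        hits = 0
        for op, arg in items:
            name = getattr(op, "name", str(op))
            if name in REPEATS:                     # x*, x+, x{n,} ...
                _lo, hi, body = arg
                unbounded = hi == MAXREPEAT
                hits += int(unbounded and inside) + walk(body, inside or unbounded)
            elif name == "SUBPATTERN":              # (...) group; body is last item
                hits += walk(arg[-1], inside)
            elif name == "BRANCH":                  # a|b: check every alternative
                hits += sum(walk(alt, inside) for alt in arg[1])
            elif name in ("ASSERT", "ASSERT_NOT"):  # lookaround body
                hits += walk(arg[1], inside)
            elif name == "ATOMIC_GROUP":            # (?>...) is never re-entered
                hits += walk(arg, False)            # by backtracking: fresh scope
        return hits
    return walk(sre_parse.parse(pattern), False)


# Vulnerable shape: the two + quantifiers can split a run of word characters in
# exponentially many ways before a trailing non-matching character fails the match.
USERNAME_VULNERABLE = r"^([A-Za-z0-9_]+)+$"
# Hardened: one quantifier with an explicit upper bound, no nesting.
USERNAME_SAFE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
MAX_INPUT_LEN = 256                  # reject oversize input before any regex runs


def check_username(value: str) -> bool:
    """Length cap first, then the bounded pattern; both limit matching work."""
    if len(value) > MAX_INPUT_LEN:
        return False
    return USERNAME_SAFE.fullmatch(value) is not None
```

Running the linter over patterns pulled from a code base at review time catches the shape before it reaches production; the length cap is the runtime backstop for patterns the heuristic misses.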

Resources