ReDoS (Regular Expression Denial of Service)

ReDOS is an attack method to compromise the Regex vulnerabilities which evaluate arbitrary inputs.

Evil (Vulnerable) Regex

(a+)+
([a-zA-Z]+)*
(a|aa)+
(a|a?)+
(.*a){x} for x \> 10
^(([a-z])+.)+[A-Z]([a-z])+$

<!-- https://regexlib.com/REDetails.aspx?regexp_id=1757&AspxAutoDetectCookieSupport=1 -->
/^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/

Malicious Input

If a target website validates user input with the above vulnerable Regex, we may be able to compromise the target system by the following malicious input:

aaaaaaaaaaaaaaaaaaaaaaaa!

PreviousNetworking NextRsync Pentesting

Last updated 1 year ago