Exploiting Input Sanitization for Regex Denial of Service

Summary

  1. We conducted a black-box study to (ethically) measure ReDoS vulnerabilities in live web services. We assume that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server side. We investigated both HTML forms and API specifications. Our results showed that regexes in API specifications pose a greater ReDoS threat. We discovered ReDoS vulnerabilities in several web domains, including domains operated by Microsoft and by Amazon.
  2. To mitigate ReDoS, we believe that there are better solutions than not publishing regexes at all [9]. This leaves two options: figuring out how to easily turn unsafe regexes into safe regexes (researchers don’t yet know how to do this perfectly) or adopting a safe regex engine for input sanitization.

Background

Regexes

Unsafe Regexes and ReDoS

Two Common Places for Finding Clues

Engineers may reveal sanitization regexes in (at least) three places on the client side: in HTML forms and in JavaScript handlers (figure (a)); and in API specifications (figure (b)).
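As an added example (not code from the post or its authors), the JavaScript below harvests candidate regexes from two of the places named above: `pattern` attributes on HTML `<input>` elements and `pattern` keywords in an OpenAPI/JSON Schema document. The form, the spec object and every regex in them are constructed for the demonstration, and the function names `htmlPatterns`, `specPatterns` and `findRegexes` are this example's own. It also records whether each regex is anchored to the whole value, which matters when judging how a super-linear regex will behave on attacker-controlled input.

```javascript
// Added example (not code from the post): collect candidate sanitization
// regexes from the two client-visible sources named above, HTML form
// `pattern` attributes and `pattern` keywords in an OpenAPI/JSON Schema
// document. The form, the spec and every regex in them are constructed.

const sampleHtml = `
<form action="/signup" method="post">
  <input name="user" type="text" pattern="^[a-zA-Z0-9_]{3,16}$" required>
  <input name="zip"  type="text" pattern='\\d{5}(-\\d{4})?'>
  <input name="bio"  type="text">
  <textarea name="notes"></textarea>
</form>`;

const sampleSpec = {
  openapi: '3.0.0',
  paths: {
    '/users': {
      post: {
        parameters: [
          { name: 'email', in: 'query',
            schema: { type: 'string',
                      pattern: '^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(\\.[a-zA-Z]{2,})+$' } },
        ],
        requestBody: { content: { 'application/json': { schema: {
          type: 'object',
          properties: {
            handle: { type: 'string', pattern: '^(\\w+\\s?)*$' },
            age:    { type: 'integer' },
          },
        } } } },
      },
    },
  },
};

// Pull the `name` and `pattern` attributes out of every <input> tag. Both
// scanning regexes are linear (no nested or adjacent ambiguous quantifiers).
function htmlPatterns(html) {
  const out = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /\b(name|pattern)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3];
    }
    if (attrs.pattern !== undefined) {
      // Browsers compile a pattern attribute as ^(?:pattern)$, so a form
      // regex always has to match the whole submitted value.
      out.push({ source: 'html', where: attrs.name || '(unnamed)',
                 pattern: attrs.pattern, anchored: true });
    }
  }
  return out;
}

// Walk a parsed OpenAPI/JSON Schema object and record every `pattern`
// keyword with the JSON path it sits at.
function specPatterns(node, path = [], out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => specPatterns(item, path.concat(String(i)), out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'pattern' && typeof value === 'string') {
        // JSON Schema patterns are not implicitly anchored: without ^ and $
        // the regex only has to match somewhere inside the value.
        out.push({ source: 'spec', where: path.join('.'), pattern: value,
                   anchored: value.startsWith('^') && value.endsWith('$') });
      } else {
        specPatterns(value, path.concat(key), out);
      }
    }
  }
  return out;
}

function findRegexes(html, spec) {
  return htmlPatterns(html).concat(specPatterns(spec));
}

console.log(findRegexes(sampleHtml, sampleSpec));
```

The anchoring flag is worth keeping next to each regex: HTML compiles a `pattern` attribute as `^(?:pattern)$`, so form regexes are always whole-value matches, whereas JSON Schema patterns are unanchored by default. An unanchored super-linear regex is retried from every starting offset of the value, which adds another factor of the input length to an already bad matching cost, so a spec regex without `^` and `$` deserves a closer look than the same regex in a form.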

Approach

Overview of our research methodology

Finding Regexes

Detecting Super-linear Regexes

Fingerprinting Unsafe Regex Use

Results & Discussion

  • API specification-based code generators. API specifications are an important step to designing a web service. Although the safety of regexes isn’t a primary concern during the specification phase, when that specification is used to generate code, software engineers can unintentionally introduce ReDoS vulnerabilities to their web service.
  • Tools which compose API specifications by parsing code. Software engineers using these tools may unintentionally publish the regexes they’re using within the backend.
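The "Detecting Super-linear Regexes" step, and summary point 2 on turning unsafe regexes into safe ones, can be illustrated with a small static check. The JavaScript below is an added example and not the study's tooling: `starHeight` computes the nesting depth of unbounded quantifiers in a regex source string, `flagSuperLinear` filters a list of regexes by it, and `agreeOn` checks that a hand-written safe rewrite accepts and rejects the same short samples as the unsafe original. All regexes and sample inputs are constructed, and the function names are this example's own.

```javascript
// Added example (not the post's tooling): a coarse static filter for
// super-linear regexes based on star height, the nesting depth of unbounded
// quantifiers. `^(a+)+$` has star height 2 and is the textbook ReDoS shape.
// All regex sources and sample inputs below are constructed.

// Star height of a regex source string: 0 with no unbounded quantifier,
// 1 for a+ or [a-z]*, 2 for (a+)+, and so on. Only `*`, `+` and `{n,}` count
// as unbounded; `?`, `{n}` and `{n,m}` are bounded and ignored.
function starHeight(src) {
  const stack = [{ inner: 0 }];   // one frame per open group
  let lastAtom = 0;               // star height of the atom just completed
  let inClass = false;
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { i += 2; lastAtom = 0; continue; }          // escaped char
    if (inClass) { if (c === ']') inClass = false; i++; continue; }
    if (c === '[') { inClass = true; lastAtom = 0; i++; continue; }
    if (c === '(') { stack.push({ inner: 0 }); i++; continue; }
    if (c === ')' && stack.length > 1) {
      const group = stack.pop();
      const top = stack[stack.length - 1];
      top.inner = Math.max(top.inner, group.inner);
      lastAtom = group.inner;     // a quantifier may now apply to the group
      i++;
      continue;
    }
    const brace = c === '{' ? /^\{\d+,\}/.exec(src.slice(i)) : null;
    if (c === '*' || c === '+' || brace) {
      const top = stack[stack.length - 1];
      top.inner = Math.max(top.inner, lastAtom + 1);
      lastAtom = 0;
      i += brace ? brace[0].length : 1;
      if (src[i] === '?') i++;    // lazy modifier does not change height
      continue;
    }
    lastAtom = 0;                 // literal, anchor or other single atom
    i++;
  }
  return stack[0].inner;
}

// Constructed regexes: the comments say what the heuristic does with each.
const candidates = [
  '^(a+)+$',                 // exponential: nested unbounded quantifiers
  '^a+$',                    // safe rewrite of the above, same language
  '^[a-zA-Z0-9_]{3,16}$',    // bounded quantifier only
  '^(\\d+,)*\\d+$',          // height 2 but unambiguous: a false positive
  '^(a|aa)+$',               // exponential but height 1: a miss
];

function flagSuperLinear(patterns) {
  return patterns.map(p => ({ pattern: p, height: starHeight(p) }))
                 .filter(r => r.height >= 2);
}

// Check that a safe rewrite accepts and rejects the same samples as the
// unsafe original. Samples must stay short: the unsafe regex is run on them.
function agreeOn(unsafe, safe, samples) {
  const u = new RegExp(unsafe), s = new RegExp(safe);
  return samples.every(x => u.test(x) === s.test(x));
}

console.log(flagSuperLinear(candidates));
console.log(agreeOn('^(a+)+$', '^a+$', ['', 'a', 'aaaa', 'aaab', 'b']));
```

Star height of 2 or more is a conservative triage filter, not a proof either way: it catches the exponential `(a+)+` shape but also flags unambiguous patterns such as `(\d+,)*\d+`, and it misses super-linear regexes of height 1 such as `(a|aa)+` or the polynomial `\d+\d+`. Use it to decide which published regexes get a proper analysis first. The samples given to `agreeOn` are deliberately short because the unsafe original is evaluated on every one of them.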

Conclusion

References

I am a professor in ECE@Purdue. I hold a PhD in computer science from Virginia Tech. I blog about my research findings and share tips for engineering students.

James Davis
