AttackFlow Findings Dictionary


Use of Dangerous Regular Expressions

An attacker can force the application into a denial-of-service state.

Severity

High

Fix Cost

Medium

Trust Level

Low

Regular expressions are very useful for finding patterns in strings. The technique is also used extensively for security, either to detect bad user input or to accept input only in an expected format; the second approach is, by the way, by far the more secure of the two.

On the other hand, regular expressions can be quite complex, and the engine that runs them should be as efficient as possible. However, it is exactly this complexity that can sometimes create denial-of-service opportunities for attackers.

For example, the code snippet below can take 6-7 seconds to complete with an input like aaaaaaaaaaaaaaaaaaaaaaaa! on a decent computer:

using System.Text.RegularExpressions;

// Nested quantifier: the "+" inside the group and the "+" on the group
// let the engine try every way of splitting a run of a's before it gives up.
if (Regex.IsMatch(input, "(a+)+k"))
{
    // matches
}

The same situation occurs with the code below:

// Same shape: a quantified character class inside a quantified group.
if (Regex.IsMatch(input, @"([a-zA-Z0-9]+)+#"))
{
    // matches
}

These long computation times are due to the nested repetition groups used in the regular expression patterns: on an input that almost matches, the backtracking engine retries every way of dividing the repeated characters between the inner and outer quantifiers before it can report a failure.


For example, the Java snippet below can take 17 seconds to complete on a decent computer, and pins the CPU at 100% while doing so:

// Cascading groups: "+" on the inner character class, "+" on the
// enclosing group, and a "." that can also consume a letter.
String pattern = "^(([a-z])+.)+[A-Z]([a-z])+$";
// A long run of lowercase letters followed by a character that cannot match.
String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";
// String.matches() requires the whole input to match the pattern.
System.out.println(input.matches(pattern));

These long computation times are due to the repetitive, cascading groupings used in the regular expression pattern.
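The C# program below is an added example, not AttackFlow's code, and serves both the .NET snippets and the Java one above. It runs the three patterns from this entry against constructed near-miss inputs under a match timeout, so that a pathological input is rejected instead of stalling a thread, and places each .NET pattern beside an equivalent one with no nested quantifier. The class name RedosGuard, the SafeIsMatch helper and the 100 ms budget are assumptions made for the example; the timeout overloads of Regex exist since .NET Framework 4.5, and RegexOptions.NonBacktracking requires .NET 7 or later.

```csharp
// Added example (not AttackFlow's code): bounded matching for the
// patterns discussed in this entry.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

public static class RedosGuard
{
    // Per-match time budget. 100 ms is an assumption for this example;
    // size it to the endpoint's normal matching cost.
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(100);

    // Returns true only when the input matches within the budget. A timeout
    // is treated as "reject": an input that makes the engine thrash is not
    // one a validation path should accept, and the caller gets a bounded
    // answer instead of a pinned CPU core.
    public static bool SafeIsMatch(string input, string pattern, RegexOptions options = RegexOptions.None)
    {
        try
        {
            return Regex.IsMatch(input, pattern, options, MatchTimeout);
        }
        catch (RegexMatchTimeoutException e)
        {
            // Log the pattern and budget, not the input: it is attacker
            // controlled and may be large.
            Console.Error.WriteLine($"regex timeout ({e.MatchTimeout.TotalMilliseconds} ms) on pattern {e.Pattern}");
            return false;
        }
    }

    private static void Time(string label, string input, string pattern, RegexOptions options = RegexOptions.None)
    {
        var sw = Stopwatch.StartNew();
        bool matched = SafeIsMatch(input, pattern, options);
        sw.Stop();
        Console.WriteLine($"{label,-36} matched={matched,-5} {sw.ElapsedMilliseconds,5} ms");
    }

    public static void Main()
    {
        // Constructed inputs: a long run that nearly matches, then a
        // character that forces the engine to retry every split of the run.
        string shortRun = new string('a', 24) + "!";
        string longRun  = new string('a', 40) + "!";

        // Each vulnerable .NET pattern from the entry beside a pattern that
        // accepts exactly the same strings but has no nested quantifier:
        // (a+)+k and a+k both mean "one or more a, then k".
        Time("(a+)+k             nested", shortRun, "(a+)+k");
        Time("a+k                flat",   shortRun, "a+k");
        Time("([a-zA-Z0-9]+)+#   nested", shortRun, "([a-zA-Z0-9]+)+#");
        Time("[a-zA-Z0-9]+#      flat",   shortRun, "[a-zA-Z0-9]+#");

        // The Java example's pattern has the same shape. Where a pattern
        // cannot be simplified safely, RegexOptions.NonBacktracking (.NET 7+)
        // makes matching linear in the input length; the trade-off is that
        // backreferences and lookarounds are not supported in that mode.
        string cascading = "^(([a-z])+.)+[A-Z]([a-z])+$";
        Time("cascading  backtracking",     longRun, cascading);
        Time("cascading  NonBacktracking",  longRun, cascading, RegexOptions.NonBacktracking);
    }
}
```

On a backtracking engine the "nested" and "cascading backtracking" rows are expected to hit the timeout and be rejected, while the "flat" and "NonBacktracking" rows return in well under a millisecond. For the Java snippet the same defence has to come from the pattern itself, since java.util.regex offers no match timeout: rewrite the pattern without nested or cascading quantifiers, and bound the input length before matching.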
