ReDoS (Regular Expression Denial of Service)
Last modified: 2023-10-12
ReDoS is an attack that targets regular expressions prone to catastrophic backtracking: when such a regex is evaluated against attacker-controlled input, a short crafted string can make the matcher run for an exponential number of steps and exhaust the CPU.
Evil (Vulnerable) Regex
(a+)+
([a-zA-Z]+)*
(a|aa)+
(a|a?)+
(.*a){x} for x > 10
^(([a-z])+.)+[A-Z]([a-z])+$
(Source: https://regexlib.com/REDetails.aspx?regexp_id=1757&AspxAutoDetectCookieSupport=1)
/^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/
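The patterns above share two shapes: a quantified group that itself contains a quantifier, and a quantified group whose alternatives overlap. The following static check, an added example that is not part of the original page, masks escapes and character classes and then reports any quantified group of either shape, so it can run as a lint step over a code base before a suspect regex ever executes (it is a heuristic and will miss overlaps that are not simple prefixes):

```python
import re

# Unbounded or counted quantifiers. A lone '?' is left out: it cannot repeat,
# so it does not multiply the ways a string can be split between groups.
QUANT = re.compile(r"[*+]|\{\d+,?\d*\}")


def _mask(pattern):
    """Replace escapes and character classes with same-length runs of 'x' so
    the scanner can ignore their contents without losing string offsets."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            out.append("xx")
            i += 2
        elif pattern[i] == "[":
            j = i + 1 + (pattern[i + 1:i + 2] == "^")
            j += pattern[j:j + 1] == "]"          # a leading ']' is a literal
            while j < len(pattern) and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            out.append("x" * (j + 1 - i))
            i = j + 1
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def find_evil_groups(pattern):
    """Return (group_with_quantifier, reason) for every quantified group that is
    likely to backtrack catastrophically on a non-matching input."""
    masked, stack, findings = _mask(pattern), [], []
    for i, c in enumerate(masked):
        if c == "(":
            stack.append(i)
        elif c == ")" and stack:
            start = stack.pop()
            q = QUANT.match(masked, i + 1)        # is this group repeated?
            if not q:
                continue
            body = masked[start + 1:i]
            text = pattern[start:i + 1] + q.group()
            if QUANT.search(body):
                findings.append((text, "quantifier nested inside a quantified group"))
            elif "(" not in body:                 # only analyse flat alternations
                alts = body.split("|")
                if any(b.startswith(a) for k, a in enumerate(alts)
                       for m, b in enumerate(alts) if k != m):
                    findings.append((text, "alternatives overlap (one is a prefix of another)"))
    return findings
```

Running `find_evil_groups` over each pattern in the list above flags exactly the problematic group in every one of them, while a flat pattern such as `^[a-z]+@[a-z]+\.[a-z]{2,3}$` yields no findings.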
Malicious Input
If a target website validates user input with one of the vulnerable regexes above, a string that almost matches but fails on its final character forces the engine to try every way of splitting the repeated groups; the following input is enough to exhaust the server's CPU (the denial of service in the name):
aaaaaaaaaaaaaaaaaaaaaaaa!