Regular Expression Denial of Service

2009.09.23

Credit: Alex Roichman

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-3275 | CVE-2009-3276 | CVE-2009-3277

CWE: CWE-134

Checkmarx Research Lab presents a new attack vector on Web applications. By
exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
attacker can make a Web application unavailable to its intended users. ReDoS
is commonly known as a ?bug? in systems, but Alex Roichman and Adar Weidman
from Checkmarx show how serious it is and how using this technique, various
applications can be ?ReDoSed?. These include, among others, Server-side of
Web applications and Client-side Browsers. The art of attacking the Web by
ReDoS is by finding inputs which cannot be matched by Regexes and on these
Regexes a Regex-based Web systems get stuck.
For further reading:
http://www.checkmarx.com/NewsDetails.aspx?id=23&cat=3
AlexRoichman
Chief Architect, Checkmarx Ltd.
Mobile: +972 547745198 Fax: +972-3-6870794 Website: www.Checkmarx.com

References:

http://www.securityfocus.com/archive/1/archive/1/506419/100/0/threaded

http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Regular Expression Denial of Service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.