Developers who have novice injection/security knowledge
Link area (below video)
Prerequisites
Injection Fundamentals Playlist
At the end of this experience, you’ll be able to
Evaluate the programming language’s execution context for Regular Expression Denial Of Service (ReDoS) vulnerabilities
Inject a docker container to witness ReDoS
Leverage the “Three Questions” approach to spot major injection issues
Understand how injection mitigations (i.e., whitelisting) can actually create vulnerabilities
Ready? Come join me!
Injection Discovery
When reviewing code, you can spot major injection risks by
Linear Approach
“Three Questions” Approach
Injection Discovery (Linear Approach)
List execution contexts for a given piece of code
For each execution context in the list, find syntactic and semantic injection risks
Injection Discovery (Three Questions Approach)
Are there any injection risks that…
Would allow remote code execution (RCE)?
Ex: Syntactic injection within the shell context
Would allow sensitive data disclosure?
Ex: Semantic injection within the curl context (SSRF)
Would allow my mitigations to be used against me?
Usually found within the programming language’s execution context (Ex: Javascript Context)
New code example
Mitigation transition
ReDoS Ex. (Assignment Prep)
```javascript
var userDefinedEmail = 'AAAAAAAAAAAAAAAAAA';
var whitelistRegex = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;
console.time('Email Regex Took');
var isValid = whitelistRegex.test(userDefinedEmail);
console.timeEnd('Email Regex Took');
// If isValid is false, halt execution of input
```
Intent of code
Mitigate injection risks by whitelisting accepted characters
Assignment scenario
Assume that whitelistRegex doesn’t accept any “malicious” characters from userDefinedEmail
How else can userDefinedEmail be exploited?
Hints
What other string property should be validated?
Denial of Service (DoS) takes place when input is too ______?
ReDoS Ex. (Assignment Prep CONT.)
Answers
Denial Of Service (DoS) takes place when input is too large
whitelistRegex is vulnerable to Regular Expression Denial Of Service (ReDoS)
Learn ReDoS by example
ReDoS Ex. (Javascript Context Assignment)
```javascript
// Warning: Be very careful while doing this assignment, it can stall your computer!
// Assignment 1: Set `userDefinedEmail` to `A` and note the time. Then, repeat with 3
// `A`s. What pattern do you notice with the time?
// Assignment 2: Set `userDefinedEmail` to 18 `A`s and note the time. Then, repeat with 20
// `A`s. What pattern do you notice with the time?
// Assignment 3: Approximately how many characters should we allow in `userDefinedEmail`?
// --------------------------------------------------------------------------------------
var userDefinedEmail = 'AAAAAAAAAAAAAAAAAA';
var whitelistRegex = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;
console.time('Email Regex Took');
var isValid = whitelistRegex.test(userDefinedEmail);
console.timeEnd('Email Regex Took');
// If isValid is false, halt execution of input
// Run: "EX_NUM=1 docker-compose up"
// File: "ep11-injection-fundamentals-part-3/src/1/app.js"
```
ReDoS Ex. (Javascript Context Answers)
Assignment 1
It decreases
Assignment 2
As a percentage increase, the processing time drastically increases
Assignment 3
We should approximately allow 18 characters (at a minimum)
CPU dependent
The preferable solution is to restrict the email length to a sane number AND leverage an input validation library (i.e. validate.js)
More to come in the injection mitigation tutorials
Course Takeaways
ReDoS (Regular Expression Denial Of Service) is a key risk within the programming language’s execution context (E.g., Javascript Execution Context)