Skip to content

Commit

Permalink
Regular Expression ReDoS
Browse files Browse the repository at this point in the history
  • Loading branch information
swisskyrepo committed Apr 25, 2024
1 parent 43a8c6a commit 53d9014
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 0 deletions.
1 change: 1 addition & 0 deletions API Key Leaks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ Use : https://github.com/ozguralp/gmapsapiscanner/
Impact:
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
Expand Down
36 changes: 36 additions & 0 deletions Regular Expression/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Regular Expression

> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash.

## Denial of Service - ReDoS

* [tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector) - A CLI and library which tests with certainty if a regex pattern is safe from ReDoS attacks. Supported in the browser, Node and Deno.
* [doyensec/regexploit](https://github.com/doyensec/regexploit) - Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
* [devina.io/redos-checker](https://devina.io/redos-checker) - Examine regular expressions for potential Denial of Service vulnerabilities


### Evil Regex

Evil Regex contains:

* Grouping with repetition
* Inside the repeated group:
* Repetition
* Alternation with overlapping

**Examples**

* `(a+)+`
* `([a-zA-Z]+)*`
* `(a|aa)+`
* `(a|a?)+`
* `(.*a){x}` for x \> 10

These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`


## References

* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)

0 comments on commit 53d9014

Please sign in to comment.