
Pentest Chronicles

The Silent Threat of ReDoS: 2023 Real-Life Pentest Case

MATEUSZ LEWCZAK

August 28, 2023

Regular Expression Denial of Service (ReDoS) is a type of vulnerability that arises when an attacker submits a specially crafted input to an application that utilizes regular expressions to validate or process user input.


The attacker's input is crafted to drive a slow or inefficient regex pattern into its worst case, causing the application to consume excessive resources such as CPU time or memory. This can result in denial of service (DoS) or system slowdowns. ReDoS attacks are especially concerning because they are easy to launch and can inflict considerable financial harm on the affected organization: the vulnerability can disrupt vital business operations or lead to extended downtime, culminating in lost revenue and productivity.

During a pentest on a real application, I encountered this specific bug. In the examined feature, I could control both the Regex pattern and the content being searched. The HTTP request carrying both parameters was as follows:


Once the application verified the provided content against the patterns, it forwarded the data for additional processing:


However, if the match was unsuccessful, we would receive an error:


There are several vulnerable patterns that can lead to Denial of Service. However, I employed a straightforward yet highly effective one.


In this pattern, the group "(B|C+)" matches either "B" or a run of one or more "C" characters. The outer quantifier "+" repeats the whole group, so the inner "C+" quantifier is nested inside another quantifier. Such nesting causes an exponential rise in the number of candidate matches the regex engine has to assess: every run of "C" characters can be split between the inner and outer quantifiers in many different ways. Consequently, when the input contains a long run of "C" characters and the overall match cannot succeed, the regex engine falls into catastrophic backtracking, trying every combination of "B" and "C" assignments before giving up. This excessive evaluation exhausts CPU time, leading to a DoS or system slowdown.

Understanding this, the next step was to transmit an HTTP request to initiate the attack:


In this case the application would then search for the given pattern in a default field, and the server's response time grew with each additional "C" character in the pattern. The Intruder tool in Burp Suite, with the payload type set to Character blocks, offers a visual representation of this phenomenon. Notably, after about fourteen "C" characters, the application's response time begins to surge significantly. By the twenty-sixth "C", the application becomes unresponsive:


Today, when many applications are hosted in the cloud, frequently using Function as a Service (e.g. AWS Lambda), every millisecond of function execution time is billed. This poses a very high financial risk to the application owner and may even eventually lead to access to the application being blocked.

The vulnerable code that implements the described function could look like the following:


In that implementation, the function reads each parameter individually, compiles every pattern, and uses the findall function to locate all occurrences of each pattern in the designated default parameter.

When facing issues like ReDoS, companies may want to change the parts of their system that attackers might misuse. However, rewriting everything is not always the best choice, or even an option. A good solution is to add a timeout: any matching task that takes too long is stopped. Also, by breaking a big matching task down into smaller parts, each with its own budget, it becomes much easier to find and fix problems related to a specific RegEx pattern.
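The following Python is an added example, not code from the article or from the application that was tested. It reconstructs the per-pattern findall() behaviour the article describes (every caller-supplied pattern compiled and run against a default field with no limit), rebuilds the "(B|C+)+" pattern from the description above, and places next to it a hardened variant that applies the article's advice: a timeout per matching task, with the big job split into one budgeted task per pattern so the offending pattern is reported by name. The default field, the size caps, and all function names are assumptions made for the example.

```python
import multiprocessing as mp
import re

# Constructed stand-in for the application's "default field" that patterns are
# run against. It contains a long run of "C" characters, the input shape the
# article describes as triggering the slowdown.
DEFAULT_FIELD = "order BCC BC " + "C" * 40 + " end"

# Pattern reconstructed from the article's description: the group (B|C+)
# repeated by an outer "+". The "$" anchor forces the overall match to fail on
# the trailing " end", so the engine backtracks through every way of splitting
# the run of "C"s between the inner and outer quantifiers.
EVIL_PATTERN = r"(B|C+)+$"

# Assumed limits (not from the article): hard caps on what a caller may submit.
MAX_PATTERN_LEN = 64
MAX_CONTENT_LEN = 10_000


def search_unbounded(patterns, content=DEFAULT_FIELD):
    """Reconstruction of the vulnerable behaviour: every caller-supplied
    pattern is compiled and run with findall() against the default field,
    with no time limit. Never call this with EVIL_PATTERN."""
    return {p: re.compile(p).findall(content) for p in patterns}


def _worker(pattern, content, conn):
    """Runs in a child process so that a runaway match can be killed from
    outside. A thread or signal.alarm() would not do: CPython's regex engine
    does not check for pending signals while it is backtracking."""
    try:
        conn.send(("ok", re.findall(pattern, content)))
    except re.error as exc:
        conn.send(("error", str(exc)))
    finally:
        conn.close()


def search_with_timeout(pattern, content=DEFAULT_FIELD, timeout_s=1.0):
    """Hardened variant: size caps plus a wall-clock budget enforced by
    terminating the worker process. Raises TimeoutError when exceeded."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    if len(content) > MAX_CONTENT_LEN:
        raise ValueError("content too long")

    ctx = mp.get_context("fork")  # fork: nothing needs to be pickled
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(pattern, content, child_conn))
    proc.start()
    child_conn.close()  # the parent keeps only the read end
    try:
        if parent_conn.poll(timeout_s):
            status, payload = parent_conn.recv()
            proc.join()
            if status == "error":
                raise ValueError(f"invalid pattern: {payload}")
            return payload
        proc.terminate()  # SIGTERM stops the match immediately
        proc.join()
        raise TimeoutError(f"regex exceeded {timeout_s}s budget: {pattern!r}")
    finally:
        parent_conn.close()


def search_many(patterns, content=DEFAULT_FIELD, timeout_s=1.0):
    """The big task split into smaller ones: each pattern gets its own budget,
    so one slow pattern cannot starve the rest and is reported by name."""
    results, rejected = {}, {}
    for p in patterns:
        try:
            results[p] = search_with_timeout(p, content, timeout_s)
        except (TimeoutError, ValueError) as exc:
            rejected[p] = str(exc)
    return results, rejected


def demo():
    """Returns (matches for a benign pattern, whether the evil pattern was
    cut off by the budget)."""
    benign = search_with_timeout(r"BC+")
    try:
        search_with_timeout(EVIL_PATTERN, timeout_s=0.5)
        cut_off = False
    except TimeoutError:
        cut_off = True
    return benign, cut_off


if __name__ == "__main__":
    print(demo())
    print(search_many([r"BC+", EVIL_PATTERN], timeout_s=0.5))
```

The worker is a separate process rather than a thread because CPython's `re` engine does not yield the GIL or poll for signals while backtracking, so a thread-based or alarm-based timeout would only fire after the catastrophic match has already finished. Terminating the child is the only reliable way to cut the work short; the parent's request handler stays responsive and the per-pattern split in `search_many` tells you exactly which submitted pattern blew the budget.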

In our modern digital world, it is vital for businesses to take cybersecurity seriously. Make sure your company is prepared for these kinds of attacks, and keep your online data, your reputation, and your profits safe.

#CyberSecurity #PenetrationTesting #Vulnerability #WebSecurity #PentestChronicles

© 2023 Securitum. All rights reserved.