Last year on one of the dutch OWASP chapters Adar Weidman gave a very interesting presentation about reDOS.
The principle behind a reDOS is feeding a regex input that will cause it to spawn a huge number of treads eventually exhausting all resources on the system. Take a look at the OWASP page for more information.
Ever since the presentation I was intrigued by the vulnerability, but did not really see much of it in the field (or I didn't search hard enough).
I mostly forgot about it until I read this post a few months ago. Apparently these things are more widespread than I suspected...
For those interested in regexes, lacking knowledge, and wanting to play with them:
http://xenon.stanford.edu/~xusch/regexp/analyzer.html
http://www.regular-expressions.info/
No comments:
Post a Comment