You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
.NET appears to display regular expressions used on the server-side in the HTML for user-friendly client-side validation.
We can leverage this to help the tester identify Regular Expression Denial of Service vulnerabilities (ReDoS) by simply looking at the HTML and organise the matches via the usual "unique as text, unique as html and all as html".
.NET appears to display regular expressions used on the server-side in the HTML for user-friendly client-side validation.
We can leverage this to help the tester identify Regular Expression Denial of Service vulnerabilities (ReDoS) by simply looking at the HTML and organise the matches via the usual "unique as text, unique as html and all as html".
Something similar to:
https://github.com/7a/owtf/blob/master/plugins/web/grep/Application_Configuration_Management%40OWASP-CM-004.py
Where regular expressions (yeah, we should review those XD) are defined here:
https://github.com/7a/owtf/blob/master/framework/config/framework_config.cfg
I think the pattern to look for is ".validationexpression" based examples from:
http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
http://www.abemiester.com/AbeMiester/post/RegEx-DOS-attack-Regular-Expressions-Now-you-have-3-problems.aspx
Examples of bad regexes (external plugin?):
https://github.com/EnDe/ReDoS/blob/master/ReDoS.txt
More background:
https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
http://en.wikipedia.org/wiki/ReDoS
http://www.slideshare.net/source-code-analysis/redos-regular-expression-denial-of-service-attacks
http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf
Interesting: Ruby also seems affected but not PHP
http://www.mail-archive.com/[email protected]/msg00683.html
The text was updated successfully, but these errors were encountered: