mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-22 12:26:17 +00:00
Regular Expression ReDoS
This commit is contained in:
parent 43a8c6a037
commit 53d9014b2b
@ -75,6 +75,7 @@ Use : https://github.com/ozguralp/gmapsapiscanner/
Impact:
* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account
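Review bot: the hunk header says one line was added (-75,6 +75,7), but in this rendered split view every content line ("Impact:" and the two bullets) appears identically on both sides, so the added line is not visible; if it is only a trailing blank line after the second bullet that is fine, otherwise the new-side column should show it. While touching this list, the two bullets would read more consistently with the same verb form ("Consume the company's monthly quota or over-bill ..." next to "Conduct a denial of service attack ..."), and "if any limitation of maximum bill control settings exist" reads as if the attack needs a limit to exist; "if billing caps are configured" says what is meant.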
36 Regular Expression/README.md Normal file
@ -0,0 +1,36 @@
# Regular Expression
> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash.
## Denial of Service - ReDoS
* [tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector) - A CLI and library which tests with certainty if a regex pattern is safe from ReDoS attacks. Supported in the browser, Node and Deno.
* [doyensec/regexploit](https://github.com/doyensec/regexploit) - Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
* [devina.io/redos-checker](https://devina.io/redos-checker) - Examine regular expressions for potential Denial of Service vulnerabilities
### Evil Regex
Evil Regex contains:
* Grouping with repetition
* Inside the repeated group:
* Repetition
* Alternation with overlapping
**Examples**
* `(a+)+`
* `([a-zA-Z]+)*`
* `(a|aa)+`
* `(a|a?)+`
* `(.*a){x}` for x \> 10
These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
## References
* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
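Review bot: in the "Evil Regex contains" list, "Repetition" and "Alternation with overlapping" are the sub-items of "Inside the repeated group:" and need to be indented under it; as rendered they sit at the same level as "Grouping with repetition", which reads as four independent properties instead of the intended nesting. The closing sentence also needs qualifying: `aaaaaaaaaaaaaaaaaaaaaaaa!` forces a failed match (the trailing `!`) and therefore heavy backtracking for the first four patterns, but for `(.*a){x}` with x > 10 an input of 24 a's contains enough a's for the match to succeed, so the pattern-specific input (fewer than x a's) should be stated. A short reason per example (for instance, `(a|aa)+` is ambiguous because both alternatives match `a`) and a pointer to the mitigations the OWASP reference covers (bounding input length, avoiding nested quantifiers, using a linear-time engine) would make the page useful to defenders, not only to testers.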