Re: Regular Expression Denial of Service

2009-09-28 Thread hackerwebzine
Alex, it isn't a new technique in web-application security. If you queried Google, or did some research on recent (2007) Blackhat talks, you would probably have noticed that this is a very well known and understood technique. Even Charles Miller talked about it (on the OSX Safari exploits). So the claim

Re: Regular Expression Denial of Service

2009-09-14 Thread Pavel Kankovsky
On Thu, 10 Sep 2009, Alex Roichman wrote: The art of attacking the Web by ReDoS is by finding inputs which cannot be matched by Regexes and on these Regexes Regex-based Web systems get stuck. It is a shame your presentation assumes a primitive NFA implementation and does not take

Re: Regular Expression Denial of Service

2009-09-14 Thread Pavel Kankovsky
Oops. PCRE in my response should have read Perl. PCRE implementation is different from the implementation included in Perl--and rather ironically it seems PCRE is vulnerable. -- Pavel Kankovsky aka Peak / Jeremiah 9:21\ For death is come up into our MS

Re: Re[2]: Regular Expression Denial of Service

2009-09-14 Thread Jeffrey Walton
Hi Thierry, With all due respect - this is known to be a vulnerability class since over a century. The referenced web page is titled, ReDoS (Regular Expression Denial of Service) Revisited. The authors cite work as early as 2003 in their paper. Can we please stop the attitude of inventing

Regular Expression Denial of Service

2009-09-11 Thread Alex Roichman
Checkmarx Research Lab presents a new attack vector on Web applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can make a Web application unavailable to its intended users. ReDoS is commonly known as a “bug” in systems, but Alex Roichman and Adar

Re: Regular Expression Denial of Service

2009-09-11 Thread Gadi Evron
Alex Roichman wrote: Checkmarx Research Lab presents a new attack vector on Web applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can make a Web application unavailable to its intended users. ReDoS is commonly known as a “bug” in systems

Re[2]: Regular Expression Denial of Service

2009-09-11 Thread Thierry Zoller
something new and funky. It's the impact of something that makes it a vulnerability, not the name. GE Alex Roichman wrote: Checkmarx Research Lab presents a new attack vector on Web applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can

Re: Regular Expression Denial of Service

2009-09-11 Thread Gadi Evron
that while you are factually correct, you misread their post. They shared their research with us. Gadi. GE Alex Roichman wrote: Checkmarx Research Lab presents a new attack vector on Web applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability