Sébastien,

    You're on fire man, thanks for the new contribution =)
    Please read inline,

2009/10/19 Sébastien Duquette <ekse...@gmail.com>:
> Hi,
>
> I started playing a bit with w3af and I wanted to implement a plugin.
> I chose the ReDoS (Regular Expression Denial of Service) attack that
> was presented recently at OWASP (details can be found here
> http://www.checkmarx.com/NewsDetails.aspx?id=23). Basically, ReDoS can
> be found when some regular expressions take an exponential time to
> check some patterns. It will thus take twice the time to check a
> pattern each time you add a character to a specific part of the
> pattern.
>
> For example :
>
> If aaaaaaaa! takes 2 seconds to check, then aaaaaaaaA! (one more
> character) will take 2 seconds and so on.

    First time I heard about this, I can't believe I missed it. I just
performed some tests in python by following the slides, and this is
what I found:

- re.match('^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$','aaaaaaa!')
- re.match('^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$','aaaaaaaaaaaaaaa!')

    Runs "instantly"

- re.match('^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$','aaaaaaaaaaaaaaaaaaaaaaa!')

    Runs in ~4 seconds.

- re.match('^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$','aaaaaaaaaaaaaaaaaaaaaaaaa!')

    Runs in ~12 seconds.

I suffered from this in the past. w3af had some regular expressions
that took A LOT OF TIME to run when specially crafted HTML was being
parsed. At this moment, I think that I've filtered most of these
regular expressions.

> I tried to find an elegant way to implement this. I looked at the
> osCommanding plugin because it has a test on time delay.  In this
> plugin, the time delay is changed between the runs with a simple
> regular expression. I did something somewhat similar, I double some
> characters from the original pattern in the next request (X and 9).
>
> So, a...@a.aaaaaaaaaaaaaaaaaaaaaax! will be changed to
> a...@a.aaaaaaaaaaaaaaaaaaaaaaxx!.
>
> I then check if the response time of the second request is longer than
> 1.5 times the original one.

Nice, I like the plugin and the implementation method. Here are some
minor comments on the plugin source:

- Since there is only one way of auditing this using black-box: time
delays, I simply removed the "_with_time_delay" method and put
everything inside "audit".

- Removed some debug "print"s

- Added a reference to the redos slides in the plugin long description

Could you please send me a vulnerable PHP script, so I can add it to
my test scripts?

> The plugin works in its current form on a test installation. I know
> there is a lot of room for improvement. I want to add more patterns
> and also adjust the length of the patterns. I would greatly appreciate
> feedback.

I think that the length of the strings is ok (at least they add some
delay on my laptop + python regex). The plugin was perfect, I changed
only minor things, and now I just committed it to the trunk:

http://w3af.svn.sourceforge.net/w3af/?rev=3098&view=rev

If you have enhancements for the plugin, please let me know =)

Cheers,

> Thanks,
>
> Sébastien Duquette
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
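The growth check the plugin makes (time a longer input and compare it against the previous one), run locally against the pattern timed above so the same heuristic can be applied to regexes in your own code before they ship. This is an added example, not code from the thread or from w3af; `is_catastrophic`, `build_input` and the thresholds (20 ms noise floor, 1.5x ratio, 1 s budget) are assumptions.

```python
import re
import time

# The pattern timed in the message above, as a raw string (same regex).
NAME_PATTERN = r"^[a-zA-Z]+(([',.\- ][a-zA-Z ])?[a-zA-Z]*)*$"


def build_input(n):
    """n letters followed by '!', the shape used in the thread: the '!'
    makes the match fail, which is what forces the engine to backtrack."""
    return "a" * n + "!"


def time_match(compiled, text):
    """Seconds spent in a single match() call."""
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


def is_catastrophic(pattern, start=8, stop=40, step=2,
                    floor=0.02, ratio=1.5, budget=1.0):
    """Lengthen the input by `step` characters at a time and compare each
    timing with the previous one, the same comparison the plugin makes
    between its two requests. A linear pattern never gets slower than
    `floor`, so timer noise on microsecond matches is never compared;
    an exponential one crosses `floor` and then grows by far more than
    `ratio` per step. Returns (flagged, length, previous_s, current_s)."""
    compiled = re.compile(pattern)
    prev = cur = None
    n = start
    for n in range(start, stop + 1, step):
        cur = time_match(compiled, build_input(n))
        if prev is not None and prev >= floor and cur >= ratio * prev:
            return True, n, prev, cur
        if cur > budget:            # give up before the next step explodes
            break
        prev = cur
    return False, n, prev, cur


if __name__ == "__main__":
    for name, pat in (("name pattern", NAME_PATTERN), ("plain", r"^[a-zA-Z]+$")):
        flagged, n, prev, cur = is_catastrophic(pat)
        print(f"{name}: flagged={flagged} at length {n} ({prev} -> {cur})")
```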
