English

Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)

Cryptography and Security 2017-01-17 v1 Formal Languages and Automata Theory Programming Languages Software Engineering

Abstract

In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an "evil" input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called REXPLOITER and found 41 exploitable security vulnerabilities in Java web applications.

Keywords

Cite

@article{arxiv.1701.04045,
  title  = {Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)},
  author = {Valentin Wüstholz and Oswaldo Olivo and Marijn J. H. Heule and Isil Dillig},
  journal= {arXiv preprint arXiv:1701.04045},
  year   = {2017}
}
R2 v1 2026-06-22T17:50:32.847Z