Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)
Abstract
In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an "evil" input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called REXPLOITER and found 41 exploitable security vulnerabilities in Java web applications.
Cite
@article{arxiv.1701.04045,
title = {Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)},
author = {Valentin Wüstholz and Oswaldo Olivo and Marijn J. H. Heule and Isil Dillig},
journal= {arXiv preprint arXiv:1701.04045},
year = {2017}
}