Re: Re[2]: Regular Expression Denial of Service

[Jeffrey Walton <noloader () gmail com>]

Hi Thierry,

> With all due respect - this is known to be a vulnerability
> class since over  a  century.
The referenced web page is titled, "ReDoS (Regular Expression Denial
of Service) Revisited". The authors cite work as early as 2003 in
their paper.

> Can we please stop the  attitude of inventing
> acronyms for vulnerabilites, ...
Having a bad day?

> It's  the  impact  of  something  that makes it a vulnerability
> no the name.
In my humble opinion, the novelty is that Checkermax, a firm which
specializes in source code analysis, may be staging a tool to help
solve or alleviate the problem. At minimum, the firm has added to the
body of knowledge.

If you've ever had the pleasure of working behind someone who thinks
K&R terseness is cool, you will welcome any and all tools to perform
static and dynamic analysis. These folks live in a fantasy world where
function calls do not fail and bad guys do not exist.

Jeff

On Fri, Sep 11, 2009 at 1:06 PM, Thierry Zoller <Thierry () zoller lu> wrote:
> Hi ,
>
> With all due respect - this is known to be a vulnerability class since
> over  a  century.  Just  because  it  doesn't  have a acronym à la XSS
> doesn't mean it's not known to be a vulnerability. Can we please stop
> the  attitude of inventing acronyms for vulnerabilites, making it look
> like it's something new and funky.
>
> It's  the  impact  of  something  that makes it a vulnerability no the
> name.
>
>
> GE> Alex Roichman wrote:
> > > Checkmarx Research Lab presents a new attack vector on Web applications. By
> > > exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
> > > attacker can make a Web application unavailable to its intended users. ReDoS
> > > is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
> > > from Checkmarx show how serious it is and how using this technique, various
> > > applications can be “ReDoSed”. These include, among others, Server-side of
> > > Web applications and Client-side Browsers. The art of attacking the Web by
> > > ReDoS is by finding inputs which cannot be matched by Regexes and on these
> > > Regexes a Regex-based Web systems get stuck.
> > >
> > > For further reading:
> > > http://www.checkmarx.com/NewsDetails.aspx?id=23&cat=3
>
> GE> Alex, nice work. Thank you for sharing it with us.
>
> GE> I'd recommend taking a look at Ilja van Sprundel's work with regular
> GE> expression bugs in his Unusual bugs presentation.
> GE> ... Where he played a bit with Google Code Search back in 2007, I think.
> GE> He helped Google out by giving them his research, of course.
>
> GE> I found two versions online:
> GE> http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
> GE> http://www.slideshare.net/amiable_indian/unusual-bugs
>
> GE> Ilja and I later discussed creating a real regex fuzzer to discover
> GE> vulnerabilities, but I at least never had the time to play with it. He
> GE> might have, I am CC:ing him.
>
> GE> My best to Adar,
>
> GE> Gadi Evron,
> GE> http://www.gadievron.com/
>
>
>
> --
> http://blog.zoller.lu
> Thierry Zoller