Bugtraq mailing list archives
Re: Re[2]: Regular Expression Denial of Service
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 11 Sep 2009 17:35:56 -0400
Hi Thierry,
> With all due respect - this is known to be a vulnerability class for over a century.
The referenced web page is titled, "ReDoS (Regular Expression Denial of Service) Revisited". The authors cite work as early as 2003 in their paper.
> Can we please stop the attitude of inventing acronyms for vulnerabilities, ...
Having a bad day?
> It's the impact of something that makes it a vulnerability, not the name.
In my humble opinion, the novelty is that Checkmarx, a firm which specializes in source code analysis, may be staging a tool to help solve or alleviate the problem. At minimum, the firm has added to the body of knowledge. If you've ever had the pleasure of working behind someone who thinks K&R terseness is cool, you will welcome any and all tools to perform static and dynamic analysis. These folks live in a fantasy world where function calls do not fail and bad guys do not exist.

Jeff

On Fri, Sep 11, 2009 at 1:06 PM, Thierry Zoller <Thierry () zoller lu> wrote:
> Hi,
> With all due respect - this is known to be a vulnerability class for over a century. Just because it doesn't have an acronym à la XSS doesn't mean it's not known to be a vulnerability.
> Can we please stop the attitude of inventing acronyms for vulnerabilities, making it look like it's something new and funky. It's the impact of something that makes it a vulnerability, not the name.
>
> GE> Alex Roichman wrote:
> GE> > Checkmarx Research Lab presents a new attack vector on Web applications. By exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an attacker can make a Web application unavailable to its intended users. ReDoS is commonly known as a "bug" in systems, but Alex Roichman and Adar Weidman from Checkmarx show how serious it is and how, using this technique, various applications can be "ReDoSed". These include, among others, the server side of Web applications and client-side browsers. The art of attacking the Web by ReDoS is by finding inputs which cannot be matched by Regexes, and on these Regexes Regex-based Web systems get stuck.
> GE> > For further reading: http://www.checkmarx.com/NewsDetails.aspx?id=23&cat=3
> GE>
> GE> Alex, nice work. Thank you for sharing it with us.
> GE> I'd recommend taking a look at Ilja van Sprundel's work with regular expression bugs in his Unusual bugs presentation.
> GE> ... Where he played a bit with Google Code Search back in 2007, I think. He helped Google out by giving them his research, of course.
> GE> I found two versions online:
> GE> http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
> GE> http://www.slideshare.net/amiable_indian/unusual-bugs
> GE> Ilja and I later discussed creating a real regex fuzzer to discover vulnerabilities, but I at least never had the time to play with it. He might have, I am CC:ing him.
> GE> My best to Adar,
> GE> Gadi Evron,
> GE> http://www.gadievron.com/
>
> --
> http://blog.zoller.lu
> Thierry Zoller
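The "gets stuck" behaviour Alex describes is catastrophic backtracking, shown here as an added example that is not part of the thread or of Checkmarx's work: a nested-quantifier pattern is timed against constructed near-miss inputs next to an equivalent unambiguous pattern, with an input-length bound as a pattern-independent mitigation. The patterns, the inputs and the `MAX_INPUT_LEN` value are all assumptions made for the demonstration.

```python
import re
import time

# Nested quantifiers: '(a+)+' lets the engine split a run of 'a's between
# the inner and outer repeat in exponentially many ways. The trailing '$'
# forces every split to be tried before a non-match is reported, so an
# input that almost matches is the worst case.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language (one or more 'a'), but each character can be consumed in
# only one way, so a failed match is reported in linear time.
HARDENED = re.compile(r"^a+$")

# Pattern-independent defence: bound the input before the engine sees it.
# The limit is an arbitrary, constructed value for this example.
MAX_INPUT_LEN = 64


def almost_match(n):
    """Constructed near-miss input: n 'a's and a final char that makes the
    overall match fail only after every split has been tried."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match on text."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def hardened_match(text):
    """Reject oversized input up front, then use the unambiguous pattern."""
    if len(text) > MAX_INPUT_LEN:
        return False
    return HARDENED.match(text) is not None


def backtracking_growth(n_values):
    """Time the vulnerable pattern per input length; the (n, seconds)
    pairs roughly double per extra 'a', which is the ReDoS signature."""
    return [(n, timed_match(VULNERABLE, almost_match(n))[1]) for n in n_values]


if __name__ == "__main__":
    for n, secs in backtracking_growth(range(12, 21, 2)):
        print(f"vulnerable n={n:2d}: {secs:.4f}s")
    for n in (12, 20):
        print(f"hardened   n={n:2d}: {timed_match(HARDENED, almost_match(n))[1]:.6f}s")
```

Running the module prints the per-length timings; the doubling of the vulnerable column against the flat hardened column is what a reviewer should look for when vetting patterns applied to untrusted input.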
Current thread:
- Regular Expression Denial of Service Alex Roichman (Sep 11)
- Re: Regular Expression Denial of Service Gadi Evron (Sep 11)
- Re[2]: Regular Expression Denial of Service Thierry Zoller (Sep 11)
- Re: Regular Expression Denial of Service Gadi Evron (Sep 11)
- Re: Re[2]: Regular Expression Denial of Service Jeffrey Walton (Sep 14)
- Re[2]: Regular Expression Denial of Service Thierry Zoller (Sep 11)
- Re: Regular Expression Denial of Service Pavel Kankovsky (Sep 14)
- Re: Regular Expression Denial of Service Pavel Kankovsky (Sep 14)
- <Possible follow-ups>
- Re: Regular Expression Denial of Service hackerwebzine (Sep 28)
- Re: Regular Expression Denial of Service Gadi Evron (Sep 11)