Regular Expression Denial of Service

What is Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service occurs when an attacker can control either the regular expression or the data it is matched against, and uses that control to make matching so slow that system availability suffers.

When can ReDoS affect my application

ReDoS affects applications that parse data with regular expressions, and it is most common in regular expressions that use back references.

How do I know if/where my application has a ReDoS vulnerability

Contrast Assess can detect ReDoS vulnerabilities at test time.

How do I fix ReDoS

Developers should not permit remote users to control the regular expression itself. The regular expression should be supplied by the developer, who can then improve it as needed.

How do people attack ReDoS flaws

When attackers can control a regular expression, they can submit a regex and data that will consume 100% CPU and block all other operations. The following regular expression attempts to validate an email address, but on crafted input it locks the system up completely.

/("[^"]*"|[^@])*@[^@]*/
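Added example (not from the original page): it times the regex above against growing runs of double quotes to show the super-linear backtracking, and shows the developer-owned, length-bounded replacement the fix section calls for. The constants and function names (VULNERABLE_EMAIL, SAFE_EMAIL, measure, isEmailSafe) and the simplified email syntax are assumptions of this example.

```javascript
// The page's vulnerable pattern. Inside the repeated group a '"' can be
// consumed either as the start of "..." or as a plain [^@] character, so a
// run of n quotes can be split in roughly 1.6^n ways before the mandatory
// '@' fails to match; a backtracking engine tries every one of them.
const VULNERABLE_EMAIL = /("[^"]*"|[^@])*@[^@]*/;

// Constructed worst-case input: n double quotes and no '@' at all.
function attackInput(n) {
  return '"'.repeat(n);
}

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Time one match attempt; returns whether it matched and elapsed milliseconds.
function measure(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Deliberately small sizes so this finishes in milliseconds while still
// showing that every +4 characters multiplies the time (about 1.6^4 ~ 7x).
function demo(sizes = [12, 16, 20, 24]) {
  return sizes.map((n) => ({ n, ...measure(VULNERABLE_EMAIL, attackInput(n)) }));
}

// Mitigation in the page's spirit: the developer owns the regex, writes it
// without overlapping alternatives (each character can be consumed in only
// one way), anchors it, and caps input length so no single request can hold
// the matcher for long. Assumption: this simplified syntax (no quoted local
// parts) is acceptable for the application.
const SAFE_EMAIL = /^[^@\s"]+@[^@\s"]+$/;
const MAX_EMAIL_LEN = 254; // RFC 5321 overall address length limit

function isEmailSafe(str) {
  if (typeof str !== 'string' || str.length > MAX_EMAIL_LEN) return false;
  return SAFE_EMAIL.test(str);
}

for (const r of demo()) {
  console.log(`n=${r.n} matched=${r.matched} ${r.ms.toFixed(2)}ms`);
}
```

Engines with guaranteed linear matching (RE2, Go's regexp) remove the exponential case entirely; where only a backtracking engine is available, the length cap and unambiguous pattern above are the practical defence.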