Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)
Format | Journal Article |
---|---|
Language | English |
Published | 15.01.2017 |
Summary: In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an "evil" input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called REXPLOITER and found 41 exploitable security vulnerabilities in Java web applications.

DOI: 10.48550/arxiv.1701.04045