Injection Fundamentals: What Is ReDoS?
Note: For the exercises, the course directory has changed! It's now https://github.com/SecuringTheStack/tutorials/tree...
Injection Fundamentals: What Is ReDoS
Table Of Contents toc
- Injection Fundamentals: What Is ReDoS
- Intro
- Injection Discovery
- Injection Discovery (Linear Approach)
- Injection Discovery (Three Questions Approach)
- ReDoS Ex. (Assignment Prep)
- ReDoS Ex. (Assignment Prep CONT.)
- ReDoS Ex. (Javascript Context Assignment)
- ReDoS Ex. (Javascript Context Answers)
- Course Takeaways
- Next Steps
- Error Log
- Additional Resources
- Knowledge Dependency Tree
Intro
- Who is this for?
- Developers who have novice injection/security knowledge
- Link area (below video)
- Prerequisites
Injection Fundamentals Playlist
- At the end of this experience, you'll be able to
- Evaluate the programming language's execution context for Regular Expression Denial Of Service (ReDoS) vulnerabilities
- Inject a docker container to witness ReDoS
- Leverage the "Three Questions" approach to spot major injection issues
- Understand how injection mitigations (i.e., whitelisting) can actually create vulnerabilities
- Ready? Come join me!
Injection Discovery
- When reviewing code, you can spot major injection risks by
- Linear Approach
- "Three Questions" Approach
Injection Discovery (Linear Approach)
- List execution contexts for a given piece of code
- For each execution context in the list, find syntactic and semantic injection risks
Injection Discovery (Three Questions Approach)
- Are there any injection risks that…
- Would allow remote code execution (RCE)?
- Ex: Syntactic injection within the shell context
- Would allow sensitive data disclosure?
- Ex: Semantic injection within the curl context (SSRF)
- Would allow my mitigations to be used against me?
- Usually found within the programming language's execution context (Ex: Javascript Context)
- New code example
- Mitigation transition
- Would allow remote code execution (RCE)?
ReDoS Ex. (Assignment Prep)
var userDefinedEmail= 'AAAAAAAAAAAAAAAAAA';
var whitelistRegex = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;
console.time('Email Regex Took');
var isValid = whitelistRegex.test(userDefinedEmail);
console.timeEnd('Email Regex Took');
// If isValid is false, halt execution of input
- Intent of code
- Mitigate injection risks by whitelisting accepted characters
- Assignment scenario
- Assume that
whitelistRegex
doesn't accept any "malicious" characters fromuserDefinedEmail
- How else can
userDefinedEmail
be exploited?- Hints
- What other string property should be validated?
- Denial of Service (DoS) takes place when input is too ____?
- Hints
- Assume that
ReDoS Ex. (Assignment Prep CONT.)
- Answers
- Denial Of Service (DoS) takes place when input is too large
whitelistRegex
is vulnerable to Regular Express Denial Of Service (ReDoS)- Learn ReDoS by example
ReDoS Ex. (Javascript Context Assignment)
// Warning: Be very careful while doing this assignment, it can stall your computer!
// Assignment 1: Set `userDefinedEmail` to `A` and note the time. Then, repeat with 3
// `A`s. What pattern do you notice with the time?
// Assignment 2: Set `userDefinedEmail` to 18 `A`s and note the time. Then, repeat with 20
// `A`s. What pattern do you notice with the time?
// Assignment 3: Approximately how many characters should we allow in `userDefinedEmail`?
// --------------------------------------------------------------------------------------
var userDefinedEmail= 'AAAAAAAAAAAAAAAAAA';
var whitelistRegex = /^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/;
console.time('Email Regex Took');
var isValid = whitelistRegex.test(userDefinedEmail);
console.timeEnd('Email Regex Took');
// If isValid is false, halt execution of input
// Run: "EX_NUM=1 docker-compose up"
// File: "ep11-injection-fundamentals-part-3/src/1/app.js"
ReDoS Ex. (Javascript Context Answers)
- Assignment 1
- It decreases
- Assignment 2
- As a percentage increase, the processing time drastically increases
- Assignment 3
- We should approximately allow 18 characters (at a minimum)
- CPU dependent
- The preferable solution is to restrict the email length to a sane number AND leverage an input validation library (i.e.
validate.js
)- More to come in the injection mitigation tutorials
- We should approximately allow 18 characters (at a minimum)
Course Takeaways
- ReDoS (Regular Expression Denial Of Service) is a key risk within the programming language's execution context (E.g., Javascript Execution Context)
- To mitigate injection, we must
- Validate any inputs through a whitelist
- Look for edge cases within that whitelist
Next Steps
- Additional assignment:
- Read
snyk.io/blog/redos-and-catastrophic-backtracking
- Link within
Additional Resources
- Link within
- Find any custom regexs in a codebase that are vulnerable
- Read
- Review links below video
Additional resources
Error Log
- None so far :)
Additional Resources
- Please submit a PR with any additional resources
Referenced In Tutorial
General
- https://www.owasp.org/download/jmanico/owasp_podcast_56.mp3
- https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
- https://stackoverflow.com/questions/12841970/how-can-i-recognize-an-evil-regex
Javascript
Java
Knowledge Dependency Tree
- Coming soon!