Injection Fundamentals: What Is ReDoS?

Note: For the exercises, the course directory has changed! It's now https://github.com/SecuringTheStack/tutorials/tree...

Injection Fundamentals: What Is ReDoS

Table Of Contents toc

Intro

  • Who is this for?
    • Developers who have novice injection/security knowledge
  • Link area (below video)
    • Prerequisites
    • Injection Fundamentals Playlist
  • At the end of this experience, you'll be able to
    1. Evaluate the programming language's execution context for Regular Expression Denial Of Service (ReDoS) vulnerabilities
    2. Inject a docker container to witness ReDoS
    3. Leverage the "Three Questions" approach to spot major injection issues
    4. Understand how injection mitigations (i.e., whitelisting) can actually create vulnerabilities
  • Ready? Come join me!

Injection Discovery

  • When reviewing code, you can spot major injection risks by
    1. Linear Approach
    2. "Three Questions" Approach

Injection Discovery (Linear Approach)

  1. List execution contexts for a given piece of code
  2. For each execution context in the list, find syntactic and semantic injection risks

Injection Discovery (Three Questions Approach)

  • Are there any injection risks that…
    1. Would allow remote code execution (RCE)?
      • Ex: Syntactic injection within the shell context
    2. Would allow sensitive data disclosure?
      • Ex: Semantic injection within the curl context (SSRF)
    3. Would allow my mitigations to be used against me?
      • Usually found within the programming language's execution context (Ex: Javascript Context)
      • New code example
        • Mitigation transition

ReDoS Ex. (Assignment Prep)

  • Intent of code
    • Mitigate injection risks by whitelisting accepted characters
  • Assignment scenario
    • Assume that whitelistRegex doesn't accept any "malicious" characters from userDefinedEmail
    • How else can userDefinedEmail be exploited?
      • Hints
        1. What other string property should be validated?
        2. Denial of Service (DoS) takes place when input is too ____?

ReDoS Ex. (Assignment Prep CONT.)

  • Answers
    • Denial Of Service (DoS) takes place when input is too large
    • whitelistRegex is vulnerable to Regular Express Denial Of Service (ReDoS)
      • Learn ReDoS by example

ReDoS Ex. (Javascript Context Assignment)

ReDoS Ex. (Javascript Context Answers)

  • Assignment 1
    • It decreases
  • Assignment 2
    • As a percentage increase, the processing time drastically increases
  • Assignment 3
    • We should approximately allow 18 characters (at a minimum)
      • CPU dependent
      • The preferable solution is to restrict the email length to a sane number AND leverage an input validation library (i.e. validate.js)
        • More to come in the injection mitigation tutorials

Course Takeaways

  • ReDoS (Regular Expression Denial Of Service) is a key risk within the programming language's execution context (E.g., Javascript Execution Context)
  • To mitigate injection, we must
    • Validate any inputs through a whitelist
    • Look for edge cases within that whitelist

Next Steps

  • Additional assignment:
    • Read snyk.io/blog/redos-and-catastrophic-backtracking
      • Link within Additional Resources
    • Find any custom regexs in a codebase that are vulnerable
  • Review links below video
    • Additional resources

Error Log

  • None so far :)

Additional Resources

  • Please submit a PR with any additional resources

Referenced In Tutorial

General

Javascript

Java

Knowledge Dependency Tree

  • Coming soon!