Static Detection of DoS Vulnerabilities in Programs that use Regular Expressions (Extended Version)
Valentin Wüstholz, Oswaldo Olivo, Marijn J. H. Heule, Isil Dillig

TL;DR
This paper introduces REXPLOITER, a tool that automatically detects ReDoS vulnerabilities in programs: it first identifies regular expressions whose matching has super-linear worst-case behavior, then statically checks whether an attacker-controlled "evil" input string can reach and be matched against them. Applied to Java web applications, it found 41 exploitable vulnerabilities.
Contribution
The paper presents an automated static analysis, implemented in the REXPLOITER tool, for detecting ReDoS vulnerabilities in programs. Rather than flagging every dangerous-looking regex, it combines two checks: whether a regular expression has worst-case (super-linear) matching behavior, and whether an attacker-supplied input string can actually be matched against that regular expression in the program.
Findings
Identified 41 exploitable vulnerabilities in Java web applications.
Successfully automated detection of vulnerable regular expressions.
Demonstrated effectiveness of REXPLOITER on real-world Java web applications.
Abstract
In an algorithmic complexity attack, a malicious party takes advantage of the worst-case behavior of an algorithm to cause denial-of-service. A prominent algorithmic complexity attack is regular expression denial-of-service (ReDoS), in which the attacker exploits a vulnerable regular expression by providing a carefully-crafted input string that triggers worst-case behavior of the matching algorithm. This paper proposes a technique for automatically finding ReDoS vulnerabilities in programs. Specifically, our approach automatically identifies vulnerable regular expressions in the program and determines whether an "evil" input string can be matched against a vulnerable regular expression. We have implemented our proposed approach in a tool called REXPLOITER and found 41 exploitable security vulnerabilities in Java web applications.
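As an added example (not code from the paper or from REXPLOITER), the following Python script makes the "worst-case behavior of the matching algorithm" concrete by counting matcher steps instead of measuring wall-clock time. It runs the classic nested-quantifier regex (a+)+b over the constructed evil input 'a'*n with two matchers: a depth-first backtracking matcher, which is how java.util.regex (the engine behind the Java web applications studied here) and Python's re decide a match, and a memoised set-of-positions simulation in the Thompson-NFA style. The tiny regex AST, the step counter, the evil regex and the input are assumptions made for this example.

```python
"""Added example (not from the paper or REXPLOITER): count matcher steps to
expose the exponential worst case behind ReDoS without waiting for a timeout.

Two matchers over a tiny regex AST (literal, concatenation, alternation, star):
  backtrack  - depth-first backtracking, the strategy of java.util.regex and
               Python's re; it tries every way of splitting the input between
               nested quantifiers before reporting "no match".
  nfa_ends   - set-of-positions simulation memoised on (node, position), the
               Thompson/RE2 style that visits each pair at most once.
Assumptions: the AST, the 'step' counter and the evil regex (a+)+b are ours.
"""


class Lit:
    def __init__(self, ch):
        self.ch = ch


class Cat:
    def __init__(self, *parts):
        self.parts = parts


class Alt:
    def __init__(self, *opts):
        self.opts = opts


class Star:
    def __init__(self, inner):
        self.inner = inner


def plus(node):
    """x+ is x x*. Sharing `node` is safe: a result depends only on (node, position)."""
    return Cat(node, Star(node))


class Counter:
    def __init__(self):
        self.steps = 0


def backtrack(node, s, i, c):
    """Yield every end index reachable by matching `node` at s[i:], depth first.
    Each call is one step; exhausting the generator is what a backtracking
    engine does before it can report "no match"."""
    c.steps += 1
    if isinstance(node, Lit):
        if i < len(s) and s[i] == node.ch:
            yield i + 1
    elif isinstance(node, Cat):
        def go(k, j):
            if k == len(node.parts):
                yield j
                return
            for e in backtrack(node.parts[k], s, j, c):
                yield from go(k + 1, e)
        yield from go(0, i)
    elif isinstance(node, Alt):
        for o in node.opts:
            yield from backtrack(o, s, i, c)
    else:  # Star: zero iterations first, then one more iteration from each end
        yield i
        for e in backtrack(node.inner, s, i, c):
            if e > i:  # the inner match must consume input, else loop forever
                yield from backtrack(node, s, e, c)


def backtrack_match(node, s, c):
    """Full match as a backtracking engine decides it: stop at the first end
    index equal to len(s), otherwise exhaust every alternative."""
    return any(e == len(s) for e in backtrack(node, s, 0, c))


def nfa_ends(node, s, i, c, memo):
    """Set of end indices reachable by matching `node` at s[i:]. Memoised on
    (node, i), so the step count is bounded by |nodes| * (len(s) + 1)."""
    key = (id(node), i)
    if key in memo:
        return memo[key]
    c.steps += 1
    if isinstance(node, Lit):
        r = {i + 1} if i < len(s) and s[i] == node.ch else set()
    elif isinstance(node, Cat):
        r = {i}
        for p in node.parts:
            r = set().union(*(nfa_ends(p, s, j, c, memo) for j in r))
    elif isinstance(node, Alt):
        r = set().union(*(nfa_ends(o, s, i, c, memo) for o in node.opts))
    else:  # Star: breadth-first closure over repeated inner matches
        r, frontier = {i}, {i}
        while frontier:
            nxt = set().union(*(nfa_ends(node.inner, s, j, c, memo)
                                for j in frontier)) - r
            r |= nxt
            frontier = nxt
    memo[key] = frozenset(r)
    return memo[key]


def nfa_match(node, s, c):
    return len(s) in nfa_ends(node, s, 0, c, {})


EVIL = Cat(plus(plus(Lit('a'))), Lit('b'))  # (a+)+b : nested quantifiers


def steps_for(n):
    """Match (a+)+b against the constructed evil input 'a'*n. There is no 'b',
    so every way of splitting the a's between the two quantifiers is tried and
    fails. Returns (backtracking steps, NFA steps)."""
    s = 'a' * n
    cb, cn = Counter(), Counter()
    assert not backtrack_match(EVIL, s, cb)
    assert not nfa_match(EVIL, s, cn)
    return cb.steps, cn.steps


if __name__ == '__main__':
    print(' n  backtracking   NFA')
    for n in range(1, 13):
        b, m = steps_for(n)
        print(f'{n:2d}  {b:12d}  {m:4d}')
```

Running it prints the step counts for n = 1 to 12: the backtracking column doubles with every additional 'a', while the NFA column grows linearly in n. That doubling, rather than any absolute time, is the signal a ReDoS detector looks for; and it only becomes an attack when the string reaching such a regex is attacker-controlled, which is the second question the paper's analysis answers.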
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Advanced Malware Detection Techniques
