Availability / reDOS

Web and API

Description

reDOS (Regular Expression Denial of Service) is a vulnerability that occurs when an attacker supplies a crafted input string to a system that uses regular expressions for pattern matching. The regular expression itself is written in a way (typically with nested or overlapping quantifiers) that lets such an input drive the backtracking engine into an exponential number of match attempts, leading to excessive CPU or memory consumption and potentially a denial of service (DoS) condition.

Risks

The primary risk of reDOS vulnerabilities is that an attacker can disrupt the availability of a service or application by causing excessive resource consumption with a small number of requests.
Inefficient regular expressions can also cause significant performance degradation under ordinary traffic, reducing the responsiveness and overall performance of the affected system.

Solution

Input Validation: Implement strict input validation to ensure that user-supplied input adheres to expected formats and limits. This helps prevent attackers from supplying malicious input that triggers reDOS vulnerabilities.
Timeouts and Limits: Implement timeouts and resource limits to prevent excessive resource consumption by regular expression matching. This can help mitigate the impact of reDOS attacks by limiting the amount of CPU time or memory allocated to processing each request.
Rate Limiting: Implement rate limiting measures to restrict the number of requests processed within a certain time frame. This can help mitigate the impact of reDOS attacks by limiting the rate at which malicious requests can be processed.
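As an added example (not part of this page), the following Python script contrasts a nested-quantifier pattern that backtracks exponentially on a near-miss input with an equivalent pattern that stays linear, and applies the input-length validation from the Solution section before the regex runs; the patterns, the length limit and the helper names are constructed for illustration.

```python
import re
import time

# Constructed example: the nested quantifier in VULNERABLE makes the
# backtracking engine try every way of splitting a run of "a"s when the
# match finally fails, so work grows roughly as 2^n. SAFE accepts the same
# strings with a single quantifier and stays linear.
VULNERABLE = re.compile(r"^(a+)+$")
SAFE = re.compile(r"^a+$")

MAX_INPUT_LEN = 64  # hypothetical per-field limit enforced before matching


def validate_length(text, limit=MAX_INPUT_LEN):
    """Input validation: reject oversized input before the regex runs."""
    return len(text) <= limit


def guarded_fullmatch(pattern, text, limit=MAX_INPUT_LEN):
    """Length check first, then match. Returns (accepted, matched)."""
    if not validate_length(text, limit):
        return False, None
    return True, pattern.fullmatch(text) is not None


def near_miss(n):
    """n letters 'a' followed by '!': almost matches, so the engine
    backtracks through every split before giving up."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Return (matched, seconds) for one match attempt."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Same language, very different cost on a near-miss input.
    for n in (10, 14, 18):
        text = near_miss(n)
        _, slow = time_match(VULNERABLE, text)
        _, fast = time_match(SAFE, text)
        print(f"n={n:2d}  vulnerable={slow:.4f}s  safe={fast:.6f}s")
    # The length limit stops the costly case from ever reaching the engine.
    print(guarded_fullmatch(VULNERABLE, near_miss(200)))  # (False, None)
```

Python's standard re module offers no per-match timeout, so the timeout and rate-limiting controls above must be enforced by the surrounding service (request deadlines, worker limits, or a linear-time engine) rather than by the regex call itself.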
