Request for Adding Regular Expression Denial of Service Check to ASVS #1562
Comments
Just a comment - keep adding those issues, we will analyze them when we can find a reasonable amount of time for that, this is nice input material! :)
(Just to second Elar's point, really appreciate all the effort you are putting in @ImanSharaf, thanks!!!) What do you think about the following:
Do you have a good link reference that could go with this, as it is a painfully complicated topic?
Thank you for your positive feedback and for considering the addition of a ReDoS check to ASVS. I appreciate your dedication to making the standard as comprehensive as possible. For the reference, what do you think about this one?

In a ReDoS attack, an attacker exploits weaknesses in a poorly designed regular expression by providing input that takes an extremely long time to process. This can cause the application to become unresponsive or slow, consuming excessive computational resources and potentially leading to a denial of service condition.

The main reason behind the vulnerability to ReDoS attacks lies in the use of "greedy" or "catastrophic backtracking" regular expressions. These expressions can lead to an exponential increase in processing time when matching certain inputs, especially those containing multiple repeating characters.

To simplify, imagine a poorly designed regular expression that is trying to match a pattern in a user's input. If the input contains repeating characters or a specific sequence that triggers the vulnerability, the regular expression engine might take an excessive amount of time to process the input, causing other users to experience delays or even making the application unresponsive.

To prevent ReDoS attacks, it is important to:
To detect ReDoS vulnerabilities in JavaScript code, follow these steps:
Also, we can always use SASTs to help us find suspicious regexes.
Ok so @ImanSharaf it would be good if you could look through the document you linked to and open a PR here with any changes/enhancements you feel are necessary based on your comment here. Maybe even consider transforming it into an official OWASP Cheat Sheet?
For the category, it waits on #1643.
Hi @ImanSharaf, are you ok with this and would you accept my suggested proposal for now:
Josh, I think this is a great idea for a new requirement. I made it more concise: Verify that regular expressions are free from elements causing exponential backtracking, and ensure untrusted input is sanitized to mitigate ReDoS / Runaway Regex attacks.
Created #1712 with Jim's wording. CWE-1333 seems correct and, as per my comment here, I think it neatly fits into the sanitization category.
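To make the "exponential backtracking" in the explanation earlier in the thread and the two halves of the requirement wording just proposed (review the pattern; bound untrusted input) concrete, here is an added example written for this page. It is not code from the ASVS project or from any commenter. It assumes Node.js 16 or later, and the function names, the 64-character cap and the sample patterns are choices made here for illustration: a vulnerable pattern beside its linear-time rewrite, a conservative static check for nested quantifiers, an input-length guard, and a timing loop that shows the match time roughly quadrupling each time two characters are added to the non-matching input.

```javascript
// Added example for this thread; not code from the ASVS issue or project.
// Assumes Node.js 16+ (global `performance`). Function names, the 64-char cap
// and the sample patterns below are illustrative choices made here.

// Vulnerable: the nested quantifier lets the engine split a run of "a"s into
// groups in exponentially many ways, and a trailing "!" forces it to try all of
// them before reporting no match.
const VULNERABLE = /^(a+)+$/;
// Hardened: accepts exactly the same strings (one or more "a"s) in linear time.
const SAFE = /^a+$/;

// Conservative static check for the shapes behind most catastrophic backtracking:
// a repeated group (...)+ / (...)* / (...){n,m} whose body itself contains an
// unescaped quantifier or an alternation, e.g. (a+)+, (\d+\s?)+, (a|aa)+.
// It is a heuristic: it also flags some bounded or non-overlapping patterns,
// so treat a hit as "review this regex", not as proof of a vulnerability.
function hasNestedQuantifier(source) {
  const openStack = [];   // indices of unclosed '('
  let inClass = false;    // inside [...] metacharacters do not count
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; }                 // skip the escaped character
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { openStack.push(i); continue; }
    if (ch !== ')') continue;
    const open = openStack.pop();
    if (open === undefined) continue;                   // unbalanced; ignore
    const next = source[i + 1];
    if (next !== '+' && next !== '*' && next !== '{') continue;  // group not repeated
    if (bodyRepeatsOrAlternates(source.slice(open + 1, i))) return true;
  }
  return false;
}

// True if the group body contains an unescaped +, *, {n,m} or | outside a class.
function bodyRepeatsOrAlternates(body) {
  let inClass = false;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === '\\') { i++; continue; }
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '+' || ch === '*' || ch === '{' || ch === '|') return true;
  }
  return false;
}

// The second control in the proposed wording: bound untrusted input before it
// reaches the engine, so a pattern that slips through review still cannot be
// driven into a multi-second match. 64 is an illustrative cap, not a standard.
function matchBounded(re, input, maxLen = 64) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLen) return { ok: false, reason: 'input too long' };
  return { ok: true, matched: re.test(input) };
}

// Wall-clock time of a single match attempt, in milliseconds.
function timeMatch(re, input) {
  const t0 = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// Demo with constructed inputs: n "a"s followed by "!" so neither pattern matches.
for (const n of [12, 14, 16, 18, 20]) {
  const input = 'a'.repeat(n) + '!';
  const slow = timeMatch(VULNERABLE, input);
  const fast = timeMatch(SAFE, input);
  console.log(`n=${n}  /^(a+)+$/ ${slow.ms.toFixed(1)} ms   /^a+$/ ${fast.ms.toFixed(3)} ms`);
}
for (const re of [VULNERABLE, SAFE, /^(\d+\s?)+$/, /^(a|aa)+$/, /^[a-z]+@[a-z]+\.[a-z]{2,}$/]) {
  console.log(`${re}  nested quantifier: ${hasNestedQuantifier(re.source)}`);
}
```

Do not raise n much past 25 with the vulnerable pattern; the time doubles with each added character, which is exactly the property the requirement is meant to exclude. The static check is deliberately simple: a real review pass would combine a heuristic like this (or a SAST rule) with a length cap or timeout on every regex that sees untrusted input.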
I noticed that the ASVS is missing a check for Regular Expression Denial of Service (ReDoS) vulnerabilities. As you know, ReDoS attacks can have a serious impact on application availability and performance, and are often overlooked in security testing.
ReDoS attacks occur when an attacker can manipulate an application's input in such a way that causes a regular expression pattern to take an extremely long time to process, leading to a denial of service condition. Since regular expressions are commonly used in applications for input validation, search functions, and more, it is crucial that ReDoS vulnerabilities are detected and mitigated.
I strongly recommend that the ASVS be updated to include a ReDoS check, a sample check could be the following: