Regarding the ReDOS exploit strings & the un-reproducibility #1372
Description
Hi there,
I am submitting this issue as the team is unable to see any impact by using the "exploit strings" I provided.
Look at the following regular expression:
```
(?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))
```
This is indeed a very long regular expression to reverse into a string by hand when you are looking at tons of such regular expressions.
However, the only vulnerable part of the regular expression is the following:
```
(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)
```
This part will cause the regex engine to backtrack a lot because of the alternate and adjacent sub-patterns and character classes matching the same characters.
I focused only on finding vulnerabilities and not on writing exploits, and that way I was able to find and verify 5 vulnerabilities in under an hour.
I assumed you guys would understand what I was trying to convey without making a ready-to-use exploit public, open to abuse.
The strings I mentioned are exploits for the vulnerable parts of the regular expressions; they aren't complete attack vectors, as I mentioned in my interview with PortSwigger:
The researcher added: “It should be noted that I haven’t released the full exploit strings yet because the vulnerabilities still exist and can be abused. The exploits mentioned in my blog are just for the vulnerable parts of the regular expressions and won’t have any effect on an implementation of ModSecurity.”
I hope it makes sense now.