Blind regex injection: Theoretical exploit offers new means of forcing web apps to spill secrets

guest · Feb 12, 2020

Blind regex injection: Theoretical exploit offers new means of forcing web apps to spill secrets
Fresh attack vector lacks working exploit… for now
February 12, 2020
https://portswigger.net/daily-swig/...rs-new-way-to-force-web-apps-to-spill-secrets

Web applications with regex-enabled search may soon be forced to defend against a new exploit class, after a security researcher unveiled what he’s calling ‘blind regular expression injection attacks’.
During the OWASP Night 2020/02 event in Tokyo last week, Japanese security researcher Takashi Yoneuchi revealed the fruits of his occasional research into the field of blind regex injection.
ReDoS 101
Web apps with a search function often make use of regular expressions, or ‘regex’, which allow the user (or developer) to define a search pattern.

In some scenarios, specially crafted strings can force computations that overwhelm an app’s regex engine, causing the underlying web servers to work themselves to a standstill.
This is known as a ‘regular expression denial-of-service’ (ReDoS) attack.
Click to expand...

Blind regex injection
Taking ReDoS attacks a step further, Yoneuchi – an undergraduate at the University of Tokyo’s Department of Information Science and member of various Japanese CTF teams – has posited a new attack vector that uses “regular expression injection cleverly, like blind SQL injection”.

In a technical blog post published this week, Yoneuchi explained how blind regex injection might work on a sample vulnerable application: [...]
Theoretical exploit
For now, at least, web developers can rest easy, as there is no working exploit. However, although this attack is still theoretical, Yoneuchi said developers should nonetheless take care when allowing user input inside regular expressions.
Click to expand...

Log in or Sign up

Blind regex injection: Theoretical exploit offers new means of forcing web apps to spill secrets

guest Guest

Log in or Sign up

Blind regex injection: Theoretical exploit offers new means of forcing web apps to spill secrets

guest Guest

Useful Searches