You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Due to weakly implemented RegEx Sometimes it is possible to perform a DoS attack by making this expression to evaluate an expression which will make the application work relatively slow.
Usually this attack is explored and exploited when the source code is available and you can figure out what regular expressions are used in the code at what fields.
For example, at the mobile no input field, what is the regex that validates the mobile no input field.
However, you can also try to find this in Black/Gray Box engagements.
Method
Open the JavaScript files and search for the "RegExp(" function and try to figure out what function utilize that particular Regex.
Evaluation
https://github.com/2bdenny/ReScue
This is a good tool to evaluate and identify if the given regex is vulnerable or not.
This tool will also provide a string that will make the vulnerable RegEx go into potential ReDoS Attacks.
It is important to understand how RegEx works and not only with ReDoS attack but it is useful overall.
Resources
Some of the good websites to learn about Regex are
https://rexegg.com
https://regexone.com
https://speakerdeck.com/harshbothra/having-fun-with-regex
https://javascript.info/regexp-catastrophic-backtracking