Exploiting input sanitization for regex denial of service
Efe Barlas, Xin Du, James C. Davis
2022Proceedings of the 44th International Conference on Software Engineering17 citationsDOIOpen Access PDF
Abstract
Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings -and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS.
Topics & Concepts
Computer scienceGuard (computer science)Denial-of-service attackUsabilityComputer securityWeb serviceUSableWorld Wide WebPublicationInternet privacyThe InternetOperating systemAdvertisingProgramming languageBusinessWeb Application Security VulnerabilitiesSecurity and Verification in ComputingDigital and Cyber Forensics