Java: DoS attack via regular expressions possible

Classification

CWE CWE-400

Overview

The regular expression used is susceptible to catastrophic backtracking, so matching it can become computationally intensive for some inputs. A regular expression denial of service (ReDoS) attack is possible.

Regular expressions are widely used in applications to validate user-supplied data. Expressions containing structures such as (( )+)+ force the matcher to perform a very large number of iterations. By supplying a specially crafted string, an attacker can disrupt the operation of the application. All implementations of regular expressions have such vulnerabilities.
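As an added illustration (not part of the original rule text): the nested-quantifier shape (( )+)+ described above as a Java pattern, beside a possessive-quantifier rewrite that accepts the same language, and a CharSequence wrapper that aborts a match once a time budget is spent. The class and method names (RedosDemo, DeadlineCharSequence, matchesWithin) are illustrative, and String.repeat requires Java 11 or later.

```java
import java.util.regex.Pattern;

// Added example, not from the original rule page. Names are illustrative.
public class RedosDemo {
    // Vulnerable: ambiguous nesting of the (( )+)+ shape. On "aaaa...a!" the engine tries
    // exponentially many ways to split the letters between inner and outer + before failing.
    static final Pattern VULNERABLE = Pattern.compile("(\\w+\\s?)+");
    // Hardened: \\w++ is possessive, so a run of letters is never given back. The accepted
    // language is unchanged, but a mismatch is now found in linear time.
    static final Pattern SAFE = Pattern.compile("(\\w++\\s?)+");
    // Matcher reads its input through CharSequence.charAt(), so a wrapper that checks a
    // deadline on every read can abort a match that has exhausted its time budget.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;   // absolute System.nanoTime() value
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {   // overflow-safe comparison
                throw new IllegalStateException("regex time budget exceeded");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }
    // Returns false both for a genuine mismatch and for a match that ran out of time;
    // the caller treats either as invalid input rather than letting the request hang.
    static boolean matchesWithin(Pattern p, String input, long budgetMillis) {
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        try {
            return p.matcher(new DeadlineCharSequence(input, deadline)).matches();
        } catch (IllegalStateException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        String hostile = "a".repeat(40) + "!";   // constructed: valid until the last character
        System.out.println(matchesWithin(VULNERABLE, hostile, 200)); // aborted by deadline: false
        System.out.println(matchesWithin(SAFE, hostile, 200));       // false, immediately
        System.out.println(matchesWithin(SAFE, "hello world", 200)); // true
    }
}
```

Capping input length before matching is a cheaper first line of defence; the deadline wrapper is the safety net for patterns that cannot easily be rewritten.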

References

  1. OWASP: Regular expression Denial of Service
  2. regular-expressions.info: Runaway Regular Expressions: Catastrophic Backtracking
  3. saferegex: tool for testing regular expressions for ReDoS vulnerabilities
  4. CWE-400: Uncontrolled Resource Consumption
  5. Catastrophic Backtracking