Revealer: Detecting and Exploiting Regular Expression Denial-of-Service Vulnerabilities

Liu, Yinxi; Zhang, Mingxue; Meng, Weiyi

doi:10.1109/sp40001.2021.00062

Cited by 18 publications

(15 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Three prevalent types are DNS cache poisoning, DNS spoofing, and DNS ID hijacking. DNS cache poisoning involves manipulating the information stored in the DNS cache, providing incorrect name-to-IP mappings and diverting requests to malicious sites [179]. DNS spoofing entails faking the IP address of a computer to misdirect requests.…”

Section: Figure 13 Replay Attackmentioning

confidence: 99%

“…The primary objective of malicious personnel is to mimic legitimate and regular traffic as possible, for them to exploit and compromise the application. The most common protocols at the application layer includes the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS) [32], File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP) [33], Domain Name System (DNS) [34]- [38] , Simple Network Management Protocol (SNMP), Telnet , and DHCP (Dynamic Host Configuration Protocol (DHCP). HTTPS is commonly employed to ensure the security of data in transit [39]- [41].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Performance, privacy, and security issues of TCP/IP at the application layer: A comprehensive survey

Timothy Murkomen

2024

GSC Adv. Res. Rev.

View full text Add to dashboard Cite

TCP/IP is the backbone of modern network communication, connecting devices across the world. TCP/IP at its core is a suite of protocols that enables the transmission of data between computers, facilitating the foundation of the interconnected global network. At the Application Layer of TCP/IP is where the interaction between software applications and the network occurs. The user-centric protocols such as HTTP, SMTP, FTP, POP3, IMAP and DNS facilitate various tasks at this layer such as web browsing, email communication, and file transfer. This comprehensive survey conducted an exploration of the performance, security and privacy issues at the application layer of the TCP/IP. It initiated by providing a background of TCP/IP model, it’s architecture and the core characteristics, with major focus on the application layer. This paper aimed to discuss the state-of-the-art of performance, privacy and security concerns in TCP/IP application layer. It also proposed future research areas to equip researchers, practitioners, policy makers and the decision makers with tangible knowledge, offering guidance in navigating the performance, privacy and security concerns in TCP/IP Application Layer. It aimed to discuss the current performance, privacy and security research gaps at the Application Layer of the TCP/IP Model. The findings of this research sheds light on the performance, privacy and security issues while suggesting the countermeasures to strengthen and optimize the overall performance, security and privacy of TCP/IP model at the application layer. The paper finally suggests future directions and research areas at the TCP/IP application layer.

show abstract

Section: Figure 13 Replay Attackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Performance, privacy, and security issues of TCP/IP at the application layer: A comprehensive survey

Timothy Murkomen

2024

GSC Adv. Res. Rev.

View full text Add to dashboard Cite

show abstract

“…Figure 2 illustrates an example of exponential behavior. Many researchers have proposed tools to identify regex-input pairs with worst-case polynomial or exponential behavior [27,30,77,87,89,94,100,101,111,114]. Using the typical Spencer algorithm [97], viz.…”

Section: Regexes and Regex-based Denial Of Servicementioning

confidence: 99%

“…The ReDoS problem has been considered from several perspectives. Theoretically, the properties of problematic regexes under different search models have been established, including both Kleeneregular semantics [89,111,114] and extended semantics [77]. In terms of the supply chain, Davis et al showed that up to 10% of the regexes in open-source modules are problematically ambiguous [45][46][47].…”

Section: Introductionmentioning

confidence: 99%

Exploiting input sanitization for regex denial of service

Barlas

Davis

2022

Proceedings of the 44th International Conference on Software Engineering

View full text Add to dashboard Cite

Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings -and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS.In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise Re-DoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions."Make measurable what cannot be measured. " -Galileo Galilei CCS CONCEPTS• Security and privacy → Denial-of-service attacks; Web application security; • General and reference → Empirical studies; Measurement; Validation.

show abstract

“…There is an increasing interest in studying the security of Node.js, both in academia and in industry. Most prior work has concentrated on so-called soft-ware supply chain security, i.e., studying security problems that are prevalent in libraries: injections [22,32,44], hidden property abuse [49], prototype pollution [31,32], malicious packages [19,50], running untrusted code [10,47,48], Re-DoS [17,18,33,43], code debloating [28]. There is also initial evidence that these problems in libraries affect websites in production [31,43].…”

Section: Nodejs Ecosystem Securitymentioning

confidence: 99%

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Shcherbakov¹,

Balliu²,

Staicu³

2022

Preprint

View full text Add to dashboard Cite

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as DoS, privilege escalation, and remote code execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks against Node.js libraries.In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit RCE in two high-profile applications. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.

show abstract

Revealer: Detecting and Exploiting Regular Expression Denial-of-Service Vulnerabilities

Cited by 18 publications

References 29 publications

Performance, privacy, and security issues of TCP/IP at the application layer: A comprehensive survey

Performance, privacy, and security issues of TCP/IP at the application layer: A comprehensive survey

Exploiting input sanitization for regex denial of service

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Contact Info

Product

Resources

About