mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Add content from: Research Update: Enhanced src/pentesting-web/regular-express...
This commit is contained in:
		
							parent
							
								
									5cfdf5154d
								
							
						
					
					
						commit
						dfb0310cf1
					
				| @ -1,6 +1,6 @@ | ||||
| # Mutation Testing for Solidity with Slither (slither-mutate) | ||||
| 
 | ||||
| {{#include ../../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| Mutation testing "tests your tests" by systematically introducing small changes (mutants) into your Solidity code and re-running your test suite. If a test fails, the mutant is killed. If the tests still pass, the mutant survives, revealing a blind spot in your test suite that line/branch coverage cannot detect. | ||||
| 
 | ||||
| @ -123,4 +123,4 @@ Guidance: Treat survivors that affect value transfers, accounting, or access con | ||||
| - [Arkis DeFi Prime Brokerage Security Review (Appendix C)](https://github.com/trailofbits/publications/blob/master/reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf) | ||||
| - [Slither (GitHub)](https://github.com/crytic/slither) | ||||
| 
 | ||||
| {{#include ../../../banners/hacktricks-training.md}} | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
|  | ||||
| @ -8,7 +8,12 @@ A **Regular Expression Denial of Service (ReDoS)** happens when someone takes ad | ||||
| 
 | ||||
| ## The Problematic Regex Naïve Algorithm | ||||
| 
 | ||||
| **Check the details in [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)** | ||||
| **Check the details in [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)** | ||||
| 
 | ||||
| ### Engine behavior and exploitability | ||||
| 
 | ||||
| - Most popular engines (PCRE, Java `java.util.regex`, Python `re`, JavaScript `RegExp`) use a **backtracking** VM. Crafted inputs that create many overlapping ways to match a subpattern force exponential or high-polynomial backtracking. | ||||
| - Some engines/libraries are designed to be **ReDoS-resilient** by construction (no backtracking), e.g. **RE2** and ports based on finite automata that provide worst‑case linear time; using them for untrusted input removes the backtracking DoS primitive. See the references at the end for details. | ||||
| 
 | ||||
| ## Evil Regexes <a href="#evil-regexes" id="evil-regexes"></a> | ||||
| 
 | ||||
| @ -18,10 +23,36 @@ An evil regular expression pattern is that one that can **get stuck on crafted i | ||||
| - ([a-zA-Z]+)\* | ||||
| - (a|aa)+ | ||||
| - (a|a?)+ | ||||
| - (.\*a){x} for x > 10 | ||||
| - (.*a){x} for x > 10 | ||||
| 
 | ||||
| All those are vulnerable to the input `aaaaaaaaaaaaaaaaaaaaaaaa!`. | ||||
| 
 | ||||
| ### Practical recipe to build PoCs | ||||
| 
 | ||||
| Most catastrophic cases follow this shape: | ||||
| 
 | ||||
| - Prefix that gets you into the vulnerable subpattern (optional). | ||||
| - Long run of a character that causes ambiguous matches inside nested/overlapping quantifiers (e.g., many `a`, `_`, or spaces). | ||||
| - A final character that forces overall failure so the engine must backtrack through all possibilities (often a character that won’t match the last token, like `!`). | ||||
| 
 | ||||
| Minimal examples: | ||||
| 
 | ||||
| - `(a+)+$` vs input `"a"*N + "!"` | ||||
| - `\w*_*\w*$` vs input `"v" + "_"*N + "!"` | ||||
| 
 | ||||
| Increase N and observe super‑linear growth. | ||||
| 
 | ||||
| #### Quick timing harness (Python) | ||||
| 
 | ||||
| ```python | ||||
| import re, time | ||||
| pat = re.compile(r'(\w*_)\w*$') | ||||
| for n in [2**k for k in range(8, 15)]: | ||||
|     s = 'v' + '_'*n + '!' | ||||
|     t0=time.time(); pat.search(s); dt=time.time()-t0 | ||||
|     print(n, f"{dt:.3f}s") | ||||
| ``` | ||||
| 
 | ||||
| ## ReDoS Payloads | ||||
| 
 | ||||
| ### String Exfiltration via ReDoS | ||||
| @ -30,7 +61,7 @@ In a CTF (or bug bounty) maybe you **control the Regex a sensitive information ( | ||||
| 
 | ||||
| - In [**this post**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) you can find this ReDoS rule: `^(?=<flag>)((.*)*)*salt$` | ||||
|   - Example: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$` | ||||
| - In [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) you can find this one:`<flag>(((((((.*)*)*)*)*)*)*)!` | ||||
| - In [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html) you can find this one:`<flag>(((((((.*)*)*)*)*)*)*)!` | ||||
| - In [**this writeup**](https://ctftime.org/writeup/25869) he used: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$` | ||||
| 
 | ||||
| ### ReDoS Controlling Input and Regex | ||||
| @ -67,19 +98,35 @@ Regexp (a+)*$ took 723 milliseconds. | ||||
| */ | ||||
| ``` | ||||
| 
 | ||||
| ### Language/engine notes for attackers | ||||
| 
 | ||||
| - JavaScript (browser/Node): Built‑in `RegExp` is a backtracking engine and commonly exploitable when regex+input are attacker‑influenced. | ||||
| - Python: `re` is backtracking. Long ambiguous runs plus a failing tail often yield catastrophic backtracking. | ||||
| - Java: `java.util.regex` is backtracking. If you only control input, look for endpoints using complex validators; if you control patterns (e.g., stored rules), ReDoS is usually trivial. | ||||
| - Engines such as **RE2/RE2J/RE2JS** or the **Rust regex** crate are designed to avoid catastrophic backtracking. If you hit these, focus on other bottlenecks (e.g., enormous patterns) or find components still using backtracking engines. | ||||
| 
 | ||||
| ## Tools | ||||
| 
 | ||||
| - [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit) | ||||
|   - Find vulnerable regexes and auto‑generate evil inputs. Examples: | ||||
|     - `pip install regexploit` | ||||
|     - Analyze one pattern interactively: `regexploit` | ||||
|     - Scan Python/JS code for regexes: `regexploit-py path/` and `regexploit-js path/` | ||||
| - [https://devina.io/redos-checker](https://devina.io/redos-checker) | ||||
| - [https://github.com/davisjam/vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector) | ||||
|   - End‑to‑end pipeline to extract regexes from a project, detect vulnerable ones, and validate PoCs in the target language. Useful for hunting through large codebases. | ||||
| - [https://github.com/tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector) | ||||
|   - Simple CLI/JS library that reasons about backtracking to report if a pattern is safe. | ||||
| 
 | ||||
| > Tip: When you only control input, generate strings with doubling lengths (e.g., 2^k characters) and track latency. Exponential growth strongly indicates a viable ReDoS. | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) | ||||
| - [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) | ||||
| - [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) | ||||
| - [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) | ||||
| - [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20@%20DEKRA%20CTF%202022/solver/solver.html) | ||||
| - [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869) | ||||
| - SoK (2024): A Literature and Engineering Review of Regular Expression Denial of Service (ReDoS) — [https://arxiv.org/abs/2406.11618](https://arxiv.org/abs/2406.11618) | ||||
| - Why RE2 (linear‑time regex engine) — [https://github.com/google/re2/wiki/WhyRE2](https://github.com/google/re2/wiki/WhyRE2) | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user