NSConclave, profile picture
Uploaded byNSConclave
855 views

Regular Expression Injection

Regular Expression Injection occurs when an attacker supplies malicious input that modifies the intended regular expression in a way that breaks the program's specifications. This can impact control flow, leak information, or cause denial-of-service vulnerabilities. The document discusses regular expressions, how to find regular expression injection issues through error-based or blind injection techniques, demonstrates an example exploit, and provides mitigation strategies like input validation before using regular expressions and killing expressions that take too long.

Embed presentation

Download to read offline
Regular Expression Injection By : Elton J. Crasto 21/05/2020
Who am I? Name: Elton Crasto Designation: Security Analyst Twitter: @xd1810
Objectives:- 1. What is Regular Expression? 2. What is Regular Expression Injection? 3. ReDos? 4. How do we Find it? 5. Exploit Demo 6. Mitigation
What is Regular Expression? Regular Expressions (regex) are widely used to match strings of text. For example, the grep utility supports regular expressions for finding patterns in the specified text.
What is Regular Expression?
What is Regular Expression? /[w._+-]+@[w.-]+.[a-zA-Z]{2,4}/ Eg: elton@net-square.com https://www.w3schools.com/jsref/jsref_obj_regexp.asp
Regular Expression vs UI validation? Main difference between them is : An attacker can easily perform an HTTP request without using a browser (using proxy like Burp)and then send a payload that can compromise our application. Regex is difficult to set up correctly.
What is Regular Expression Injection? An attacker may supply a malicious input that modifies the original regular expression in such a way that the regex fails to comply with the program's specification. This attack is called a Regex injection or Regular Expression Injection, might affect control flow, cause information leaks, or result in denial-of-service (DOS) or ReDOS vulnerabilities.
ReDOS? ReDoS stands for Regular Expression Denial of Service. The ReDoS is an algorithmic complexity attack that produces a denial of service by providing a regular expression that takes a very long time to evaluate. For example : Regex: ^((ab)*)+$ (this regex searches for ab and its repetition) input:abababababab
ReDOS? Now we can complicate things very easily by throwing in abababa as the input. This extra a in the end will cause all kinds of trouble since it does not match the pattern and it will make the regex engine run all kinds of permutation looking for a possible match.
How do we find it? Mostly like all injections we find it with help of methods such as A.Error Based B.Blind Based [Fairly new] Error-based is an in-band Injection technique that relies on error messages thrown by the server to obtain information about the structure of the regex. Blind-Based is injection technique that relies on time take to respond by the server based on input.
Exploit Demo Detection:- Below we have an application which has 2 types of logs , private and public . Private logs can only be seen by admin and public can be seen by all Registered users.
Exploit Demo Now on inputting any character the application uses regex to find letters in public logs.But What if i want to see private logs too. So we try inputting all characters to see which one isn't escaped. Eg: !@#$%^&*()_+abcdefg....etc On putting * we get to see an error which shows us the regex code used.
Exploit Demo Exploit: Now that we know what the regex is all we have to do is bypass it by tampering with the input to complete the regex. For example for the above regex which uses .*<input>.* .We can easily bypass it with . * ) | ( . * Which gives us the following output:-
Mitigation ● Input validation/sanitization should be done and then sent to regex. String sanitized = subject.replaceAll("[ + * / ]"); Pattern regex = Pattern.compile(sanitized); ● If a regular expression takes too long, kill it at once, and inform the user that the regular expression was taking too long.
References ● https://www.w3schools.com/jsref/js ref_obj_regexp.asp ● https://www.geeksforgeeks.org/un derstanding-redos-attack/ ● https://www.ntu.edu.sg/home/ehch ua/programming/howto/Regexe.ht ml ● https://dzone.com/articles/regular- expressions-denial
Thank You Questions?

More Related Content

PPTX
Windows Registry
byprimeteacher32
 
PDF
LDAP Injection
byNSConclave
 
PDF
4 palo alto licenses
byMostafa El Lathy
 
PDF
Phân tích mã độc cơ bản - báo cáo thực tập
byPhạm Trung Đức
 
PPTX
How Scylla Manager Handles Backups
byScyllaDB
 
PDF
Hướng dẫn cấu hình cài đặt sử dụng thiết bị lưu trữ nas synology
byNguyen Minh
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PDF
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
byNetgate
 
Windows Registry
byprimeteacher32
 
LDAP Injection
byNSConclave
 
4 palo alto licenses
byMostafa El Lathy
 
Phân tích mã độc cơ bản - báo cáo thực tập
byPhạm Trung Đức
 
How Scylla Manager Handles Backups
byScyllaDB
 
Hướng dẫn cấu hình cài đặt sử dụng thiết bị lưu trữ nas synology
byNguyen Minh
 
HTTP HOST header attacks
byDefconRussia
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
byNetgate
 

What's hot

DOCX
Beezo Share - Đồ Án Thực Tập Công Cụ Giám Sát Mạng Python
byBeezo
 
PPTX
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
PPTX
MySQL Monitoring using Prometheus & Grafana
byYoungHeon (Roy) Kim
 
PPTX
Palo Alto Networks 28.5.2013
byBelsoft
 
PPTX
Terraform
byAn Nguyen
 
DOCX
Đề tài: Tìm hiểu hệ thống phát hiện xâm nhập IDS-SNORT, 9đ
byDịch vụ viết bài trọn gói ZALO: 0909232620
 
PDF
Flink Forward Berlin 2017: Tzu-Li (Gordon) Tai - Managing State in Apache Flink
byFlink Forward
 
PPT
Chapter 9: SCSI Drives and File Systems
byaskme
 
PDF
11 palo alto user-id concepts
byMostafa El Lathy
 
PPTX
Backup & restore in windows
byJab Vtl
 
PDF
Velocity 2015 linux perf tools
byBrendan Gregg
 
PDF
Flash for Apache Spark Shuffle with Cosco
byDatabricks
 
PPTX
Introduction to HTTP/2
byIdo Flatow
 
PDF
Providing Local DNS with pfSense - pfSense Hangout August 2016
byNetgate
 
PDF
Quản trị mạng linux full
byjackjohn45
 
PPTX
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
byBAKOTECH
 
PDF
Creating a DMZ - pfSense Hangout January 2016
byNetgate
 
PPTX
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
PDF
01- intro to firewall concepts
byMostafa El Lathy
 
PDF
Raft presentation
byPatroclos Christou
 
Beezo Share - Đồ Án Thực Tập Công Cụ Giám Sát Mạng Python
byBeezo
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
MySQL Monitoring using Prometheus & Grafana
byYoungHeon (Roy) Kim
 
Palo Alto Networks 28.5.2013
byBelsoft
 
Terraform
byAn Nguyen
 
Đề tài: Tìm hiểu hệ thống phát hiện xâm nhập IDS-SNORT, 9đ
byDịch vụ viết bài trọn gói ZALO: 0909232620
 
Flink Forward Berlin 2017: Tzu-Li (Gordon) Tai - Managing State in Apache Flink
byFlink Forward
 
Chapter 9: SCSI Drives and File Systems
byaskme
 
11 palo alto user-id concepts
byMostafa El Lathy
 
Backup & restore in windows
byJab Vtl
 
Velocity 2015 linux perf tools
byBrendan Gregg
 
Flash for Apache Spark Shuffle with Cosco
byDatabricks
 
Introduction to HTTP/2
byIdo Flatow
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
byNetgate
 
Quản trị mạng linux full
byjackjohn45
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
byBAKOTECH
 
Creating a DMZ - pfSense Hangout January 2016
byNetgate
 
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
01- intro to firewall concepts
byMostafa El Lathy
 
Raft presentation
byPatroclos Christou
 

Similar to Regular Expression Injection

PPTX
Regular Expression Denial of Service RegexDoS
byMichael Hidalgo
 
PPTX
APMG juni 2014 - Regular Expression
byByte
 
ODP
OISF: Regular Expressions (Regex) Overview
byThreatReel Podcast
 
ODP
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
byThreatReel Podcast
 
ODP
CiNPA Security SIG - Regex Presentation
byThreatReel Podcast
 
PDF
Don't Fear the Regex LSP15
bySandy Smith
 
PDF
Don't Fear the Regex WordCamp DC 2017
bySandy Smith
 
PDF
Don't Fear the Regex - Northeast PHP 2015
bySandy Smith
 
PPTX
Regex Primer
byzaimorkai
 
PDF
A3 sec -_regular_expressions
bya3sec
 
PPTX
regularexpression-180328061400.pptx hehe
byanthonykharl6
 
PPTX
Regular Expression
byvaluebound
 
PDF
Coffee 'n code: Regexes
byPhil Ewels
 
ODP
Regex Presentation
byarnolambert
 
ODP
Regex Presentation
byarnolambert
 
PPTX
Regular Expressions
byAkhil Kaushik
 
PPTX
Regular expressions
byBrij Kishore
 
DOCX
Python - Regular Expressions
byMukesh Tekwani
 
PDF
Python Regular Expressions
byBMS Institute of Technology and Management
 
PDF
Regular expressions
bykeeyre
 
Regular Expression Denial of Service RegexDoS
byMichael Hidalgo
 
APMG juni 2014 - Regular Expression
byByte
 
OISF: Regular Expressions (Regex) Overview
byThreatReel Podcast
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
byThreatReel Podcast
 
CiNPA Security SIG - Regex Presentation
byThreatReel Podcast
 
Don't Fear the Regex LSP15
bySandy Smith
 
Don't Fear the Regex WordCamp DC 2017
bySandy Smith
 
Don't Fear the Regex - Northeast PHP 2015
bySandy Smith
 
Regex Primer
byzaimorkai
 
A3 sec -_regular_expressions
bya3sec
 
regularexpression-180328061400.pptx hehe
byanthonykharl6
 
Regular Expression
byvaluebound
 
Coffee 'n code: Regexes
byPhil Ewels
 
Regex Presentation
byarnolambert
 
Regex Presentation
byarnolambert
 
Regular Expressions
byAkhil Kaushik
 
Regular expressions
byBrij Kishore
 
Python - Regular Expressions
byMukesh Tekwani
 
Python Regular Expressions
byBMS Institute of Technology and Management
 
Regular expressions
bykeeyre
 

More from NSConclave

PDF
RED-TEAM_Conclave
byNSConclave
 
PPTX
Create a Custom Plugin in Burp Suite using the Extension
byNSConclave
 
PPTX
IOT SECURITY ASSESSMENT Pentester's Approach
byNSConclave
 
PPTX
Debugging Android Native Library
byNSConclave
 
PPTX
Burp Suite Extension Development
byNSConclave
 
PDF
Log Analysis
byNSConclave
 
PDF
HTML5 Messaging (Post Message)
byNSConclave
 
PDF
Node.js Deserialization
byNSConclave
 
PDF
RIA Cross Domain Policy
byNSConclave
 
PDF
Python Deserialization Attacks
byNSConclave
 
PDF
Sandboxing
byNSConclave
 
PDF
NoSql Injection
byNSConclave
 
PDF
Thick Client Testing Advanced
byNSConclave
 
PDF
Thick Client Testing Basics
byNSConclave
 
PDF
Markdown
byNSConclave
 
PDF
Docker 101
byNSConclave
 
PDF
Security Architecture Consulting - Hiren Shah
byNSConclave
 
PDF
OSINT: Open Source Intelligence - Rohan Braganza
byNSConclave
 
PDF
Lets get started with car hacking - Ankit Joshi
byNSConclave
 
PDF
Advanced Wireless Reconnaissance And Testing - Rohit Jadav
byNSConclave
 
RED-TEAM_Conclave
byNSConclave
 
Create a Custom Plugin in Burp Suite using the Extension
byNSConclave
 
IOT SECURITY ASSESSMENT Pentester's Approach
byNSConclave
 
Debugging Android Native Library
byNSConclave
 
Burp Suite Extension Development
byNSConclave
 
Log Analysis
byNSConclave
 
HTML5 Messaging (Post Message)
byNSConclave
 
Node.js Deserialization
byNSConclave
 
RIA Cross Domain Policy
byNSConclave
 
Python Deserialization Attacks
byNSConclave
 
Sandboxing
byNSConclave
 
NoSql Injection
byNSConclave
 
Thick Client Testing Advanced
byNSConclave
 
Thick Client Testing Basics
byNSConclave
 
Markdown
byNSConclave
 
Docker 101
byNSConclave
 
Security Architecture Consulting - Hiren Shah
byNSConclave
 
OSINT: Open Source Intelligence - Rohan Braganza
byNSConclave
 
Lets get started with car hacking - Ankit Joshi
byNSConclave
 
Advanced Wireless Reconnaissance And Testing - Rohit Jadav
byNSConclave
 

Recently uploaded

PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PDF
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PPTX
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
PDF
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PPTX
Recent Data Breaches in Cyber World.pptx
byyoshuaImmanuel1
 
PDF
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
Taxi App UIUX Design for Seamless Ride Booking.pdf
byV3CUBE TECHNOLABS
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
BUSY Software Business Management Solution.pptx
byMoving Cloud
 
PDF
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
PDF
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
PDF
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
PDF
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
Recent Data Breaches in Cyber World.pptx
byyoshuaImmanuel1
 
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
Taxi App UIUX Design for Seamless Ride Booking.pdf
byV3CUBE TECHNOLABS
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
BUSY Software Business Management Solution.pptx
byMoving Cloud
 
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 

Regular Expression Injection

  • 1.
    Regular Expression Injection By: Elton J. Crasto 21/05/2020
  • 2.
    Who am I? Name:Elton Crasto Designation: Security Analyst Twitter: @xd1810
  • 3.
    Objectives:- 1. Whatis Regular Expression? 2. What is Regular Expression Injection? 3. ReDos? 4. How do we Find it? 5. Exploit Demo 6. Mitigation
  • 4.
    What is Regular Expression? RegularExpressions (regex) are widely used to match strings of text. For example, the grep utility supports regular expressions for finding patterns in the specified text.
  • 5.
  • 6.
    What is Regular Expression? /[w._+-]+@[w.-]+.[a-zA-Z]{2,4}/ Eg:elton@net-square.com https://www.w3schools.com/jsref/jsref_obj_regexp.asp
  • 7.
    Regular Expression vs UIvalidation? Main difference between them is : An attacker can easily perform an HTTP request without using a browser (using proxy like Burp)and then send a payload that can compromise our application. Regex is difficult to set up correctly.
  • 8.
    What is Regular Expression Injection? Anattacker may supply a malicious input that modifies the original regular expression in such a way that the regex fails to comply with the program's specification. This attack is called a Regex injection or Regular Expression Injection, might affect control flow, cause information leaks, or result in denial-of-service (DOS) or ReDOS vulnerabilities.
  • 9.
    ReDOS? ReDoS stands forRegular Expression Denial of Service. The ReDoS is an algorithmic complexity attack that produces a denial of service by providing a regular expression that takes a very long time to evaluate. For example : Regex: ^((ab)*)+$ (this regex searches for ab and its repetition) input:abababababab
  • 10.
    ReDOS? Now we cancomplicate things very easily by throwing in abababa as the input. This extra a in the end will cause all kinds of trouble since it does not match the pattern and it will make the regex engine run all kinds of permutation looking for a possible match.
  • 11.
    How do wefind it? Mostly like all injections we find it with help of methods such as A.Error Based B.Blind Based [Fairly new] Error-based is an in-band Injection technique that relies on error messages thrown by the server to obtain information about the structure of the regex. Blind-Based is injection technique that relies on time take to respond by the server based on input.
  • 12.
    Exploit Demo Detection:- Belowwe have an application which has 2 types of logs , private and public . Private logs can only be seen by admin and public can be seen by all Registered users.
  • 13.
    Exploit Demo Now oninputting any character the application uses regex to find letters in public logs.But What if i want to see private logs too. So we try inputting all characters to see which one isn't escaped. Eg: !@#$%^&*()_+abcdefg....etc On putting * we get to see an error which shows us the regex code used.
  • 14.
    Exploit Demo Exploit: Now thatwe know what the regex is all we have to do is bypass it by tampering with the input to complete the regex. For example for the above regex which uses .*<input>.* .We can easily bypass it with . * ) | ( . * Which gives us the following output:-
  • 15.
    Mitigation ● Inputvalidation/sanitization should be done and then sent to regex. String sanitized = subject.replaceAll("[ + * / ]"); Pattern regex = Pattern.compile(sanitized); ● If a regular expression takes too long, kill it at once, and inform the user that the regular expression was taking too long.
  • 16.
    References ● https://www.w3schools.com/jsref/js ref_obj_regexp.asp ●https://www.geeksforgeeks.org/un derstanding-redos-attack/ ● https://www.ntu.edu.sg/home/ehch ua/programming/howto/Regexe.ht ml ● https://dzone.com/articles/regular- expressions-denial
  • 17.