Jump to content

brainXploit 10: Vulnerability hunt 2

Recommended Posts


According to the SOURCE: Microsoft Secure Blog, a quick search on Google with the following keywords reveals a few interesting links.


"regular expression" "microsoft secure blog"

Found links:

The first link presents SDL Regex Fuzzer, a tool of Microsoft from the SDL Tools suite.

In the article of the second link, it is mentioned that:


The subexpression (\.[a-zA-Z0-9\-\._]+){2,} in the pattern contains a grouping expression with repetition (\.[a-zA-Z0-9\-\._]+) that is itself repeated via the expression {2,}. The worst-case operation time for such a regex construction is exponential time O(2n)O(2n), and this could allow an attacker to craft a relatively short input value that would hang the application in an exponential processing loop.

The given regular expression is susceptible to a ReDoS attack (Regular expression DoS). This can be tested with the "SDL Regex Fuzzer" tool of Microsoft.

This can be tested with SDL Regex Fuzzer like in the following screenshot :


The answer is thus that this code is susceptible to ReDoS attack.

  • Like 1

Share this post

Link to post
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now