kristoffersantiago 36 Report post Posted March 16, 2017 The vulnerability hunt webinar with Google's Kostya Serebryany is not 'til Tuesday. But for now, prepare yourself with this regex brainXploit challenge: brainXploit Rules: https://community.elearnsecurity.com/topic/3505-brainxploit/ Share this post Link to post Share on other sites
Nomad 1 Report post Posted April 2, 2017 ' ' inside of " " ,not " " inside of other " " ? Share this post Link to post Share on other sites
morfal 6 Report post Posted May 31, 2017 According to the SOURCE: Microsoft Secure Blog, a quick search on Google with the following keywords reveals a few interesting links. "regular expression" "microsoft secure blog" Found links: https://blogs.microsoft.com/microsoftsecure/2010/10/12/new-tool-sdl-regex-fuzzer/ https://blogs.microsoft.com/microsoftsecure/2014/10/09/vuln-hunt-find-the-security-vulnerability-challenge-2/ The first link presents SDL Regex Fuzzer, a tool of Microsoft from the SDL Tools suite. In the article of the second link, it is mentioned that: Quote The subexpression (\.[a-zA-Z0-9\-\._]+){2,} in the pattern contains a grouping expression with repetition (\.[a-zA-Z0-9\-\._]+) that is itself repeated via the expression {2,}. The worst-case operation time for such a regex construction is exponential time O(2n)O(2n), and this could allow an attacker to craft a relatively short input value that would hang the application in an exponential processing loop. The given regular expression is susceptible to a ReDoS attack (Regular expression DoS). This can be tested with the "SDL Regex Fuzzer" tool of Microsoft. This can be tested with SDL Regex Fuzzer like in the following screenshot : The answer is thus that this code is susceptible to ReDoS attack. 1 Share this post Link to post Share on other sites
