ReDoSHunter
ReDoSHunter is a combined static and dynamic approach for regular expression DoS detection.
LATEST NOTE (updated at 2021.09.13):
-
ReDoSHunter is an open-source project that serves for the research purpose. The vulnerabilities exposed by ReDoSHunter should EXPLICITLY acknowledge the use of ReDoSHunter.
-
Though ReDoSHunter is open sourced and allows commercial usage, recently we noticed an extensive usage of ReDoSHunter for profit. Therefore, we highlight that any exposed and confirmed new CVEs need to be co-owned by the major author (Yeting LI), and the profit from exposing new CVEs using ReDoSHunter should also half-preserved by ReDoSHunter authors. For further questions, please contact Yeting LI at email.
You can find more information in the paper ReDoSHunter: A Combined Static and Dynamic Approach for Regular Expression DoS Detection.
@inproceedings {Li2021ReDoSHunter,
author = {Yeting Li and Zixuan Chen and Jialun Cao and Zhiwu Xu and Qiancheng Peng and Haiming Chen and Liyuan Chen and Shing-Chi Cheung},
title = {ReDoSHunter: A Combined Static and Dynamic Approach for Regular Expression DoS Detection},
booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {3847--3864},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/li-yeting},
publisher = {{USENIX} Association},
month = aug,
}
Usage
1. Detect a single regular expression (cannot set timeout)
The main function is in ./src/main/java/cn/ac/ios/ReDoSMain.java
For example, if you type String regex = "^(a+)+b"; then run this file,
If the input regex is vulnerable, you will get:
^(a+)+b
Is attack success: true
Attack time: 1016 (ms)
Vulnerability Position: ^►(▻a+◅)+◄b
Attack String: "a"+"a"*32+" "
Vulnerability Source: There is a nested quantifier node a+ in (a+)+.
Vulnerability Degree: EXPONENT
2. Test regexes from datasets (can set timeout)
The file structure is
ReDosHunter
├─ ...
├─ data
│ ├─ expr # The results will show here!
│ │ ├─ empty.txt # This file is only used to keep an empty folder in github.
│ │ └─ ...
│ ├─ paper_dataset # Corpus, RegexLib, Snort are the data set used in our paper.
│ │ ├─ corpus.txt
│ │ ├─ regexlib.txt
│ │ ├─ snort.txt
│ │ └─ test.txt # put your dataset here!
│ └─ ...
└─ ...
The main function is in ./src/main/java/cn/ac/ios/Test.java
You can change String filename in the main function and run this file.
3. The parameters of static detection & dynamic verification
The default parameter is: 15 threads are used for static detection and 1 thread is used for dynamic verification. For a regular expression, the upper limit time of static detection is 60s. Other parameters are in ./src/main/java/cn/ac/ios/Bean/AttackBean.java.
Static detection contains five patterns (i.e., NQ, EOD, EOA, POA, SLQ in our paper): By default, The five patterns are all detected. If you want to detect not all patterns, change the parameter options in the checkReDoS function.
Dynamic verification is divided into two modes: S mode (default): for each regular expression, if one attack string attack is successful, stop the verification of other attack strings. M mode: verify all attack strings. The change method is to change the parameter model in the validateReDoS function.
Both static detection and dynamic verification support regular expressions under different languages. Java (default), python, JavaScript and PCRE. If you want to change language, please change the language parameter in the checkReDoS and validateReDoS functions.
License
Check the LICENSE.md file.
159 Dec 28, 2022
270 Sep 19, 2022
16 Dec 22, 2022
55 Nov 9, 2022
3 Apr 23, 2022
443 Dec 31, 2022
39 Oct 17, 2022
53 Nov 10, 2022
1k Dec 30, 2022
4 Sep 20, 2022
2.8k Jan 7, 2023
26 Nov 22, 2022
3 Sep 18, 2022
3.4k Dec 30, 2022
4 Dec 30, 2022
105 Dec 23, 2022
22 Dec 8, 2022
3.8k Dec 31, 2022
153 Jan 3, 2023