Specialists from the Darmstadt Technical University have now presented a new report on this old problem. They warn that ReDoS is still very dangerous: 25 previously unknown vulnerabilities were discovered in popular Node.js modules. That is, attackers can attack vulnerable sites by exploiting bugs in any of these solutions.
Exploiting these bugs makes the site "hang" for a few seconds or minutes while the server tries to work out what to do with the text supplied by the exploit. Many regex filters are also applied to input fields, since they are part of the filtering against XSS. In the end, if the attacker keeps sending exploits to the resource, the "hang" can last a very long time.
The specialists write that developers mostly focus their efforts on accuracy but pay almost no attention to performance, leaving attackers a wide field of activity for ReDoS attacks.
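The gap between accuracy and performance described above can be measured before a filter is deployed. The following JavaScript is an added example, not code from the report or its GitHub repository: it times a regex on near-miss inputs of growing length and flags super-linear growth. The two patterns, the probe lengths and the thresholds are constructed assumptions.

```javascript
// Constructed patterns (not from the report): both accept the same strings,
// one or more lowercase letters, but the first nests quantifiers.
const PATTERNS = {
  nested: /^([a-z]+)+$/, // backtracks exponentially on a near-miss
  flat: /^[a-z]+$/,      // same language, one linear pass
};

// Best-of-three wall time (ms) for one match attempt, to damp scheduler noise.
function timeMatch(regex, input) {
  let best = Infinity;
  for (let i = 0; i < 3; i++) {
    const start = performance.now();
    regex.test(input);
    best = Math.min(best, performance.now() - start);
  }
  return best;
}

// Probe with near-miss inputs of growing length: a run of valid characters
// followed by one invalid character, so the match fails only at the end.
// floorMs and maxGrowth are assumed thresholds; tune them for your hardware.
function audit(regex, lengths = [16, 20, 24], floorMs = 2, maxGrowth = 8) {
  const times = lengths.map((n) => timeMatch(regex, 'a'.repeat(n) + '!'));
  const first = Math.max(times[0], 0.001); // avoid dividing by ~0
  const last = times[times.length - 1];
  const growth = last / first;
  // Linear matching grows about 1.5x over these lengths; flag anything far
  // above that once the absolute time is large enough to be measurable.
  return { times, growth, superLinear: last > floorMs && growth > maxGrowth };
}

const report = Object.fromEntries(
  Object.entries(PATTERNS).map(([name, re]) => [name, audit(re)])
);
for (const [name, r] of Object.entries(report)) {
  console.log(name, r.times.map((t) => t.toFixed(3) + ' ms').join(', '),
    r.superLinear ? 'SUPER-LINEAR' : 'ok');
}
```

A check like this can run in CI against every pattern applied to user input, so that a change that reintroduces nested quantifiers fails the build instead of reaching production.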
Having come to these disappointing conclusions, the experts at the Darmstadt Technical University decided to check whether many "live" sites are vulnerable to ReDoS. Having scanned 2846 popular resources running on Node.js, they found 339 sites vulnerable to at least one of the identified problems. Thus, if we extrapolate this sample, about 12% of the total number of such sites are vulnerable to ReDoS.
The researchers have already notified the developers of the modules about the vulnerabilities, and some of them have already prepared patches. A proof-of-concept exploit for testing potentially vulnerable libraries was also published on GitHub. In the same repository, you can find links to the corresponding "patches", if available.