Web applications and servers that work with JavaScript are vulnerable to ReDoS attacks

Researchers warn that web applications and servers running JavaScript are still vulnerable to ReDoS attacks. Such attacks cause a denial of service when text is parsed by a vulnerable regular expression. The name reflects this: regular expression (regex) plus denial of service (DoS) gives ReDoS.

ReDoS vulnerabilities and attacks related to JavaScript were first described back in 2012, but at that time JavaScript and Node.js were not as widely used as they are today. As a result, the problem was virtually ignored for many years, and the situation only worsened. A study conducted in 2017 showed that 5% of all vulnerabilities in Node.js libraries and applications are ReDoS.

Now specialists from the Darmstadt Technical University have presented a new report on the old problem. They warn that ReDoS is still very dangerous: 25 previously unknown vulnerabilities were discovered in popular Node.js modules. That is, attackers can attack vulnerable sites by exploiting bugs in any of these solutions.

Exploiting these problems causes the site to "hang" for a few seconds or minutes while the server tries to work out what to do with the block of text from the exploit. Many regex filters are also installed on input fields, since they are part of the filtering against XSS. If the attacker keeps sending exploits to the resource, the "hang" can last a very long time.

The specialists write that developers mostly focus their efforts on accuracy and pay almost no attention to performance, leaving attackers wide scope for ReDoS attacks.
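The gap between accuracy and performance described above can be seen in the following added example, which is not taken from the researchers' report or from any of the affected modules. It puts a hypothetical word-list filter written with a nested quantifier next to an equivalent linear-time pattern and a length cap; both patterns, MAX_LEN and all function names are assumptions made for illustration.

```javascript
// Hypothetical input filter: "words separated by single whitespace characters".
// The nested quantifier lets one run of letters be split into groups in
// exponentially many ways, and a backtracking engine tries them all
// before it can report a failed match.
const VULNERABLE = /^(\w+\s?)+$/;

// Accepts the same strings, but each character can be consumed in only one
// way, so a failed match costs time roughly linear in the input length.
const SAFE = /^\w+(\s\w+)*\s?$/;

const MAX_LEN = 256; // assumed limit for this field

// Defence in depth: bound the input before any regex sees it.
function isValidTagLine(input) {
  if (typeof input !== 'string' || input.length > MAX_LEN) return false;
  return SAFE.test(input);
}

// Wall-clock milliseconds for a single regex test.
function timeMs(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed sample: n word characters followed by one rejected character.
function nearMiss(n) {
  return 'a'.repeat(n) + '!';
}

// Time both patterns on the same constructed inputs.
function compare(sizes) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: timeMs(VULNERABLE, nearMiss(n)),
    safeMs: timeMs(SAFE, nearMiss(n)),
  }));
}

// Sizes kept small on purpose: each extra character roughly doubles
// the time in the vulnerable column.
console.table(compare([16, 18, 20, 22]));
```

Because both patterns accept exactly the same strings, swapping one for the other changes only the cost of rejecting bad input, which functional tests on valid data never exercise.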

Having reached these disappointing conclusions, the experts at the Darmstadt Technical University decided to check how many "live" sites are vulnerable to ReDoS. After scanning 2846 popular resources running on Node.js, they found 339 sites vulnerable to at least one of the identified problems. Extrapolating from this sample, about 12% of all such sites are vulnerable to ReDoS.

The researchers have already notified the developers of the modules about the vulnerabilities, and some of them have already prepared patches. A proof-of-concept exploit for testing potentially vulnerable libraries was also published on GitHub. The same repository contains links to the corresponding patches, where available.