Asymmetric Denial of Service - ReDoS
Need
Prevent server crashes by avoiding expensive regular expression operations
Context
• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
• Usage of the Regex module for regular expressions
Description
1. Non-compliant code
defmodule MyApp.Service do
  # Nested quantifiers ([a-z0-9]+)* let the engine split the same run of
  # characters between the inner and outer repetition in exponentially many
  # ways when the overall match fails.
  def check_email_format(email) do
    Regex.match?(~r/([a-z0-9]+)*@([a-z0-9]+)*(.com)*/, email)
  end
end

This code is vulnerable because it uses a regular expression that can be exploited in a ReDoS attack. An attacker can provide an email string that causes excessive backtracking, leading to excessive consumption of CPU resources and potentially causing the server to crash.
2. Steps
• Avoid nested quantifiers (a quantified group that itself contains a quantifier) in your regular expressions, since they can lead to excessive backtracking.
• Use a simpler regular expression without capturing groups to validate the email format.
3. Secure code example
defmodule MyApp.Service do
  # Each character class is repeated by exactly one quantifier, so there is
  # only one way to consume a run of characters and backtracking stays bounded.
  def check_email_format(email) do
    Regex.match?(~r/[a-z0-9]+@[a-z0-9]+\.com/, email)
  end
end

This code is safe because it uses a simpler regular expression with no capturing groups or nested quantifiers to validate the email format, thus avoiding the risk of excessive backtracking and ReDoS attacks.
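The secure pattern above is unanchored, so it accepts any string that merely contains a matching substring, and it relies entirely on the pattern staying well-formed. The following is an added example, not code from the original page, showing two further defensive layers in Elixir: a length bound before matching and a time budget enforced by running the match in a separate process. The module name, @max_len and @timeout_ms values are assumptions for illustration.

```elixir
defmodule MyApp.SafeService do
  # Added example: defence in depth around the email check.
  # @max_len and @timeout_ms are assumed values, not project settings.
  @max_len 254      # bound the input before the regex engine ever sees it
  @timeout_ms 50    # CPU budget one validation may consume

  # Anchored with \A and \z so the whole string must match; no capturing
  # groups and no nested quantifiers, so backtracking stays linear.
  @email_re ~r/\A[a-z0-9]+@[a-z0-9]+\.com\z/

  def check_email_format(email) when is_binary(email) do
    if byte_size(email) > @max_len do
      false
    else
      match_with_budget(@email_re, email)
    end
  end

  def check_email_format(_not_a_string), do: false

  # Runs the match in its own process so the caller can abandon it after the
  # budget expires. On timeout the task is killed and the input is rejected,
  # which limits the damage if a future pattern change reintroduces
  # catastrophic backtracking.
  defp match_with_budget(regex, input) do
    task = Task.async(fn -> Regex.match?(regex, input) end)

    case Task.yield(task, @timeout_ms) || Task.shutdown(task, :brutal_kill) do
      {:ok, result} -> result
      _timeout_or_exit -> false
    end
  end
end
```

With this module, `MyApp.SafeService.check_email_format("user@example.com")` returns true, while oversized input or a match that exceeds the budget returns false instead of occupying the request process.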
References
• 211. Asymmetric Denial of Service - ReDoS