CAPEC-492 Detail

CAPEC-492

Name

Regular Expression Exponential Blowup

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-02-22
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

Informations CAPEC

Prerequisites

This type of an attack requires the ability to identify hosts running a poorly implemented Regex, and the ability to send crafted input to exploit the regular expression.

Mitigations

Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.

Related Weaknesses

CWE-ID	Weakness Name
CWE-400	Uncontrolled Resource Consumption The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CWE-1333	Inefficient Regular Expression Complexity The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

REF-421

Regular Expression Denial of Service Attacks and Defenses
Bryan Sullivan.
http://msdn.microsoft.com/en-au/magazine/ff646973.aspx

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2019-04-04 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2019-09-30 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Taxonomy_Mappings
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description