CAPEC 492 Regular Expression Exponential Blowup

Draft Standard Unknown Risk

Description

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

CAPEC 492 Regular Expression Exponential Blowup

Description

Mitigations

Test Custom Written Regex With Fuzzing To Determine If The Regex Is A Poor One. Add Timeouts To Processes That Handle The Regex Logic. If An Evil Regex Is Found Rewrite It As A Good Regex.

Consequences

Consequence Information

Relationships

Parent CAPECs

CAPEC 492 Regular Expression Exponential Blowup

Description

Mitigations

Test Custom Written Regex With Fuzzing To Determine If The Regex Is A Poor One. Add Timeouts To Processes That Handle The Regex Logic. If An Evil Regex Is Found Rewrite It As A Good Regex.

Consequences

Consequence Information

Relationships

Parent CAPECs

Iscriviti alla newsletter