Exploiting Input Sanitization for Regex Denial of Service. (arXiv:2303.01996v1 [cs.CR])
cs.CR updates on arXiv.org arxiv.org
Web services use server-side input sanitization to guard against harmful
input. Some web services publish their sanitization logic to make their client
interface more usable, e.g., allowing clients to debug invalid requests
locally. However, this usability practice poses a security risk. Specifically,
services may share the regexes they use to sanitize input strings -- and
regex-based denial of service (ReDoS) is an emerging threat. Although prominent
service outages caused by ReDoS have spurred interest in this topic, we know
little …
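A defensive check motivated by the abstract, added here as an example that is not part of the paper: a conservative lint a service could run over its sanitization regexes before publishing them, flagging the nested-quantifier shape (a quantified group whose body itself contains a quantifier) that drives catastrophic backtracking in backtracking engines. The heuristic, the `nested_quantifiers` function and the sample patterns are assumptions of this example, not the paper's method.

```python
import re
from dataclasses import dataclass

# Matches a quantifier at a given offset: *, +, ?, or a bounded {n}, {n,}, {n,m}.
_QUANT = re.compile(r"[*+?]|\{\d+(?:,\d*)?\}")


@dataclass
class Finding:
    group: str  # the quantified group whose body also contains a quantifier
    start: int  # offset of that group's '(' in the pattern


def nested_quantifiers(pattern: str) -> list[Finding]:
    r"""Conservative ReDoS lint: flag a quantified group whose body contains a
    quantifier, e.g. (a+)+ or (\w+\s?)*. Escapes and character classes are
    skipped so \+ or [+*] are not mistaken for quantifiers. Being a heuristic,
    it also flags some safe patterns, but it never misses this shape."""
    re.compile(pattern)  # reject malformed input (unbalanced parens, bad escapes)
    findings: list[Finding] = []
    stack: list[list] = []  # one [start_offset, body_has_quantifier] per open group
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":  # escaped character: never a quantifier or a group
            i += 2
        elif c == "[":  # character class: skip to the matching ']'
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":  # a leading ']' is literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            stack.append([i, False])
            i += 3 if i + 1 < n and pattern[i + 1] == "?" else 1  # skip (?: (?= (?P
        elif c == ")":
            start, body_quantified = stack.pop()
            m = _QUANT.match(pattern, i + 1)  # is the group itself quantified?
            i += 1 + (m.end() - m.start() if m else 0)
            if m and body_quantified:
                findings.append(Finding(pattern[start:i], start))
            if stack and (m or body_quantified):  # parent's body now holds a quantifier
                stack[-1][1] = True
        else:
            m = _QUANT.match(pattern, i)
            if m and stack:
                stack[-1][1] = True
            i = m.end() if m else i + 1
    return findings
```

Patterns it flags deserve either a rewrite that removes the ambiguity or a switch to a linear-time (non-backtracking) engine before they are shared with clients.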