Fresh attack vector lacks working exploit… for now

Blind regular expression injection offers a new means of forcing web apps to spill secrets

Web applications with regex-enabled search may soon be forced to defend against a new exploit class, after a security researcher unveiled what he’s calling ‘blind regular expression injection attacks’.

During the OWASP Night 2020/02 event in Tokyo last week, Japanese security researcher Takashi Yoneuchi revealed the fruits of his occasional research into the field of blind regex injection.

By building on established regex security research, this so-called ‘algorithmic complexity attack’ has the potential to force apps to leak sensitive user information.

ReDoS 101

Web apps with a search function often make use of regular expressions, or ‘regex’, which allow the user (or developer) to define a search pattern.

In some scenarios, specially crafted strings can force computations that overwhelm an app’s regex engine, causing the underlying web servers to work themselves to a standstill.

This is known as a ‘regular expression denial-of-service’ (ReDoS) attack.

Blind regex injection

Taking ReDoS attacks a step further, Yoneuchi – an undergraduate at the University of Tokyo’s Department of Information Science and member of various Japanese CTF teams – has posited a new attack vector that uses “regular expression injection cleverly, like blind SQL injection”.

As outlined in OWASP documentation, a blind SQL injection attack asks a target database true or false questions and determines the answer based on the application’s response.

A common way to determine if an attack was successful is to use an SQL sleep command to cause a delay within the application.

READ MORE ModSecurity developers fix ReDoS flaw in Core Rule Set library

In the context of this new exploit, it is suggested that an attacker could force an app to leak sensitive information by using ReDoS to determine secrets based on a time delay that’s caused when executing the regular expression.

More specifically, the ‘backtracking’ feature that is exploited to cause ReDoS is once again leveraged in blind regex injection – only this time the attacker evaluates the response based on a timeout.

In a technical blog post published this week, Yoneuchi explained how blind regex injection might work on a sample vulnerable application:

In the case of our sample application, which has a timeout for evaluation of regex, this payload takes two seconds if SECRET matches R, and a little time if not. Here comes timing attack technique.

We can know whether an arbitrary regular expression matches SECRET or not through regular expression injection. For instance, we can leak the length of SECRET by testing how long the evaluation of ^(?=.{1})((.*)*)*salt$, ^(?=.{2})((.*)*)*salt$, … takes.

The value of SECRET can be revealed by checking whether nth character of SECRET is c or not, for all n in [1, len(SECRET)] and c in possible characters in SECRET.

This example would broadly place blind regex injection in the same family as XS-Leaks – a class of side-channel techniques that can be used to infer and gather information about users, often based upon network timing of the responses.

Offering further insight into the potential secret-stealing capabilities of this technique, Yoneuchi said: “Search features with regular expressions [would] be threatened. Suppose that there’s a Twitter-like application which allows us to search tweets with regex, and authorization will be done after searching by regular expressions.

“If that application uses backtracking engines and prevents ReDoS by setting timeouts for the evaluation of regular expressions, attackers might leak tweets from private accounts by blind regex injection.”

Theoretical exploit

For now, at least, web developers can rest easy, as there is no working exploit. However, although this attack is still theoretical, Yoneuchi said developers should nonetheless take care when allowing user input inside regular expressions.

“There’s still no working exploit for real-world applications, although I provided a sample vulnerable application and gave a PoC that exploits it in my article,” the researcher told The Daily Swig via email this week.

“I’m working on building exploits for real applications, but I have little time to spend. This is why I published this idea. I hope other bug hunters find real-world examples.”

If research were to continue in this field, Yoneuchi said blind regex injection could become another powerful tool in security researchers’ arsenal.

“I believe that if we can craft a ReDoS payload that has an attacker-controllable upper bound of the number of backtracking, blind regex injection attacks will turn into a more powerful method,” he said.

“This is because it is difficult to conduct these kind[s] of attacks without timeouts. Attackers have to control the time consumed by the evaluation of [regular expressions] carefully without timeouts.”

YOU MIGHT ALSO LIKE AV Oracle: New hacking technique leverages antivirus to steal secrets