.NET Tutorials, Forums, Interview Questions And Answers

SDL Regex Fuzzer

Posted By:Sunil Yadav       Posted Date: March 01, 2011    Points: 200    Category: Security    URL: http://www.sunilyadav.net  

This article explains how we can use SDL Regex Fuzzer to evaluate regular expressions for potential vulnerabilities.
 

SDL Regex Fuzzer is a tool that helps test regular expressions for potential denial-of-service vulnerabilities, also known as ReDoS attacks. It performs its analysis with the .NET backtracking ("traditional NFA") regex engine, so its results apply directly to patterns used from .NET code.

More info http://msdn.microsoft.com/en-us/library/e347654k.aspx

What is a ReDoS attack?

ReDoS (Regular Expression Denial of Service) is an attack that makes a system unresponsive or unavailable to its legitimate users. It exploits regular expressions that are poorly written, or that are built from or applied to untrusted input: a pattern with nested or overlapping quantifiers can force a backtracking engine to try an exponential number of ways to match before it gives up. Some regular expressions that can be used in such an attack are listed below.
  • (a+)+
  • ([a-zA-Z]+)*
  • (a|aa)+
  • (a|a?)+
  • (.*a){x}, for x > 10

All of the above are susceptible to the input aaaaaaaaaaaaaaaaaaaaaaaa! (the minimum input length that produces a noticeable delay varies slightly with machine speed). Note that the blow-up only happens when the engine is forced to fail after consuming the run of a's, for example when the pattern is anchored (^(a+)+$) or is followed by something the trailing ! cannot satisfy; unanchored, (a+)+ simply matches the prefix of a's and returns at once.
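The following console program is an added example, not code from the original article or from the SDL Regex Fuzzer itself: it does by hand what the fuzzer automates, timing the anchored form of the patterns listed above against inputs of growing length, with a match timeout so the program cannot hang. It assumes .NET Framework 4.5 or later (or .NET Core / .NET 5+), which is where the Regex constructor with a match timeout and RegexMatchTimeoutException were introduced; the class and method names are this example's own.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example: a hand-rolled version of what SDL Regex Fuzzer automates.
// Assumes .NET Framework 4.5 or later (or .NET Core / .NET 5+) for the Regex
// constructor that takes a match timeout. Console application.
class ReDosTiming
{
    // Patterns from the list above, anchored so that the trailing '!' forces the
    // engine to fail and backtrack through every split of the run of 'a's.
    static readonly string[] AnchoredPatterns =
    {
        @"^(a+)+$",
        @"^([a-zA-Z]+)*$",
        @"^(a|aa)+$",
        @"^(a|a?)+$",
    };

    // Returns the elapsed milliseconds for one IsMatch call, or -1 if the
    // engine gave up because the match exceeded the timeout.
    static long TimeMatch(string pattern, string input, TimeSpan timeout)
    {
        var regex = new Regex(pattern, RegexOptions.None, timeout);
        var sw = Stopwatch.StartNew();
        try
        {
            regex.IsMatch(input);
            return sw.ElapsedMilliseconds;
        }
        catch (RegexMatchTimeoutException)
        {
            return -1;
        }
    }

    static void Main()
    {
        var timeout = TimeSpan.FromSeconds(2);
        foreach (string anchored in AnchoredPatterns)
        {
            // Grow the input two 'a's at a time. On a backtracking engine the
            // time for the anchored pattern grows exponentially with n.
            for (int n = 18; n <= 30; n += 2)
            {
                string input = new string('a', n) + "!";
                long ms = TimeMatch(anchored, input, timeout);
                Console.WriteLine("{0,-18} n={1,2}  {2}", anchored, n,
                    ms < 0 ? "timeout (> 2 s)" : ms + " ms");
            }

            // The same pattern without ^ and $ (as written in the list above)
            // matches the prefix of 'a's immediately and never backtracks.
            string unanchored = anchored.Substring(1, anchored.Length - 2);
            long fastMs = TimeMatch(unanchored, new string('a', 30) + "!", timeout);
            Console.WriteLine("{0,-18} n=30  {1} ms (unanchored: no blow-up)",
                unanchored, fastMs);
        }
    }
}
```

Compile it as a console application and watch the anchored rows climb until they hit the timeout while the unanchored row stays at zero milliseconds; that contrast is the check worth keeping in mind when deciding whether a pattern flagged by the fuzzer is reachable in your code.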

Reference: http://en.wikipedia.org/wiki/ReDoS

Last week, during a penetration test of a custom form built on ASP.NET 2.0, I found the change-password functionality vulnerable to a ReDoS (regular expression denial of service) attack.

The attack needed only the following two field values: one supplies the evil pattern and the other the input that makes the engine backtrack.

New password = ([a-zA-Z]+)*

Re-Entered New password = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!


Source code (the vulnerable check, as found):

using System.Text.RegularExpressions;

// Both values come straight from the form fields.
String userName = txtusername.Text;
String password = txtpassword.Text;
// The user name is compiled as a regular expression with no escaping and no
// match timeout, so the user controls the pattern as well as the input.
Regex testPassword = new Regex(userName);
Match match = testPassword.Match(password);
if (match.Success)
{
    lblMsg.Text = "Do not include name in password.";
}

To avoid a ReDoS attack you should treat every regular expression used in the code as security-sensitive: never build a pattern from untrusted input (escape it with Regex.Escape, or use a plain string comparison when a literal match is all that is needed), review fixed patterns for nested or overlapping quantifiers, and bound matching time with a match timeout (available from .NET Framework 4.5) so that a hostile input fails fast instead of tying up the worker thread.

Microsoft provides a tool called SDL Regex Fuzzer which helps identify such evil regular expressions.

SDL Regex Fuzzer testing is performed during the Verification phase of the Microsoft Security Development Lifecycle (SDL).
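The hardened form of the change-password check, as an added example that is not the article's own code: the vulnerable version is kept for comparison, next to a plain substring test and a regex variant that escapes the user name and applies a match timeout. It assumes .NET Framework 4.5 or later for the timeout overload; the class name, the method names and the sample user names and passwords in Main are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: the change-password check with user input kept out of the
// pattern. Assumes .NET Framework 4.5 or later for the match-timeout overload.
// The vulnerable form mirrors the article's snippet; the hardened variants,
// names and sample values are this example's own.
static class PasswordChecks
{
    // As found: the user name is the pattern. Because the attacker controls the
    // whole pattern, they can anchor it themselves, e.g. a user name of
    // ^([a-zA-Z]+)*$ with a password of "aaaa...!" hangs the request thread.
    public static bool NameInPasswordVulnerable(string userName, string password)
    {
        return new Regex(userName).Match(password).Success;
    }

    // Fix 1: no regex. A case-insensitive substring test is all the rule needs.
    public static bool NameInPassword(string userName, string password)
    {
        return password.IndexOf(userName, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Fix 2: when a regex is genuinely needed (for instance the name is combined
    // with other rules), escape the untrusted part so its metacharacters are
    // matched literally, and give the engine a timeout. Returns null when the
    // match timed out, so the caller can fail closed instead of hanging.
    public static bool? NameInPasswordRegex(string userName, string password)
    {
        string pattern = Regex.Escape(userName);
        var regex = new Regex(pattern, RegexOptions.IgnoreCase,
                              TimeSpan.FromMilliseconds(200));
        try
        {
            return regex.IsMatch(password);
        }
        catch (RegexMatchTimeoutException)
        {
            return null;
        }
    }

    static void Main()
    {
        string evilName = "^([a-zA-Z]+)*$";          // attacker-chosen, anchored
        string evilPassword = new string('a', 40) + "!";
        string ordinaryName = "sunil";

        // Deliberately not called: NameInPasswordVulnerable(evilName, evilPassword)
        // does not finish in practical time with 40 a's.

        // Ordinary case: the name appears in the password despite different case.
        Console.WriteLine(NameInPassword(ordinaryName, "Sunil2011!"));
        // Hostile pair: both fixed checks return immediately.
        Console.WriteLine(NameInPassword(evilName, evilPassword));
        Console.WriteLine(NameInPasswordRegex(evilName, evilPassword));
        // After Regex.Escape the '.' in the name is a literal dot, not a wildcard,
        // so "xa.by" is a hit and "xaQby" is not.
        Console.WriteLine(NameInPasswordRegex("a.b", "xa.by"));
        Console.WriteLine(NameInPasswordRegex("a.b", "xaQby"));
    }
}
```

In the page handler, a null from NameInPasswordRegex should be treated as a rejected password and logged, because a timeout on an escaped pattern means the input itself was hostile; in practice the substring version is the right choice for this rule, since nothing about "the password must not contain the user name" needs a regular expression.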

The screenshot that accompanied this section, showing SDL Regex Fuzzer evaluating a regular expression, is not included in this copy.
Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f

Download SDL Tools: http://www.microsoft.com/security/sdl/getstarted/tools.aspx
