Time based Regex Injection
The technique I will introduce this time is Time based Regex Injection.
This is a recently announced technique on February 5th.
Based on ReDOS vulnerability, This technique makes it possible to extract the full part of string to be compared.
The research and presentation above was based on Python.
I researched for a short period of time how it could be used on JavaScript.
Regex DOS
1 | /* blocks Event loop */ |
Traditional ReDOS vulnerabilities are thought to be to the point of ruining the nodejs event loop, which consists of single threads, making it difficult to affect services based on php or python or etc… that respond to requests by forking the process.
Blind injection
1 | 'secretmessage'.match('se(((((.+)+)+)+)+)!'); |
In The Time based Regex injection, By adjusting the delay time of the ReDOS to the appropriate level depending on the situation.
We can determine the contents of the string being compared through search time.
The result itself is similar to the Blind SQL Injection.
methods using regex
The methods that use regular expressions as factors in JavaScript include the exec method and test method of RegExp, match method, place method and split method of String.
forward search
1 | const app = require('express')(); |
The above is a server script for testing.
1 | import requests, sys |
The above is the script to use for testing (forward search).
When It matches the navigation string, takes more time to distinguish the string.
1 | $ python forward.py 3 |
This is how you actually figure out a string through latency.
But there’s some limitation at this method.
| Followed chars | Load | Delay time (seconds) |
|---|---|---|
| 1 | - | - |
| 2 | - | - |
| 3 | 220 | 1.30 |
| 4 | 77 | 1.21 |
| 5 | 38 | 1.55 |
| 6 | 22 | 1.10 |
| 7 | 15 | 1.20 |
| 8 | 11 | 1.21 |
| 9 | 9 | 1.86 |
| 10 | 7 | 1.11 |
| 11 | 6 | 1.55 |
| 12 | 5 | 1.09 |
| 13 | 5 | 5.56 |
| 14 | 4 | 1.19 |
| 15 | 4 | 4.53 |
| 16 | 4 | 19.02 |
| 17 | 3 | 0.61 |
| 18 | 3 | 1.86 |
| 19 | 3 | 5.23 |
The above shows statistics on the relationship between these delays and the remaining characters.
This is greatly affected by the performance of your computer, so please take this as a simple reference.
The above regular expression was used to determine the value of the string to be compared.
However, if there is a limit to this method, if the remaining string is less than three characters, the length of the string required for navigation increases rapidly, and in real life the remaining three letters are less reliable because of the overhead or limiting input values.
Below is another form of regular expression to overcome these limitations.
backward search
1 | import requests, sys |
You can use the previous information you found to determine whether the string on the back is included!
1 | $ python backward.py 'THIS-IS-SECRET-' 40 |
The search shows that the remaining four characters are consist of D T A.
After we get this information, we can create a combination of 4^4 (256) for brute-force in the worst case.
| Followed chars | Load | Delay time (seconds) |
|---|---|---|
| 1 | 785 | 1.38 |
| 2 | 224 | 0.53 |
| 3 | 80 | 1.36 |
| 4 | 38 | 1.39 |
| 5 | 22 | 1.58 |
| 6 | 15 | 1.33 |
| 7 | 11 | 1.34 |
| 8 | 9 | 2.04 |
| 9 | 7 | 1.42 |
| 10 | 6 | 1.75 |
| 11 | 5 | 1.17 |
| 12 | 5 | 5.55 |
| 13 | 4 | 1.20 |
| 14 | 4 | 4.63 |
| 15 | 4 | 19.9 |
| 16 | 3 | 0.65 |
| 17 | 3 | 1.86 |
| 18 | 3 | 5.68 |
| 19 | 3 | 17.4 |
The above shows statistics on the relationship between delay time and the remaining characters in the rear navigation.
Likewise, the performance of your computer is greatly affected, so please take this as a simple reference.
Review
This is a quite general technique.
And maybe It would be a good choice to analyze how to affect using this in the various libraries.