Stratos Ally

Unrestricted Resource Consumption – Part 6 

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.** 

DoS (Denial of Service) occurs when an application is overwhelmed by processing inputs that require extensive computational resources, ultimately exhausting system resources and rendering the service unresponsive. This can happen when user input is not properly sanitized, allowing attackers to exploit vulnerabilities that force the application into resource-intensive operations. Over time, this leads to degraded performance, increased response times, or complete service disruption, often requiring manual intervention to restore functionality. 

This walkthrough will guide you through identifying and exploiting such a vulnerability in VAmPI, a vulnerable REST API, using a specialized tool called Regexploit. The focus will be on exploiting the email validation endpoint, which uses a regular expression to check the format of email addresses. By sending carefully crafted, malformed input strings, you will observe how the application becomes unresponsive due to the computational load imposed by the regex validation. This attack demonstrates the risks associated with poorly designed input validation systems and emphasizes the need for secure coding practices to prevent such vulnerabilities. Let’s get started with the step-by-step guide! 

Walkthrough 

  1. Identifying the Vulnerable Endpoint 

Review the application to find endpoints where regular expressions are used to validate user inputs. Common examples include email validation and password complexity checks. 

  2. Testing VAmPI Endpoints: 

After testing various endpoints in VAmPI, it was found that the ‘Update users email’ endpoint (PUT /users/v1/:username/email) uses a regex to validate email addresses.

This endpoint returns a 400 Bad Request response when an improperly formatted email is provided. 

To update your email, you have to be logged in first. You can register and log in by following the steps in the article linked below: 

VAmpi Part 3 – Broken Object Property Level Authorization (BOPLA) In VAmPi (A Vulnerable API)   – Stratos Ally 

  3. Submit Malformed Email Strings 

Send a variety of email strings designed to stress the regex validation to the ‘Update users email’ endpoint. 

Example payload: 

  "email": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" 

Response Analysis: 

The application may become unresponsive, especially with longer input strings. This indicates the regex is taking a long time to validate the input. 

Generating malicious string using Regexploit 

Regexploit is a tool designed to identify and exploit vulnerabilities in regular expressions, particularly those that can cause denial of service (DoS) through excessive backtracking. 

  1. Install Regexploit: pip install regexploit 

  2. Locate the Regular Expression: To identify the regular expression (regex) used for email validation in VAmPI, we need to examine the codebase. The relevant regex pattern is found in the users.py file, which is part of the VAmPI API’s backend code. Specifically, it is located within the api_views folder.

So we check the regex in “api_views/users.py” in the VAmPI GitHub repository. 

The regular expression found there is: 

^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@{1}([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$ 

This pattern is used to validate email addresses when users attempt to update their email through the API. Each part of the pattern plays a role in ensuring the email meets specific formatting rules, but its complexity also makes it vulnerable to excessive backtracking, especially when dealing with malformed or lengthy input strings: the nested quantifier in the local part, ([-.\w]*[0-9a-zA-Z])*, lets the engine try every way of splitting a long run of word characters before it finally fails to find the ‘@’. This is what can lead to a Denial of Service when exploited. 

In the next step, we will analyze this regex using the Regexploit tool to generate a malicious input string capable of causing the application to slow down or crash. 

  3. Generate a Malicious String using the command: 

regexploit 

After this, it will ask you to enter the regex; paste in the pattern found in step 2. 

The analysis provided by Regexploit identifies that the regex pattern used for email validation has a high potential for causing performance issues due to its complex structure and the possibility of excessive backtracking. The tool suggests an example input string ('0' + '0' * 3456) that can be used to test the regex and potentially cause it to hang or crash, demonstrating a RegEx-based Denial of Service (ReDoS) attack. 

The expression '0' + '0' * 3456 is Python syntax for creating a string that starts with a single '0' followed by 3,456 additional '0' characters, resulting in a total string length of 3,457 characters. This specific input is crafted to exploit the regex pattern used in the VAmPI email validation. 

  4. Generate the output using the following command and store it in a file: 

python3 -c "print('0' * 3457)" > zeroes.txt 

  5. Open zeroes.txt, copy all the zeroes, and paste them into the email field of the ‘Update users email’ endpoint: 

Endpoint: PUT /users/v1/:username/email 

Send the Request. 

Observe the application’s response. The API should hang or become unresponsive, indicating a successful DoS attack. 

The longer the input string, the longer the application will take to recover, potentially requiring a restart of the service. You can confirm that no API endpoint is working now. 

For example, try the API endpoint /users/v1/_debug. You will find that the application does not respond. 

Conclusion 

This walkthrough demonstrates how an unrestricted resource consumption vulnerability, specifically DoS, can be exploited to overwhelm an application. By sending specially crafted inputs that require extensive computational resources to process, an attacker can cause the application to become unresponsive. This highlights the importance of proper input sanitization and efficient validation mechanisms to prevent such vulnerabilities and ensure the stability and security of the application. 
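The following Python example is added here and is not part of VAmPI or the original article. It puts the regex quoted in the walkthrough beside a hardened rewrite that accepts the same shape of address (alphanumeric start and end of the local part, dot-separated labels ending in an alphanumeric, a 2 to 9 letter TLD) but uses only bounded, non-nested quantifiers, and it applies the cheap pre-checks the conclusion calls for (a length cap and a single ‘@’) before the regex runs at all. The 254-character cap, the constant `MAX_EMAIL_LEN`, and the function names are assumptions of this example. The vulnerable pattern is timed only on runs of 12 to 18 zeroes, which is enough to see the growth without making the script hang.

```python
import re
import time

# The regex from VAmPI's api_views/users.py, as quoted in the walkthrough.
# The nested quantifier ([-.\w]*[0-9a-zA-Z])* is the backtracking hot spot:
# on a run of word characters with no '@', every split of the run is tried.
VULNERABLE_EMAIL_RE = re.compile(
    r"^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@{1}([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$"
)

# Hardened rewrite (added example, not VAmPI's code). Same accepted shape,
# but every quantifier is bounded and none is nested, so the engine backtracks
# at most a few dozen times per attempt instead of exponentially.
MAX_EMAIL_LEN = 254  # assumed policy: reject oversized input before any regex work
SAFE_EMAIL_RE = re.compile(
    r"[0-9a-zA-Z](?:[-.\w]{0,62}[0-9a-zA-Z])?"        # local part, no nested star
    r"@"
    r"(?:[0-9a-zA-Z][-\w]{0,61}[0-9a-zA-Z]\.)+"       # labels, each delimited by '.'
    r"[a-zA-Z]{2,9}"                                  # top-level domain
)


def validate_email_vulnerable(email: str) -> bool:
    """VAmPI-style check: the regex alone, with no length cap."""
    return VULNERABLE_EMAIL_RE.match(email) is not None


def validate_email_safe(email: str) -> bool:
    """Cheap structural checks first, then a regex that cannot blow up."""
    if len(email) > MAX_EMAIL_LEN or email.count("@") != 1:
        return False
    # fullmatch anchors both ends without relying on '$', which would also
    # match just before a trailing newline.
    return SAFE_EMAIL_RE.fullmatch(email) is not None


def time_validation(validator, email: str) -> float:
    """Wall-clock seconds the validator spends on one input."""
    start = time.perf_counter()
    validator(email)
    return time.perf_counter() - start


def backtracking_growth(lengths=(12, 14, 16, 18)):
    """Time the vulnerable regex on short runs of '0' (the shape Regexploit
    suggested, kept short so each call finishes in milliseconds)."""
    return {n: time_validation(validate_email_vulnerable, "0" * n) for n in lengths}


if __name__ == "__main__":
    for n, secs in backtracking_growth().items():
        print(f"vulnerable regex, {n} x '0': {secs * 1000:.1f} ms")
    secs = time_validation(validate_email_safe, "0" * 3457)
    print(f"hardened validator, 3457 x '0': {secs * 1000:.3f} ms")
```

Running the script shows the vulnerable regex roughly doubling its time with every extra character, while the hardened validator rejects the 3,457-character payload from the walkthrough in microseconds because the length check runs before the regex ever sees it. The same idea applies to any user-controlled string that feeds a backtracking regex engine: bound the input, remove nested or overlapping quantifiers, and keep the expensive check last.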
