ReDoS attacks in ExpressJS

A ReDoS (Regular expression Denial of Service) attack takes advantage of the complexity of regular expressions to block the Node.js event loop.

This kind of attack (described on this page) simply passes strings via HTTP that force the JavaScript engine to evaluate a regular expression with increasing complexity, so that each request takes more and more computational time.

More specifically, when we use regular expressions within ExpressJS route paths and validate input against them, we may be exposed to this kind of attack if those regular expressions contain repeated groups, or if the repeated group itself contains further repetitions or alternatives.

Some examples:

  1. (a-z+)+
  2. ([a-zA-Z]+)*
  3. (ala?)+
  4. ([a-z0-9]+)+

In ExpressJS you can avoid these regular expressions in route paths by replacing them with generic parameters where possible, and, when a regular expression must be used, by giving it a fixed length. For example:

// :lang is bounded: it matches exactly two lowercase letters (or is absent), so backtracking cannot grow with input length
app.get('/:lang([a-z]{2})?', (req, res) => { res.send(req.params.lang || 'default'); });

In this case, parsing stops after the second character of the string, so even when complex strings are sent the engine is not forced to process them in their entirety. For forms, on the other hand, we recommend using a nonce token to prevent the form from being submitted remotely.