
Regular Expression Denial of Service

What is ReDoS

When a regular expression (RegEx) is weakly implemented, it is sometimes possible to perform a DoS attack by supplying input that the expression takes a long time to evaluate, which makes the application relatively slow.

Usually this attack is explored and exploited when the source code is available, because you can then figure out which regular expressions are used in the code and on which fields.

For example, for the mobile number input field, which regex validates that field?
However, you can also try to find this in Black/Gray Box engagements.


Open the JavaScript files, search for the "RegExp(" function, and try to figure out which function utilizes that particular regex.


This is a good tool to evaluate a given regex and identify whether it is vulnerable or not.
This tool will also provide a string that triggers the potential ReDoS in the vulnerable RegEx.
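
For auditing your own front-end code, the search for "RegExp(" described above can be scripted. The following is an added example, not code from the original post or from the tool it mentions: it extracts regex sources from a JavaScript file, flags nested quantifiers, and times a flagged pattern against an equivalent rewrite. `SAMPLE_SOURCE`, the function names and the patterns are constructed for illustration.

```javascript
// Added example, not from the original post: heuristic ReDoS audit of your own JS.
// SAMPLE_SOURCE is constructed; its variable names and patterns are made up.
const SAMPLE_SOURCE = String.raw`
const mobileRe = new RegExp("^(\\d+)+$");
const nameRe   = /^[a-z]{1,30}$/i;
const tagRe    = /^(\w+\s?)*$/;
`;

// Pull regex sources out of RegExp("...") calls and simple /.../ literals.
function extractRegexSources(code) {
  const sources = [];
  const ctor = /RegExp\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  for (const m of code.matchAll(ctor)) {
    sources.push(m[2].replace(/\\(.)/g, "$1")); // undo string-literal escaping
  }
  const literal = /[=(,:]\s*\/((?:\\.|[^\/\\\n])+)\/[a-z]*/g;
  for (const m of code.matchAll(literal)) sources.push(m[1]);
  return sources;
}

// Flag a quantified group whose body also holds + or *, e.g. (\d+)+ or (\w+\s?)*.
// Heuristic: misses nested groups, may flag harmless patterns; review each hit.
function hasNestedQuantifier(src) {
  return /\((?:\\.|[^()\\])*[+*](?:\\.|[^()\\])*\)[+*{]/.test(src);
}

function audit(code) {
  return extractRegexSources(code).filter(hasNestedQuantifier);
}

// Milliseconds for one match attempt, to compare a pattern with its rewrite.
function timeMs(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

console.log("review these:", audit(SAMPLE_SOURCE));
// ^(\d+)+$ and ^\d+$ accept the same strings; only the first backtracks heavily
// on a near-miss (digits followed by one non-digit). Lengths kept small on purpose.
for (const n of [14, 18, 22]) {
  const nearMiss = "1".repeat(n) + "x";
  const slow = timeMs(/^(\d+)+$/, nearMiss);
  const fast = timeMs(/^\d+$/, nearMiss);
  console.log(`n=${n} nested=${slow.toFixed(2)}ms flat=${fast.toFixed(2)}ms`);
}
```

The nested timing grows roughly exponentially with `n` while the flat rewrite stays constant, which is why removing the outer quantifier and capping input length before validation are the usual fixes.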

It is important to understand how RegEx works, not only for ReDoS attacks; the knowledge is useful overall.


Some of the good websites to learn about Regex are



