Regexploit

Regexploit helps identify regular expressions vulnerable to Regular Expression Denial of Service (ReDoS). It detects patterns that can lead to catastrophic backtracking and provides example malicious strings to trigger such vulnerabilities, which is crucial for preventing DoS attacks.

Questions & Answers

What is Regexploit?
Regexploit is a tool designed to find regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It identifies patterns that can lead to catastrophic backtracking and provides example malicious strings to trigger such vulnerabilities.
Who should use Regexploit?
Developers, security researchers, and anyone maintaining systems that process user-supplied input against regular expressions can use Regexploit. It helps proactively identify and mitigate ReDoS vulnerabilities in applications and codebases.
What makes Regexploit stand out from other regex tools?
Regexploit focuses specifically on identifying ReDoS vulnerabilities by analyzing the worst-case complexity of regex patterns. It generates concrete malicious strings that exploit catastrophic backtracking, rather than only validating regex syntax or measuring general performance.
When should I integrate Regexploit into my workflow?
Use Regexploit during code reviews, security audits, or as part of a CI/CD pipeline to scan new or modified regular expressions for ReDoS vulnerabilities. It can also analyze existing Python, JavaScript/TypeScript, C#, YAML, and JSON codebases for issues.
How does Regexploit determine regex vulnerability?
The tool analyzes the regular expression's backtracking procedure to determine its worst-case complexity, such as cubic or exponential. If the complexity is sufficiently high, it flags the regex as vulnerable and constructs an example input string designed to trigger catastrophic backtracking.