# ReDoS (Regular Expression Denial of Service)

ReDOS is an attack method to compromise the Regex vulnerabilities which evaluate arbitrary inputs.

### Evil (Vulnerable) Regex <a href="#evil-vulnerable-regex" id="evil-vulnerable-regex"></a>

```shellscript
(a+)+
([a-zA-Z]+)*
(a|aa)+
(a|a?)+
(.*a){x} for x \> 10
^(([a-z])+.)+[A-Z]([a-z])+$

<!-- https://regexlib.com/REDetails.aspx?regexp_id=1757&AspxAutoDetectCookieSupport=1 -->
/^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/
```

### Malicious Input <a href="#malicious-input" id="malicious-input"></a>

If a target website validates user input with the above vulnerable Regex, we may be able to compromise the target system by the following malicious input:

```shellscript
aaaaaaaaaaaaaaaaaaaaaaaa!
```

### References <a href="#references" id="references"></a>

* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)