ReDoS (Regular Expression Denial of Service) is a cyberattack that uses complex search patterns to freeze a website or application. By sending a specific input to a vulnerable search or validation field, an attacker can force the system to spend hours on a single calculation. This exhausts the server's CPU and makes the site unavailable to legitimate users.
What is ReDoS?
ReDoS is an algorithmic complexity attack. It exploits how certain computer programs, called regex engines, handle regular expressions (regex). Regex is the standard tool developers use to find or validate text, such as checking if an email address is formatted correctly.
Most regex engines use a method called "backtracking." When a search pattern is inefficiently written (an "evil regex"), the engine may try billions of different combinations to find a match. An attacker can trigger this by providing a "crafted input" that almost matches the pattern but fails at the very end. The result is a system that hangs, slows down, or crashes entirely.
Why ReDoS matters
This attack is particularly dangerous because it does not require a massive botnet to bring down a server. A single request can be enough to stall an application.
- Financial Impact: Outages can lead to [average losses of $50,000 per attack] (TechRepublic).
- Widespread Vulnerability: Security research shows that [over 10% of popular GitHub projects are vulnerable to ReDoS] (Imperva).
- High Risk for SEO: If your site's search or form fields are attacked, your server could crash, leading to crawl errors and lost rankings.
- Automated Traffic: Malicious actors use bots to find these flaws; [bots currently account for 40% of all web traffic] (Cloudflare).
- Infrastructure Risk: Even security tools are not immune. For example, [Cloudflare's web application firewall was brought down by a ReDoS in 2019] (The Cloudflare Blog).
How ReDoS works
Most regex engines build a "Nondeterministic Finite Automaton" (NFA) to process patterns. This engine tries to match the input character by character. If it hits a wall, it "backtracks" to a previous step and tries a different path.
The danger occurs when a pattern is "Evil." This usually involves: 1. Grouping with repetition (e.g., a repeated group inside another repeated group). 2. Overlapping options (e.g., the engine cannot tell which part of the pattern should match a specific character).
For an input like aaaaaaaaaaaaaaaaX, an inefficient pattern could force the engine to check 65,536 variations. For every additional "a" added to that string, the work for the server doubles.
Best practices
Follow these steps to protect your tools and websites from ReDoS:
- Set Timeouts: Limit how long any regex search is allowed to run. A timeout of 100 or 200 milliseconds can stop an attack before it consumes all CPU resources.
- Limit Input Length: Prevent users from submitting extremely long strings into search bars or form fields.
- Use Safe Engines: Switch to non-backtracking engines like Google’s RE2 or the Rust regex crate. These run in "linear time," meaning they stay fast regardless of the input.
- Anchor Your Regex: Use
^and$to tell the engine exactly where a match should begin and end. This narrows the "search space" and reduces computation. - Avoid Nested Quantifiers: Do not use patterns like
(a+)+. These are the primary cause of "catastrophic backtracking."
Common mistakes
Mistake: Using "Evil Regex" patterns found in online repositories.
Fix: Always test patterns from sites like RegExLib or OWASP against long, repetitive strings before using them in production.
Mistake: Assuming short inputs are safe.
Fix: A string as short as 30 characters can crash a server if the regex pattern is poorly designed.
Mistake: Failing to sanitize user-provided patterns.
Fix: Never allow a user to submit their own regular expression (Regex Injection) to your server without extreme restrictions.
Mistake: Relying solely on client-side validation.
Fix: Attackers can bypass browser checks. You must have security measures (like timeouts) on the server side as well.
Examples
Example scenario (The "a" Trap):
An application uses the pattern ^(a+)+$. This looks for strings of "a" characters. If a user enters aaaaaaaaaaaaaaaaaaaaaaaa!, the server will enter an exponential loop trying to find a match that does not exist.
Example scenario (Email Validation): Many websites use complex patterns to validate emails. Some of these patterns, such as those found in early versions of popular libraries, contain sub-expressions that overlap. An attacker can provide an "email" with hundreds of characters that triggers a ReDoS.
FAQ
Is ReDoS the same as a DDoS attack? No. A DDoS attack uses thousands of computers to overwhelm a server with traffic. A ReDoS attack is more efficient; it often requires just one computer and one carefully crafted request to achieve a similar result.
How do I know if my SEO tool is vulnerable? Look for features that allow custom search patterns or complex filtering. If the tool is built on languages like JavaScript, Python, or Java without specific "timeouts" for regex processing, it could be at risk.
Can a ReDoS attack steal my data? Usually, no. ReDoS is generally about availability. It "denies service" by making the server too busy to respond. However, the resulting crash might lead to other security vulnerabilities or sensitive data exposure if the system does not fail Gracefully.
Can ReDoS happen in a web browser? Yes. If a website uses an evil regex in its front-end code, an attacker can provide input that hangs the user's browser, making the page unresponsive.
