7. For the input aaaaX there are 16 possible paths in the above graph.
But for aaaaaaaaaaaaaaaaX there are 65536 possible paths.
RegExp: ^(a+)+$
Where is the problem?
[Figure: state graph for ^(a+)+$ with numbered states and edges labelled a]
9. • OpenID-like auth, but we trust only the local host
• EXT HOST sends AUTHENTICATED if OK
• We can set the EXT HOST URL
• RegExp to check the response:
/[^w]AUTHENTICATED[^w]*$/
RegExp Engine Issues Example
14. RegExp attack (Step 2)
http://192.168.22.129/?pingback=http://192.168.130
responded with:
blablabla !AUTHENTICATED!\n … blabla\n
!AUTHENTICATED!\n
TO LOCAL HOST -> login:pass
http://192.168.22.129/?pingback=
-> http://192.168.22.129/?pingback=http://192.168.130
RegExp body =~ /[^w]AUTHENTICATED[^w]*$/ PASSED AGAIN
15. RegExp attack (Final Step)
[Problem is]:
body =~ /[^w]AUTHENTICATED[^w]*$/
• A normal RegExp engine stops after the first line ($ - EOL):
blablabla !AUTHENTICATED!\n … blabla
• Ruby interprets $ as just an EOL character, but it scans the next lines in the "file":
http://192.168.22.129/?pingback=http://192.168.130
responded with:
blablabla !AUTHENTICATED!\n … blabla\n
!AUTHENTICATED!\n
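As an added example (not code from the original slides), the Ruby snippet below shows the check from the slide passing on a constructed multi-line attacker body, because in Ruby `$` matches at the end of every line, and a version anchored with `\A` and `\z` that accepts only the expected token. That the honest external host answers with exactly `!AUTHENTICATED!` is an assumption.

```ruby
# Added example, not from the original slides: why the AUTHENTICATED check
# from the talk passes on an attacker-controlled multi-line body in Ruby,
# and the anchoring that fixes it. All response bodies below are constructed.

# The check as shown on the slides. In Ruby, "$" matches at the end of EVERY
# line (right before each "\n"), not only at the end of the whole string.
VULNERABLE_RE = /[^w]AUTHENTICATED[^w]*$/

# Hardened check (assumption: the external host is expected to answer with
# exactly "!AUTHENTICATED!"). \A and \z anchor to the start and the end of
# the whole string; \s* tolerates the line terminator an HTTP body carries.
STRICT_RE = /\A\s*!AUTHENTICATED!\s*\z/

def vulnerable_check(body)
  VULNERABLE_RE.match?(body)
end

def strict_check(body)
  STRICT_RE.match?(body)
end

# Constructed sample responses.
LEGIT_BODY = "!AUTHENTICATED!\n"
# A page that merely contains the token on one of its lines; the text after
# the first line contains a "w", so only the line-end "$" makes it match.
ATTACKER_BODY = "blablabla !AUTHENTICATED!\n<html>welcome, not the auth host</html>\n"
NOISE_BODY = "<html>hello world</html>\n"

# Runs both checks on one body so the difference is visible side by side.
def compare(body)
  { vulnerable: vulnerable_check(body), strict: strict_check(body) }
end

if __FILE__ == $PROGRAM_NAME
  { legit: LEGIT_BODY, attacker: ATTACKER_BODY, noise: NOISE_BODY }.each do |name, body|
    puts "#{name}: #{compare(body)}"
  end
end
```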
16. • ReDoS static analysis – RXXR
– http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
• Issues – know the features of your platform/language
How to mitigate
18. Cryptography is cool
Bitcoin – distributed cryptocurrency
Kryptos – encrypted sculpture, one of the most famous unsolved codes in the world
Crypto is widely used – wireless (WiFi, GSM, RFID etc.), banking, games (Xbox, PS3 etc.), e-mail anti-spam (DKIM)
19. I changed all my passwords to "incorrect",
So whenever I forget,
It will tell me "Your password is incorrect."
Some ideas need an audit
20. Wrong usage is bad
Using hash algorithms as crypto, and weak or custom implementations of crypto algorithms
Neutralizing all the advantages of crypto for the sake of user comfort
The belief that crypto will secure you by itself
A low level of understanding of why you need crypto
21. • A user can send points to another user
• All URL options/values are signed with a secret key
• All transactions are visible to everyone
SHA Length Extension Example
28. • Use HMAC for signing
• Use SHA-256 etc.
• Don’t create your own crypto (unless you are a genius in mathematics, but even then, don’t do it!)
How to mitigate
30. Review
• RegExp is a powerful tool:
– Even for DoS
– Some engines don’t work as expected
• Cryptography isn’t safe by itself:
– Use industry standards
– Understand how crypto works
– Make sure that your implementation/improvement isn’t broken