Preventing ReDoS attacks in .NET 5

Marcin Hoppe at Dotnetos Conference 2020

Regular expressions are a powerful text processing tool. In Web applications, they are often the front line of defense and validate untrusted input data.

Unfortunately, some regular expressions can become an attack vector themselves. Certain patterns exhibit behavior known as catastrophic backtracking, leading to degradation of performance and excessive resource consumption. The impact can be significant enough to cause denial of service (DoS). This class of vulnerabilities is often called regular expression DoS, or ReDoS.

.NET 5 has several mechanisms and performance improvements to prevent ReDoS attacks. In this talk, Marcin will walk you through the details of the .NET regular expression implementation, demonstrate the impact of a ReDoS attack, and show how .NET 5 can help you protect your applications from those costly attacks.
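The abstract does not list the mechanisms the talk covers. As an added illustration (not code from the talk or from Auth0), the C# sketch below bounds a regular expression with the standard `matchTimeout` argument of `Regex.IsMatch` and compares a textbook nested-quantifier pattern with an equivalent pattern that has no nested quantifier. The patterns, inputs, the 250 ms budget and the `TryIsMatch` helper are constructed for this example.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

static class RegexTimeoutDemo
{
    // Constructed pattern: the nested quantifier lets a backtracking engine
    // split a run of 'a' in exponentially many ways before it can report failure.
    const string Nested = @"^(a+)+$";
    // Accepts the same strings (one or more 'a') without the nested quantifier.
    const string Flat = @"^a+$";

    // Hypothetical helper: true/false for a completed match, null if the budget ran out.
    static bool? TryIsMatch(string pattern, string input, TimeSpan timeout)
    {
        try
        {
            return Regex.IsMatch(input, pattern, RegexOptions.None, timeout);
        }
        catch (RegexMatchTimeoutException)
        {
            // Fail closed: reject the input and record the event for monitoring.
            return null;
        }
    }

    static void Main()
    {
        var timeout = TimeSpan.FromMilliseconds(250); // assumed per-match budget
        foreach (int n in new[] { 10, 20, 30, 40 })
        {
            // Constructed input: n 'a' characters, then '!' so the match must fail.
            string input = new string('a', n) + "!";
            foreach (string pattern in new[] { Nested, Flat })
            {
                var sw = Stopwatch.StartNew();
                bool? result = TryIsMatch(pattern, input, timeout);
                sw.Stop();
                string outcome = result.HasValue ? result.ToString() : "TIMEOUT";
                Console.WriteLine($"{pattern,-10} n={n,-3} {outcome,-8} {sw.ElapsedMilliseconds} ms");
            }
        }
    }
}
```

Actual timings depend on the runtime version and the engine's optimizations; the point is that the timeout caps the cost of any single match regardless of the pattern or input.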

Marcin Hoppe is a software engineer with a deep interest in information security. He leads the Product Security team at Auth0, an identity platform for application builders. He's an open source contributor. He leads the Open Source Security Foundation Vulnerability Disclosures Working Group and he's a member of the Node.js Ecosystem Security Working Group under the OpenJS Foundation.
He's focused on running the bug bounty program for third-party Node.js packages. He is passionate about building secure applications and promoting security best practices.
You can find him on Twitter: https://twitter.com/marcin_hoppe