Module 2

Secure Software Development (Computer Science)

Unit 4

Exploring Programming Language Concepts

Learning Outcomes

  • Explain how and when to use regular expressions in solutions.
  • Describe how and when to use recursion in solutions.
  • Discuss the security implications of both approaches.

e-Portfolio Component: Programming language concepts

Read Larson (2018) and Weidman (n.d.), then answer the questions below, adding your answers as evidence to your e-portfolio. You may want to complete this activity in conjunction with or after completing Seminar 2 preparation.

1. What is ReDOS and what part do ‘Evil Regex’ play?

  • ReDoS (Regular expression Denial of Service) is an attack in which a regular expression that takes a very long time to evaluate on particular inputs is deliberately fed those inputs, so that the application burns CPU time on matching and stops serving other requests (OWASP Foundation, N.D.).
  • It occurs when a pattern can match the same text in many different ways, typically because of nested quantifiers such as (a+)+ or overlapping alternations such as (a|a)+. A backtracking engine that fails to match tries every way of splitting the input before giving up, so the number of paths, and with it the running time, grows exponentially with input length. The dangerous case is input that almost matches: a long run of valid characters followed by one character that forces the overall match to fail.
  • 'Evil Regex' is OWASP's term for a pattern with this property, i.e. one that can be made to hang by crafted input. The pattern is usually written innocently by a developer; the attacker supplies the input that triggers the backtracking, or, where an application lets users supply patterns (search filters, custom validation rules), supplies the evil pattern itself.

2. What are the common problems associated with the use of regex? How can these be mitigated?

Common Regex Problems:
  • Complexity and Readability: large patterns are hard to read, review and maintain, so mistakes survive code review.
  • Incorrect Matching: an unanchored or under-specified pattern accepts input it was meant to reject (for example, a digits-only check that passes "123abc" because it only tests for a match somewhere in the string), and subtle errors in escaping or character classes change the meaning without raising any error.
  • Performance Issues: patterns with nested quantifiers or overlapping alternations backtrack exponentially on near-miss input, consuming CPU time out of all proportion to the input size.
  • Security Vulnerabilities: the performance problem becomes ReDoS as soon as the input is attacker-controlled, and a pattern assembled from user input by string concatenation lets the attacker supply the pattern itself (regex injection), which can hang any backtracking engine or bypass the check the pattern was meant to enforce.
Mitigating Regex Problems:
  • For attacker-controlled input, prefer an engine with a linear-time guarantee (RE2, Go's regexp, Rust's regex crate) or one that supports a match timeout (.NET's Regex); where a backtracking engine such as Python's re or Java's java.util.regex must be used, never run attacker-supplied patterns.
  • Review every pattern that touches untrusted input for nested quantifiers, overlapping alternations and missing anchors; linters catch the obvious constructs, but a human still needs to check that the pattern matches what it is meant to match.
  • Test each pattern with valid input, invalid input and near-miss input of increasing length, and fail the test if matching time grows faster than linearly.
  • Keep patterns small and anchored, bound every repetition ({1,64} rather than +), limit input length before it reaches the engine, and split complex validation into several simple patterns or plain code.
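
To make the first two answers concrete, here is an added example (written for this portfolio page, not taken from OWASP, Larson or Weidman) that times an evil pattern against near-miss input and shows two of the mitigations: rewriting the pattern without the nested quantifier, and bounding input length before it reaches the engine. It uses only Python's standard backtracking re module; the patterns, the inputs and the length limit are constructed for illustration.

```python
import re
import time

# Evil pattern: the nested quantifier (a+)+ lets the engine split a run of
# 'a's into groups in 2^(n-1) ways, and on input that almost matches
# ("aaa...a!") every split is tried before the overall match fails.
EVIL = re.compile(r"^(a+)+$")

# Same language (one or more 'a') without the nesting: there is one way to
# consume the run, so a failure is found in time linear in the input length.
SAFE = re.compile(r"^a+$")

# Input-length bound applied before any pattern runs (constructed value).
MAX_LEN = 32


def time_match(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def guarded_match(pattern, text, max_len=MAX_LEN):
    """Reject oversized input before it reaches the backtracking engine."""
    if len(text) > max_len:
        return False
    return pattern.match(text) is not None


def main():
    for n in (12, 16, 20):
        near_miss = "a" * n + "!"   # constructed input: valid run, then a failure
        for name, pat in (("evil", EVIL), ("safe", SAFE)):
            matched, secs = time_match(pat, near_miss)
            print(f"n={n:2d} {name}: matched={matched} time={secs * 1000:9.3f} ms")
    # The guard stops a 100-character near miss from ever reaching EVIL.
    print("guarded evil, 100 chars:", guarded_match(EVIL, "a" * 100 + "!"))


if __name__ == "__main__":
    main()
```

Running it shows the evil row's time roughly doubling each time n grows by one while the safe row stays flat, so a few extra characters turn milliseconds into seconds. The length bound on its own is not enough for this pattern: a MAX_LEN of 32 still permits about 2^31 backtracking paths, so the bound is defence in depth and the pattern rewrite is the real fix. Python's re has no match timeout; for attacker-controlled input, an engine with a linear-time guarantee is the stronger option.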

3. How and why could regex be used as part of a security solution?

  • Input validation: an anchored, bounded pattern that describes exactly what is acceptable (an allowlist) rejects malformed data at the boundary, before it reaches parsers, databases or templates.
  • Pattern extraction: locating identifiers such as e-mail addresses, phone numbers or IP addresses in logs and free text, for example to pull indicators out of alerts.
  • Search and replace when working with files, including redacting secrets or personal data before logs are stored or shared.
  • Detection of injection attempts: a blocklist pattern for SQL injection or cross-site scripting (XSS) fragments can flag suspicious input for logging and alerting, but it should not be the control that prevents the attack. A blocklist describes a sample of known payloads rather than the set of valid input and is routinely bypassed by encoding and syntax variants; the actual defence is parameterised queries for SQL and context-aware output encoding for XSS, with allowlist validation as defence in depth.
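
As an added illustration of the last two points (example written for this page, not code from OWASP or the cited readings), the block below contrasts allowlist validation, which describes exactly what is acceptable, with a blocklist "SQL injection filter" of the kind the last bullet warns against. The field names, patterns, length limit and payload strings are constructed for the example; the blocklist is deliberately naive so that the bypass is visible.

```python
import re

# Allowlist patterns: anchored via fullmatch(), bounded repetition, no nested
# quantifiers. Each describes exactly what is acceptable (constructed examples).
ALLOWLIST = {
    # 3-32 characters, letters, digits or underscore, starting with a letter
    "username": re.compile(r"[A-Za-z][A-Za-z0-9_]{2,31}"),
    # YYYY-MM-DD shape only; calendar validity (e.g. 2024-02-30) is checked elsewhere
    "iso_date": re.compile(r"\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])"),
    # 11-digit UK mobile shape starting 07 (illustrative, not a full number check)
    "uk_mobile": re.compile(r"07\d{9}"),
}

# Length bound applied before any pattern runs, so a careless future pattern
# change cannot be driven with megabytes of input.
MAX_LEN = 64


def validate(field, value, max_len=MAX_LEN):
    """Allowlist validation: bound the length, then require a full match."""
    if len(value) > max_len:
        return False
    return ALLOWLIST[field].fullmatch(value) is not None


# Naive blocklist of the kind often proposed as an "SQL injection detector".
# It lists a few payload fragments instead of describing valid input.
SQLI_BLOCKLIST = re.compile(r"(?i)\bunion\s+select\b|--|;")


def blocklist_allows(value):
    """True when the blocklist does not flag the value, i.e. the filter lets it through."""
    return SQLI_BLOCKLIST.search(value) is None


def main():
    checks = [
        ("username", "alice_01"),
        ("username", "alice' OR 1=1--"),
        ("iso_date", "2024-10-11"),
        ("iso_date", "2024-13-01"),
        ("uk_mobile", "07700900123"),
    ]
    for field, value in checks:
        print(f"allowlist {field:9s} {value!r:24s} -> {validate(field, value)}")

    # Constructed payloads: the first is caught, the next two slip past the blocklist.
    for payload in ("1 UNION SELECT password FROM users",
                    "1 UNION/**/SELECT password FROM users",
                    "1 OR 1=1"):
        print(f"blocklist allows {payload!r:40s} -> {blocklist_allows(payload)}")


if __name__ == "__main__":
    main()
```

The allowlist rejects the injection string simply because it is not a valid username, without knowing anything about SQL. The blocklist catches the obvious payload but passes UNION/**/SELECT, which MySQL accepts because a comment serves as a token separator, and passes 1 OR 1=1, which contains none of the listed fragments. Regex validation belongs at the input boundary; parameterised queries and output encoding are what actually prevent the injection.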

References:

OWASP Foundation (N.D.) Regular expression Denial of Service - ReDoS. Available from: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS [Accessed 11 October 2024].

Meeting Notes

Meeting 1
  • Date: 25 August 2024
  • Time (UK): 14:00–15:00
  • Venue: Google Meet
  • Attendees: Adriaan Joubert, Hristo Todorov, and Shraddha Gore
  • Agenda:
    • Allocated work between teammates.
    • Decided on the scope of each section.
  • Next steps:
    • Schedule a meeting to work together on the collaborative sections.

Reflection

  • Unit 4 was relatively less demanding. As a software engineer, I am familiar with regular expressions. However, the concept of 'evil' regular expressions was new to me. This prompted me to reflect on the potential for inadvertently creating such expressions in my own work.

Address

Mumbai, India