Hello, welcome to the Tuesday, August 21st, 2018 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Stockholm, Germany.

An old saying in the Unix world is that if you have a problem and you're trying to solve it with a regular expression, well, you end up with two problems.

Regular expressions are very handy if you're trying to validate complex patterns, but that comes at a cost.

Regular expressions are also very complex to analyze. This often leads to regular expression denial of service or redos vulnerabilities.

In a recent paper published last week at Eusenix, some German researchers took a look at this

problem for Node.js modules. As part of the work, they found 25 popular notable Node.js modules.

Again, this is just the denial of service attack, but a simple request may keep your server

busy for at least several seconds in some cases longer.

As part of the paper, they published a couple of the

regular expressions that they found to be vulnerable. Not all of them are terribly complex.

One for example just looks for spaces followed by a comma followed by spaces. So sometimes

it may be possible to use something else than a regular expression.

And that's really your first solution here. Whenever you use a regular expression, think if you can

accomplish the same thing without it, for example, by checking if certain characters are just

present, or to see if a string, for example, is numeric or not.

And usually you have some C-LIP functions that can accomplish that much more efficiently.

Another way to mitigate this problem somewhat is just to limit the overall size of the string.

So limiting it to something reasonable can also help with this

vulnerability or at least limit the impact of it.

And then we got a couple more details about the SSH username enumeration.

Did he wrote up some of the things that we know about it so far he has

played with it quite a bit now one thing you may have noticed is that there are no real good

...