
CAPEC-492: Regular Expression Exponential Blowup

Abstraction
Standard
Status
Draft

Description

An adversary may execute an attack on a program that uses a poor Regular Expression (Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is because most regex implementations are backtracking engines: they explore the pattern's Nondeterministic Finite Automaton (NFA) one path at a time, backing up and trying the next alternative on failure, which is what lets them support features such as backreferences. On a pattern whose quantifiers nest or overlap, for example (a+)+$, a non-matching input of n characters can be divided among the quantifiers in roughly 2^n ways, and the engine tries every one before reporting failure. An engine that simulates the NFA by advancing all live states in lock step rejects the same input in time linear in its length, so the blowup is a property of backtracking implementations, not of the NFA itself.
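The following is an added worked example, not part of the MITRE CAPEC entry: two toy matchers for the ambiguous pattern (a+)+$ and its unambiguous rewrite a+$, each counting the work spent rejecting a constructed input of n letters "a" followed by "!". The backtracking matcher needs 2^n - 1 steps on the nested pattern but only n on the flat one; a Thompson-style NFA simulation of the same nested pattern needs about 2n. The stdlib timing at the end shows CPython's own backtracking re module behaving like the toy backtracker. The state numbering, the attack_input helper and the step-counting conventions are choices made for this example.

```python
"""Added example (not MITRE's code): exponential blowup in a backtracking
regex matcher versus linear NFA simulation, on the pattern (a+)+$."""
import re
import time


def attack_input(n):
    # Constructed adversarial input: the trailing '!' guarantees that the
    # anchored pattern can never match, so the engine must exhaust every way
    # of grouping the a's before it can fail.
    return "a" * n + "!"


def backtrack_steps_nested(n):
    """Steps a greedy backtracking matcher spends rejecting (a+)+$ on attack_input(n).

    Each group boundary the inner a+ commits to counts as one step.  There are
    2^(n-1) ways to split n a's into non-empty groups and all are tried, so the
    total is 2^n - 1 (hypothetical toy matcher, not a real engine).
    """
    s = attack_input(n)
    steps = 0

    def inner_plus(i, cont):
        # a+ from position i: match greedily, then offer each shorter choice
        # to the continuation cont, backing off one character at a time.
        nonlocal steps
        j = i
        while j < len(s) and s[j] == "a":
            j += 1
        while j > i:
            steps += 1
            if cont(j):
                return True
            j -= 1
        return False

    def outer_plus(i):
        # (a+)+ : one group, followed by either the end anchor or another group.
        return inner_plus(i, lambda j: j == len(s) or outer_plus(j))

    outer_plus(0)
    return steps


def backtrack_steps_flat(n):
    """Same greedy backtracker on the unambiguous rewrite a+$ : one step per character."""
    s = attack_input(n)
    steps = 0
    j = 0
    while j < len(s) and s[j] == "a":
        j += 1
    while j > 0:
        steps += 1
        if j == len(s):      # end anchor satisfied
            return steps
        j -= 1
    return steps


def nfa_steps_nested(n):
    """Thompson-style simulation of (a+)+$ : every live state is advanced once per
    input character, so work is bounded by len(input) * number_of_states.

    Returns (matched, steps).  Hand-built NFA (assumed layout for this example):
    state 0 -a-> 1, state 1 -a-> 1 (inner +), state 1 -eps-> 0 (outer + restart),
    state 1 accepting.
    """
    s = attack_input(n)
    on_a = {0: {1}, 1: {1}}
    eps = {0: set(), 1: {0}}

    def closure(states):
        out, stack = set(states), list(states)
        while stack:
            st = stack.pop()
            for t in eps[st]:
                if t not in out:
                    out.add(t)
                    stack.append(t)
        return out

    live = closure({0})
    steps = 0
    for ch in s:
        nxt = set()
        for st in live:
            steps += 1
            if ch == "a":
                nxt |= on_a[st]
        live = closure(nxt)
        if not live:
            break                 # no state can consume the rest: reject early
    return (1 in live), steps


def stdlib_seconds(n, pattern=r"^(a+)+$"):
    """Wall-clock time for CPython's backtracking re module on the same input."""
    t = time.perf_counter()
    re.match(pattern, attack_input(n))
    return time.perf_counter() - t


if __name__ == "__main__":
    print("n  backtrack(a+)+$  backtrack a+$  nfa(a+)+$  re.match seconds")
    for n in (8, 12, 16, 20):
        print(n, backtrack_steps_nested(n), backtrack_steps_flat(n),
              nfa_steps_nested(n)[1], round(stdlib_seconds(n), 4))
```

Doubling n by a few characters multiplies the backtracking column (and the re.match time) many times over while the flat and NFA columns grow in proportion to n, which is the whole attack: the adversary controls n. The practical checks are to rewrite patterns so that no two quantifiers can consume the same characters, to cap the length of attacker-controlled input before it reaches the regex, and where the engine can be chosen, to use one with the linear-time guarantee (Go's regexp, Rust's regex crate, RE2).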

Related weaknesses (2)

CWE-400 Uncontrolled Resource Consumption
CWE-1333 Inefficient Regular Expression Complexity

Related attack patterns (1)

CAPEC-130 Excessive Allocation (ChildOf)

Exploits (2)

Type      Target                                      ID        Confidence  Tier
Weakness  Uncontrolled Resource Consumption           CWE-400   100%        live
Weakness  Inefficient Regular Expression Complexity   CWE-1333  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Exponential Data Expansion
CAPEC: Quadratic Data Expansion
CAPEC: Overflow Buffers
CAPEC: Serialized Data Parameter Blowup
CAPEC: Buffer Overflow via Parameter Expansion
CAPEC: Filter Failure through Buffer Overflow
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.