The application appears to be utilizing user input to dynamically build regular expressions (regex).
The following request appears to be including user input when constructing regex expressions:
GET /WebAPI/featureextraction/query/prevalence/10/OPTUM?domain=demographic$
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/55.0.2883.87
Safari/537.36
Accept: / Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: null X-Requested-With: XMLHttpRequest
Connection: close
Cache-Control: no-transform
The server response indicates that the $ character is being interpreted as part of a regular expression:
HTTP/1.1 500
Connection: close
Content-Length: 18127
{
"payload":
{
"cause": null,
"stackTrace": [
{
"methodName": "appendReplacement",
"fileName": "Matcher.java",
"lineNumber": 857,
"className": "java.util.regex.Matcher",
"nativeMethod": false
},
…
…
{
"methodName": "run",
"fileName": "Thread.java",
"lineNumber": 748,
"className": "java.lang.Thread",
"nativeMethod": false
}
],
"message": "Illegal group reference",
"localizedMessage": "Illegal group reference",
"suppressed": []
},
Error Indicating a Failed Regular Expression
It did not appear that this finding could be abused by an anyone, however, there may be instances where a person could submit a regex value which would consume excessive system resources, creating a denial of service condition.
Recommendation(s)
The application should ensure that user input is not directly utilized when creating server side evaluations. In cases where this functionality is desired, the input should be sufficiently validated to ensure it is of well-formed and expected content, rejecting values which do not meet pre-defined constraints.
ReferencesCWE-20:
Improper Input Validation: https://cwe.mitre.org/data/definitions/20.html
The application appears to be utilizing user input to dynamically build regular expressions (regex).
The following request appears to be including user input when constructing regex expressions:
GET /WebAPI/featureextraction/query/prevalence/10/OPTUM?domain=demographic$
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/55.0.2883.87
Safari/537.36
Accept: / Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: null X-Requested-With: XMLHttpRequest
Connection: close
Cache-Control: no-transform
The server response indicates that the $ character is being interpreted as part of a regular expression:
HTTP/1.1 500
Connection: close
Content-Length: 18127
{
"payload":
{
"cause": null,
"stackTrace": [
{
"methodName": "appendReplacement",
"fileName": "Matcher.java",
"lineNumber": 857,
"className": "java.util.regex.Matcher",
"nativeMethod": false
},
…
…
{
"methodName": "run",
"fileName": "Thread.java",
"lineNumber": 748,
"className": "java.lang.Thread",
"nativeMethod": false
}
],
"message": "Illegal group reference",
"localizedMessage": "Illegal group reference",
"suppressed": []
},
Error Indicating a Failed Regular Expression
It did not appear that this finding could be abused by an anyone, however, there may be instances where a person could submit a regex value which would consume excessive system resources, creating a denial of service condition.
Recommendation(s)
The application should ensure that user input is not directly utilized when creating server side evaluations. In cases where this functionality is desired, the input should be sufficiently validated to ensure it is of well-formed and expected content, rejecting values which do not meet pre-defined constraints.
ReferencesCWE-20:
Improper Input Validation: https://cwe.mitre.org/data/definitions/20.html