If the server component or an app library is not specifically designed to handle various edge cases, the attacker’s input can end up blocking the entire app or server for seconds or minutes at a time, while the server analyzes and pattern-matches the input.
When a ReDoS attack hits, this ends up clogging the entire server, rather than slowing down one particular operation.
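To make the mechanism concrete, here is an added example (not code from the article or from any library it cites) that puts a regex with nested quantifiers, the classic catastrophic-backtracking shape, beside a linear-time rewrite and a length guard. The pattern, the cap and the inputs are constructed for illustration.

```javascript
// Vulnerable (constructed): (a+)+ can split a run of "a" into exponentially
// many groupings. On a non-matching input the trailing "$" fails, and the
// engine tries every grouping before giving up, blocking the event loop.
const VULNERABLE = /^(a+)+$/;

// Hardened (constructed): a single quantifier with no ambiguity, so each
// character is consumed exactly once and a failure is found in linear time.
const HARDENED = /^a+$/;

const MAX_INPUT_LEN = 64; // constructed cap: reject oversized input before matching

function matchVulnerable(input) {
  return VULNERABLE.test(input);
}

function matchHardened(input) {
  if (input.length > MAX_INPUT_LEN) return false; // O(1) guard, no regex work
  return HARDENED.test(input);
}

// Wall-clock timing of a single match; useful for spotting patterns whose
// cost grows with input length instead of staying flat.
function timeMatch(fn, input) {
  const t0 = process.hrtime.bigint();
  const result = fn(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { result, ms };
}

// Each extra "a" before the "!" roughly doubles the vulnerable pattern's
// work, while the hardened pattern stays flat.
function demo(lengths = [16, 20, 24]) {
  return lengths.map((n) => {
    const input = 'a'.repeat(n) + '!'; // constructed non-matching input
    return {
      n,
      vulnerableMs: timeMatch(matchVulnerable, input).ms,
      hardenedMs: timeMatch(matchHardened, input).ms,
    };
  });
}

console.table(demo());
```

Both patterns accept the same strings; the difference only shows on inputs that fail to match, which is exactly what an attacker controls.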
ReDoS attacks known since 2012, but gaining momentum
Subsequent research published in 2017 revealed that 5% of the total vulnerabilities found in Node.js libraries and applications were ReDoS vulnerabilities.
But according to research presented at a security conference last week, the ReDoS issue is…