Steps to Reproduce
It’s possible in versions of Angular starting from 1.4.9 to conduct a Regular Expression Denial of Service (ReDoS) attack via the <input type="url"> element. If a malicious actor carefully composes an insecure regular expression that is used by the input[url] function, catastrophic backtracking and monopolization of system resources can occur. A proof of concept demonstrating this exploit is available on StackBlitz.
Addressing the Issue
The fix for this exploit is available in AngularJS XLTS/NES versions 1.9.1 and 1.5.17; site owners should update to these versions.
Learning and Prevention
ReDoS attacks have the target system attempt to solve a regular expression pattern match that will take a long time (thereby denying service to legitimate users of the system). It’s a form of a Denial of Service (DDoS) attack.
In the attack, the regular expression engine executes a set of steps as it attempts to find a match. Some of these steps can be accomplished quickly while others, especially those that fail, take much longer. In this case, when the browser attempts to resolve a regular expression carefully crafted by the attacker, the browser may spend an extraordinary amount of time returning a result as it backtracks to try alternative matches.
Conclusion
The fix described in this vulnerability is present in 1.9.1 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like the peace-of-mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.
Resources
NIST 2023-26118 entry
