
ReDOS – Vulnerability found, but DOS not possible

Çağlar Arlı

I have an API which is protected by AWS CloudFront. I found a ReDoS in one of my API endpoints. The endpoint looks like this:

https://mywebsite.com/api/myendpoint?apikey=xxxx&namefilter=yyyy

The user specifies the apiKey and a namefilter. The API then searches a list of assets by asset name using the given regex namefilter. There is only a little sanitization of the namefilter.

It is possible to send the following regex: ^((((a+)+)+)+)+$

And it is possible to create an Asset with the assetname: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!

Now it is obvious that the endpoint is vulnerable to ReDoS. When I send the request with the regex payload ^((((a+)+)+)+)+$ the request gets cancelled after 1 min 30 sec and throws a 503 error from AWS CloudFront.

I tried to DoS my server by sending 100 requests, but it responded as if nothing had happened.

Is a ReDoS with AWS CloudFront impossible, or am I just sending too few requests?
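
An application-side bound on regex evaluation, as an added example that is not part of the original post: the untrusted namefilter is evaluated in a child interpreter that is killed after a time budget, so a pattern like the one quoted above cannot hold a worker until the CDN-side timeout fires. The function name, the length limit and the timeout are assumptions, and Python stands in for the backend language, which the post does not name.

```python
import subprocess
import sys

# Child program: compiles the untrusted pattern and prints the index of each
# matching name. It runs in its own interpreter so the parent can kill it.
_CHILD = r"""
import re, sys
pattern, names = sys.argv[1], sys.argv[2:]
try:
    rx = re.compile(pattern)
except re.error:
    sys.exit(2)
for i, name in enumerate(names):
    if rx.search(name):
        print(i)
"""

MAX_PATTERN_LEN = 64    # assumed limit; tune to what the API really needs
TIMEOUT_SECONDS = 1.0   # assumed per-request regex budget


def filter_names(pattern, names, timeout=TIMEOUT_SECONDS):
    """Return (status, matches); status is 'ok', 'rejected' or 'timeout'."""
    if len(pattern) > MAX_PATTERN_LEN:
        return "rejected", []
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, *names],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before raising, so the
        # backtracking stops instead of burning CPU in the background.
        return "timeout", []
    if proc.returncode != 0:
        return "rejected", []   # pattern did not compile
    return "ok", [names[int(i)] for i in proc.stdout.split()]


if __name__ == "__main__":
    # Constructed sample data: the pattern and asset name quoted in the post.
    assets = ["alpha", "aaaa", "a" * 35 + "!"]
    print(filter_names("^a+$", assets))               # ('ok', ['aaaa'])
    print(filter_names("^((((a+)+)+)+)+$", assets))   # ('timeout', [])
```

A "timeout" result is worth logging together with the API key, since repeated timeouts from one key are a useful detection signal.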