ReScue is under testing & debugging now.
Using ReScue
Download the zip, decompress it, then:
cd release/
java -jar ReScue.jar
Sample output should be:
Input regex: (?=(a+)+b)aaabx
(?=(a+)+b)aaabx
1: <14 : 4.0 : aaabx>
===Initiate End===
Node Coverage: 14/14
find attack string when cross
===Genetic Algorithm End===
Node Coverage: 14/14
Vulnerable: babaaabbaaaaaaaaaaaaaaaa
100027 : 4001.08 : babaaabbaaaaaaaaaaaaaaaa
100017 : 7144.071428571428 : aaaaaaaaaaaaa
1000029 : aaaaaaaaaaaaaaaaa
1000244 : 27 : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
100000246 : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
TIME: 20.548258612 (s)
Attack success, attack string is:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
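To re-check a reported string outside ReScue without hanging the shell, the match can be run under a time budget. This is an added example, not part of ReScue. It assumes Python's re engine (ReScue targets Java, and the two backtracking engines can behave differently); bounded_search, the budget and the input length 64 are illustrative choices.

```python
import subprocess
import sys

# Child program: search the subject with the pattern and print the outcome.
_CHILD = (
    "import re, sys\n"
    "m = re.search(sys.argv[1], sys.argv[2])\n"
    "print('match' if m else 'no-match')\n"
)


def bounded_search(pattern, subject, budget_s=3.0):
    """Run re.search in a separate interpreter and give up after budget_s.

    Returns 'match', 'no-match' or 'timeout'. A timeout means the engine
    was still backtracking when the budget ran out.
    """
    try:
        done = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, subject],
            capture_output=True, text=True, timeout=budget_s, check=True,
        )
    except subprocess.TimeoutExpired:
        return "timeout"  # subprocess.run has already killed the child
    return done.stdout.strip()


# Regex taken from the sample output above.
PATTERN = r"(?=(a+)+b)aaabx"
# Constructed inputs: a short matching string, and a run of 'a' with no 'b',
# the same shape as the reported attack string (length 64 is chosen here).
BENIGN = "aaabx"
CANDIDATE = "a" * 64

if __name__ == "__main__":
    for label, subject in (("benign", BENIGN), ("candidate", CANDIDATE)):
        print(label, len(subject), bounded_search(PATTERN, subject))
```

Running the match in a child process is what makes the budget enforceable: a regex search inside the current interpreter cannot be interrupted reliably once it starts backtracking.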
Directory
ReScue
├─jars # Put dependencies here (prefuse.jar, etc.)
├─release # ReScue.jar
├─src/cn/edu/nju/moon/redos/
│ ├─attackers
│ │ ├─ga
│ │ │ ├─crossovers
│ │ │ ├─initiators
│ │ │ ├─mutators
│ │ │ └─selectors
│ │ └─pp
│ ├─regex
│ ├─tester # Main classes are here
│ └─utils
└─test
  ├─data # Put regexes txt files here
  └─scripts
    └─extractor # Scripts to extract regexes from projects' source
Dependencies
- JDK 1.8 and Python3
- The prefuse visualization toolkit: prefuse.jar
- junit-4.12.jar
- hamcrest-core-1.3.jar
- commons-lang-2.6.jar
Confirmed ReDoS vulnerabilities
ReDoS vulnerabilities under testing
Document Build Instructions
- This is a temporary solution
- The main class for ReScue is located in cn.edu.nju.moon.redos.tester.RedosTester.java
- To build the jar file, create a Java project in Eclipse on directory ReScue and use File - Export - Runnable JAR File - Launch configuration: RedosTester to generate it
- Do not forget to import dependencies in Java Build Path