False negative: /^.*.*.*a.*$/

[ChALkeR]

Enter a regular expression to analyze:
/^.*.*.*a.*$/
3. pattern = "^.*.*.*a.*$"
NFA constructed in: 1ms
EDA analysis performed in: 12ms
Does not contain EDA
IDA analysis performed in: 792ms
Does not contain IDA
Total analysis time: 805

False negatives: /^.*.*.*a.*$/, /^.*.*a.*$/. Obviously block on a long string of non-a characters.
Ok: /^.*.*.*a$/, /^.*.*a$/, /^.*.*.*a/, etc.

Looks like .* at the end confuses the tool in some cases.
/cc @davisjam

[davisjam]

How are you invoking?

With driver.Main -i /tmp/query-weideman-RegexStaticAnalysis-32079.regex --test-eda-exploit-string=false --ida=true --timeout=0 --simple I get a three-pump attack recommendation. The attack string exhibits catastrophic backtracking in java.

[ChALkeR]

@davisjam I launched ./run.sh 😝

[davisjam]

Ah, I never trust the user interface!

[ChALkeR]

@davisjam Apparently, --simple changes the result.

To clarify: it works correctly with --simple, but gives wrong output when not using --simple.

[davisjam]

The flags are somewhat a mystery to me. I picked the ones I posted above because they seemed to work ;-).

[davisjam]

If @NicolaasWeideman were to post recommendations if multiple variations of flags would be suitable that would be great. No need for dynamic validation since we're interested in JavaScript behavior anyway. But if alternatives to the flags I listed above might result in other vulnerabilities I'd love to hear it.