[Esapi-user] [Esapi-dev] ESAPI URL validation RX is vulnerable to DoS

[Jim Manico]

August, thanks for putting this issue in the Google tracker

 

http://code.google.com/p/owasp-esapi-java/issues/detail?id=158

 

I'll have a new URL validation function done using the Java URL class
shortly. I'll submit a patch for review before committing it.

 

Thanks Mostafa + August,

Jim

 

From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Mostafa Siraj
Sent: Thursday, October 14, 2010 6:39 PM
To: Esapi-dev at lists.owasp.org; esapi-user at lists.owasp.org
Subject: [Esapi-dev] ESAPI URL validation RX is vulnerable to DoS

 

Hello,

Microsoft release a regex fuzzer tool, the tool purpose is to identify weak
regular expressions that are vulnerable to Denial of Service (DoS)

I tested the tool against the default regular expressions in
validation.properties on ESAPI and found that 
Validator.URL is vulnerable to DoS

Validator.URL=
^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-z
A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$

Attack Vector=
https\:\/\/8\\\.\.-\w-..w\-hw\w\\\-www-ww-w\.-\w-y.---w\.-ww\-..fw\\\\.--w-w
.-\.\w.ww-i\\\9.\.-w--.w..-\-w-\w-a.-\-.\-ww\F\-\2.-O.\.w.ww..w.www1-w-ww\-w
-----w--w.\..8w-w-..-.w\..9:0-90-90-90-90-90-90-90-90-90-9:0-90-90-90-90-90-
90-9:0-90-90-90-90-90-90-90-90-90-9:0-90-90-90-90-90-90-90-90-90-9:0-90-90-9
0-90-90-90-9\/a8bL=gqolzH+#wM029=z$z:rb42,#D6WKAz_l#T_;#w#lweJ=$%ya.:=$a:d/3
lw,A94i8S5;+va'gwU;%Z8,2V450#bLrltP+dt;zk%AVgk+5'A##xk=A.#=2=e2H_?x+99/Azch9
n:e=6E2+:a61?+,;\1f2oTKG0,R=D_zdC&ZsjiIv#G1H1tz8$4,#zFfnv93MAx#50++?NB:A=PSe
#&vXPQ7/Ac/O+cz'j;14y=Y'\qe\/_#Kn6Pc.y4%jF;=pt'Z_2_%U0i0n%RYTaqtqfLv4+#Lq%=s
+A?W#X?Qx17Z2ge=3I,;A:_a:MBf,2E0N++=u6CzeE8FZ?L0j'#aS1h;\+?a,yz&b6z5.kD+_k8f
=0&5+5=6p/zSPj3YRY0%_k#\Cxp#L.+k;3x?h?9+,.sr-

You can download Microsoft Regex Fuzzer from this link
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4
291-9034-caa71855451f> 

You can test the vulnerable regular expression against the attack vector
using any Regex tool like Rad <http://www.radsoftware.com.au/regexdesigner/>


An article that shows how regular expression DoS can be used to harm SaS
investors is here
<http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regex-fuzzer.as
px> 


-- 

Best Regards,

Mostafa Siraj <http://twitter.com/mostafasiraj> 

 

Our deepest fear is not that we are inadequate. Our deepest fear is that we
are powerful beyond measure. It is our light, not our darkness, that most
frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous?Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing enlightened
about shrinking so that other people won't feel insecure around you. We are
all meant to shine, as children do. We are born to make manifest the glory
of God that is within us. It's not just in some of us, it's in everyone. And
as we let our own light shine, we unconsciously give other people permission
to do the same. As we are liberated from our own fear, our presence
automatically liberates others. - Nelson Mandela

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20101029/7e625a17/attachment.html