[Esapi-user] ESAPI URL validation RX is vulnerable to DoS

Mostafa Siraj mostafa.siraj at gmail.com
Thu Oct 14 09:09:22 EDT 2010


Microsoft release a regex fuzzer tool, the tool purpose is to identify weak
regular expressions that are vulnerable to Denial of Service (DoS)

I tested the tool against the default regular expressions in
validation.properties on ESAPI and found that
Validator.URL is vulnerable to DoS


Attack Vector=
You can download Microsoft Regex Fuzzer from this
You can test the vulnerable regular expression against the attack vector
using any Regex tool like Rad <http://www.radsoftware.com.au/regexdesigner/>
An article that shows how regular expression DoS can be used to harm SaS
investors is here<http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regex-fuzzer.aspx>

 Best Regards,
Mostafa Siraj <http://twitter.com/mostafasiraj>

Our deepest fear is not that we are inadequate. Our deepest fear is that we
are powerful beyond measure. It is our light, not our darkness, that most
frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous?Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing enlightened
about shrinking so that other people won't feel insecure around you. We are
all meant to shine, as children do. We are born to make manifest the glory
of God that is within us. It's not just in some of us, it's in everyone. And
as we let our own light shine, we unconsciously give other people permission
to do the same. As we are liberated from our own fear, our presence
automatically liberates others. - Nelson Mandela
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20101014/def95196/attachment.html 

More information about the Esapi-user mailing list