[Esapi-user] RegEx

Jeff Williams jeff.williams at owasp.org
Wed Jan 26 16:40:33 EST 2011

Come on Jim, this regex DOS isn't a problem with the speed of regex, it's a
problem of using safe regex in the first place.

Also - the example just doesn't work.  I tested the ESAPI Validator.URL
regex against the provided attack string a million times and I get the exact
same speed as before.  Takes 0. 000295 ms per match operation.  Always check
your evidence counselor.  I find you in contempt of court.  Judgement: his
honor.  Please see the clerk to pay your fine and court costs. Do not pass
go and do not collect $200.

My main point is that validation is critically important to security, and
people often push back because they perceive a possible performance problem.
When you look at the time it takes to connect to a database, execute
queries, generate UI components, etc...  the idea that you can better your
performance by skimping on validation is dangerous lunacy.


-----Original Message-----
From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, January 26, 2011 3:50 PM
To: Jeff Williams
Cc: ESAPI-Developers; ESAPI Users List
Subject: [Esapi-user] RegEx

> A regex doesn't take anywhere close to a tenth of a second.  

PS: This is absolutely, positively an incorrect statement. (Or worse, a
misleading statement).

The evidence, your honor:

Maybe when you get up to "billions of request" you will start using test
cases of this nature. (joking)

;)  Jim
Esapi-user mailing list
Esapi-user at lists.owasp.org

More information about the Esapi-user mailing list