jeff.williams at owasp.org
Wed Jan 26 16:40:33 EST 2011
Come on Jim, this regex DOS isn't a problem with the speed of regex, it's a
problem of using safe regex in the first place.
Also - the example just doesn't work. I tested the ESAPI Validator.URL
regex against the provided attack string a million times and I get the exact
same speed as before. Takes 0.000295 ms per match operation. Always check
your evidence counselor. I find you in contempt of court. Judgement: his
honor. Please see the clerk to pay your fine and court costs. Do not pass
go and do not collect $200.
My main point is that validation is critically important to security, and
people often push back because they perceive a possible performance problem.
When you look at the time it takes to connect to a database, execute
queries, generate UI components, etc... the idea that you can better your
performance by skimping on validation is dangerous lunacy.
From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, January 26, 2011 3:50 PM
To: Jeff Williams
Cc: ESAPI-Developers; ESAPI Users List
Subject: [Esapi-user] RegEx
> A regex doesn't take anywhere close to a tenth of a second.
PS: This is absolutely, positively an incorrect statement. (Or worse, a
The evidence, your honor:
Maybe when you get up to "billions of request" you will start using test
cases of this nature. (joking)
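The disagreement above is really about whether a given validator pattern can backtrack catastrophically, and that is something you can measure rather than argue. The following is an added example, not code from the ESAPI project or from either poster, and it does not reproduce the ESAPI Validator.URL regex (the thread does not quote it). It uses two constructed patterns: a nested-quantifier shape that is known to backtrack exponentially, and a linear rewrite that accepts the same strings. The check times a pattern against a worst-case input of growing length and flags it when each step up in input size multiplies the match time by a large factor, which is the signature of exponential backtracking rather than the flat cost Jeff measured. The same test applies unchanged to `java.util.regex`, since both engines are backtracking matchers.

```python
import re
import time

# Constructed patterns for the demonstration (assumptions, not ESAPI's own).
NESTED_QUANTIFIER = r"^(a+)+$"   # classic catastrophic-backtracking shape
LINEAR_EQUIVALENT = r"^a+$"      # matches the same language without nesting


def worst_case_input(n: int) -> str:
    """n 'a's followed by a character that makes the overall match fail, so a
    backtracking engine tries every way of splitting the 'a's between the
    nested groups before giving up."""
    return "a" * n + "!"


def time_match(pattern: str, text: str, repeats: int = 3) -> float:
    """Seconds for one match attempt; the minimum over `repeats` runs filters
    out scheduler noise, which matters for the sub-microsecond cases."""
    compiled = re.compile(pattern)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratios(pattern: str, sizes=(12, 16, 20)) -> list:
    """Ratio of match time between consecutive input sizes. A well-behaved
    pattern gives ratios near 1 to 2 for these small steps; an exponential
    one gives roughly 2**4 = 16 per 4 extra characters."""
    times = [time_match(pattern, worst_case_input(n)) for n in sizes]
    return [later / max(earlier, 1e-9) for earlier, later in zip(times, times[1:])]


def backtracks_catastrophically(pattern: str, threshold: float = 8.0) -> bool:
    """True when the final size step multiplies the match time by more than
    `threshold`. Use this on validator patterns before deployment; a True
    result means the pattern, not regex speed in general, is the problem."""
    return growth_ratios(pattern)[-1] > threshold


def same_verdicts(p1: str, p2: str, samples=("a", "aaaa", "", "aab", "b")) -> bool:
    """Confirm a rewritten pattern still accepts and rejects the same inputs,
    so the fix does not silently loosen or tighten validation."""
    return all(bool(re.match(p1, s)) == bool(re.match(p2, s)) for s in samples)


if __name__ == "__main__":
    for name, pat in (("nested", NESTED_QUANTIFIER), ("linear", LINEAR_EQUIVALENT)):
        ratios = ", ".join(f"{r:.1f}x" for r in growth_ratios(pat))
        print(f"{name:7} {pat!r:12} growth per +4 chars: {ratios}"
              f"  catastrophic={backtracks_catastrophically(pat)}")
    print("patterns agree on samples:", same_verdicts(NESTED_QUANTIFIER, LINEAR_EQUIVALENT))
```

Run it once and the nested pattern climbs by an order of magnitude per step while the linear one stays flat, which is the distinction the two posts are talking past each other on: the million-iteration benchmark only tells you about the pattern and input you happened to try. Sizes are kept small so the bad case finishes in well under a second; raising them by a few characters makes the nested pattern take seconds, then minutes.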