[Esapi-user] RegExDOS and ESAPI

Jim Manico jim.manico at owasp.org
Wed Jan 26 17:07:04 EST 2011


Nice comments, Jeff. Thanks for playing ball and using the Google code
tracker - we need more of this.

***

Comment #5 on issue 158 by planetlevel: ESAPI URL validation RX is vulnerable to DoS
http://code.google.com/p/owasp-esapi-java/issues/detail?id=158

I think perhaps there are two things going on here. First is the \w
inside the character set. This seems to be a wrong attempt to include
alphanumeric characters. The second thing is the double escape \\ syntax
that you have to use with Java. The real regex (as seen by Java) is:

^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$

I suspect that the tool was using the escaped version which may have
caused misfires. Testing the regex against the provided attack does not
seem to cause a DoS problem on Java.
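The two points in the quoted comment (the \w inside the character class, and the single-vs-double escaping of the pattern) are easiest to check by running the regex rather than reading it. The script below is an added example written for this page; it is not ESAPI code and not the fix that was eventually committed. It takes the regex exactly as quoted above (as the Java engine sees it, so a Python raw string needs no further escaping), times it against a constructed input that can only fail after backtracking, and compares it with `SAFER_URL_RX`, a hypothetical rewrite of my own in which the ambiguous host group `([-.\w]*[0-9a-zA-Z])*` is replaced by a single optional tail that accepts the same host strings. Python's `re` is used as a stand-in for `java.util.regex`; both are backtracking engines, but timings differ by engine, so the growth factor, not any absolute time, is what to look at. The `re.ASCII` flag is an assumption made so that `\w` behaves like Java's ASCII-only default.

```python
import re
import time

# The ESAPI URL regex exactly as quoted in the comment above, i.e. as the
# Java engine sees it after the string-literal "\\" escapes are resolved.
# A Python raw string needs no second layer of escaping.
ESAPI_URL_RX = re.compile(
    r"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)"
    r"([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_]*)?$",
    re.ASCII,  # assumption: mimic Java's ASCII-only \w
)

# Hypothetical rewrite of my own (not ESAPI's): because \w already contains
# [0-9a-zA-Z], the group ([-.\w]*[0-9a-zA-Z])* can split a run of letters
# between its two parts in exponentially many ways. One optional tail
# [-.\w]*[0-9a-zA-Z] accepts exactly the same host strings; the remaining
# overlap between the host class and the path class costs at most quadratic
# work on a failing input, never exponential. The literal (0-9) is replaced
# by the class [0-9] that was evidently intended for the port.
SAFER_URL_RX = re.compile(
    r"^(ht|f)tps?://[0-9a-zA-Z](?:[-.\w]*[0-9a-zA-Z])?(?::[0-9]*)?/?"
    r"[a-zA-Z0-9\-.?,:'/\\+=&%$#_]*$",
    re.ASCII,
)


def attack_url(n: int) -> str:
    """Constructed input: n host letters followed by '!', a character no part
    of either pattern accepts, so the match can only fail after the engine
    has tried every way of splitting the letters between the sub-patterns."""
    return "http://" + "a" * n + "!"


def is_valid_url(rx: re.Pattern, url: str) -> bool:
    """Whole-string match, the same contract as ESAPI's validator."""
    return rx.fullmatch(url) is not None


def match_seconds(rx: re.Pattern, text: str) -> float:
    """Wall-clock time of one fullmatch attempt."""
    start = time.perf_counter()
    rx.fullmatch(text)
    return time.perf_counter() - start


def growth_per_char(rx: re.Pattern, start: int, stop: int) -> float:
    """Average factor by which matching time grows per extra host letter
    between attack_url(start) and attack_url(stop). A value near 2.0 is the
    signature of exponential backtracking; a value near 1.0 means the extra
    characters are being handled in (roughly) linear time."""
    t0 = max(match_seconds(rx, attack_url(start)), 1e-9)
    t1 = max(match_seconds(rx, attack_url(stop)), 1e-9)
    return (t1 / t0) ** (1.0 / (stop - start))


if __name__ == "__main__":
    # Keep n small: on the quoted pattern the work roughly doubles per letter.
    for name, rx in (("esapi", ESAPI_URL_RX), ("safer", SAFER_URL_RX)):
        for n in (10, 12, 14, 16, 18):
            ms = match_seconds(rx, attack_url(n)) * 1e3
            print(f"{name:5s} n={n:2d} {ms:9.3f} ms")
        print(f"{name:5s} growth per extra char: {growth_per_char(rx, 10, 18):.2f}")
```

Run it with a few lengths and watch the growth factor rather than the raw milliseconds: a pattern that is safe on one engine or JVM version can still show a doubling curve on another, so the measurement is worth repeating on the exact runtime the validator is deployed on. The same harness, with the pattern pasted in from the Java source, shows immediately whether a tool was fed the `\\`-escaped string literal instead of the regex itself.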

