[Esapi-user] RegExDOS and ESAPI

Jim Manico jim.manico at owasp.org
Wed Jan 26 17:07:04 EST 2011

Nice comments, Jeff. Thanks for playing ball and using the Google code
tracker - we need more of this.


Comment #5 on issue 158 by planetlevel: ESAPI URL validation RX is
vulnerable to DoS

I think perhaps there are two things going on here. First is the \w
inside the character set. This seems to be a wrong attempt to include
alphanumeric characters. The second thing is the double escape \\ syntax
that you have to use with Java. The real regex (as seen by Java) is:


I suspect that the tool was using the escaped version which may have
caused misfires. Testing the regex against the provided attack does not
seem to cause a DoS problem on Java.
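The two points in the comment above (a Java source literal carries one extra level of backslash escaping, and a regex should be tested against hostile input under a time budget rather than by eye) can be seen directly with a short Java program. This is an added example, not ESAPI code and not the regex from issue 158: the pattern strings, the `DeadlineCharSequence` guard and the nested-quantifier test input are all constructed here for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI code): what the regex engine sees for a Java
 * source literal, what a tool that reads the literal verbatim would see
 * instead, and a deadline guard for running a match with a time budget.
 */
public class RegexDosCheck {

    /** A pattern string exactly as it would appear in a Java source file (constructed). */
    static final String SOURCE_LITERAL = "[\\w.-]+";

    /** What Pattern.compile actually receives: the single-backslash form. */
    static String regexAsEngineSees() {
        return Pattern.compile(SOURCE_LITERAL).pattern();
    }

    /** A tool reading the source text verbatim would analyse "[\\w.-]+",
     *  where "\\" is an escaped backslash and "w" is the literal letter w. */
    static Pattern regexAsToolMisreads() {
        return Pattern.compile("[\\\\w.-]+");
    }

    /** CharSequence wrapper that aborts a match once a deadline passes (assumed helper, not an ESAPI API). */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long timeoutMillis) {
            this(inner, System.nanoTime() + timeoutMillis * 1_000_000L);
        }
        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int index) {
            // The engine calls charAt on every step, including every backtrack,
            // so checking the clock here bounds the work a bad pattern can do.
            if (System.nanoTime() > deadlineNanos) {
                throw new IllegalStateException("regex exceeded its time budget");
            }
            return inner.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Runs matches() under a time budget; throws IllegalStateException when it is exceeded. */
    static boolean matchesWithin(Pattern p, String input, long timeoutMillis) {
        Matcher m = p.matcher(new DeadlineCharSequence(input, timeoutMillis));
        return m.matches();
    }

    public static void main(String[] args) {
        System.out.println("engine sees: " + regexAsEngineSees());
        Pattern real = Pattern.compile(SOURCE_LITERAL);
        Pattern misread = regexAsToolMisreads();
        // \w inside the class is honoured by Java, so word characters match the real pattern;
        // the misread pattern only accepts backslash, 'w', '.' and '-'.
        System.out.println("real    matches abc_1.x : " + real.matcher("abc_1.x").matches());
        System.out.println("misread matches abc_1.x : " + misread.matcher("abc_1.x").matches());
        System.out.println("misread matches w\\w     : " + misread.matcher("w\\w").matches());

        // Constructed pattern with a nested quantifier (textbook catastrophic backtracking),
        // not the ESAPI URL regex; the guard aborts it instead of letting the thread hang.
        Pattern nested = Pattern.compile("^(\\w+)+$");
        String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";   // constructed non-matching input
        try {
            System.out.println("nested result: " + matchesWithin(nested, input, 500));
        } catch (IllegalStateException e) {
            System.out.println("nested aborted: " + e.getMessage());
        }
        // The same input against the non-nested pattern finishes well inside the budget.
        System.out.println("real within budget: " + matchesWithin(real, input, 500));
    }
}
```

Feed an analysis tool the source literal and it sees `[\\w.-]+`, a class of four literal characters; feed it `Pattern.compile(...).pattern()` and it sees the regex Java actually runs. The deadline guard is a defensive harness for exactly the kind of test the comment describes: run the regex against the reported input with a budget, and treat an abort as a finding rather than waiting to see whether the thread ever returns.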
