[Owasp-ireland] RegEx is Evil.

Eoin eoin.keary at owasp.org
Tue Sep 22 10:22:15 EDT 2009


http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf

Interesting topic on DoS via RegEx, based on the exponential nature of the
regex engine while it consumes the input. Such that even:

Regex: ^\d*[0-9](|.\d*[0-9]|)*$  (Decimal validation) can crash upon a
payload of 1111111111111111111111111!
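The pattern and payload quoted above, run through Go's RE2-based regexp engine, as an added example that is not part of the original post or the linked slides. RE2 guarantees matching time linear in the input, so the same regex that exhausts a backtracking engine (Java, .NET, Perl, Python) completes instantly here. The example also shows the two controls a validator should have regardless of engine: an input-length bound applied before the regex runs, and an unambiguous rewrite of the pattern. The length limit of 64, the rewrite `^[0-9]+(\.[0-9]+)?$` and the function names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// The pattern quoted in the mail, verbatim. Under a backtracking engine the
// nested quantifier `(|.\d*[0-9]|)*` can split a run of digits in many ways,
// so a tail that can never satisfy `$` forces exponentially many retries.
// Go's regexp is RE2-based: no backtracking, time linear in input length.
var decimalAsPosted = regexp.MustCompile(`^\d*[0-9](|.\d*[0-9]|)*$`)

// Unambiguous rewrite (assumed for this example): any input can match in at
// most one way, so even a backtracking engine has nothing to retry. The dot
// is escaped; the posted pattern's bare `.` accepts any separator character,
// and it also accepts repeated groups such as "12.5.6", which this rejects.
var decimalUnambiguous = regexp.MustCompile(`^[0-9]+(\.[0-9]+)?$`)

// Assumed limit for this example; pick one that fits the field being validated.
const maxDecimalLen = 64

var ErrTooLong = errors.New("input exceeds length limit")

// ValidateDecimal applies both defensive controls: bound the input length
// before the regex sees it, then match with the unambiguous pattern.
func ValidateDecimal(s string) (bool, error) {
	if len(s) > maxDecimalLen {
		return false, ErrTooLong
	}
	return decimalUnambiguous.MatchString(s), nil
}

// TimeMatch reports whether re matches s and how long the match took, so the
// linear behaviour of RE2 on the posted pattern can be observed directly.
func TimeMatch(re *regexp.Regexp, s string) (bool, time.Duration) {
	start := time.Now()
	ok := re.MatchString(s)
	return ok, time.Since(start)
}

// The payload from the mail: 25 digits followed by a character that can never
// satisfy `$`, which is what triggers the backtracking explosion elsewhere.
var payload = strings.Repeat("1", 25) + "!"

func main() {
	// Constructed sample inputs: valid decimals, the ambiguous repeated-group
	// case, the posted payload, and a longer payload to show growth stays flat.
	inputs := []string{"3", "12.5", "12.5.6", payload, strings.Repeat("1", 60) + "!"}
	for _, in := range inputs {
		ok, d := TimeMatch(decimalAsPosted, in)
		safe, err := ValidateDecimal(in)
		fmt.Printf("%-64q posted=%-5v (%v) hardened=%-5v err=%v\n", in, ok, d, safe, err)
	}
}
```

Run it with `go run .`; the posted pattern rejects both payloads in microseconds, and the hardened validator additionally rejects the multi-separator input and anything over the length bound. On a backtracking engine the same 25-digit payload is what the slides describe, so treat the rewrite plus the length bound as the fix that works everywhere, and the engine choice as defence in depth.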

-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary