[Owasp-leaders] Question on Regex

Ofer Shezaf ofer at shezaf.com
Thu Oct 15 01:48:15 EDT 2009

RegEx denial of service attacks are prevalent, serious an often overlooked.
Alex Roichman from Checkmarx revisited the subject in a recent very
interesting presentation at OWASP Israel 2009. While not new to anyone who
read the classic "Mastering regular expressions", Alex went well beyond just
summarizing the known research on the subject.


One pretty disturbing finding he made was the OWASP Validation Regex
(http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository) included
RegExps vulnerable to DoS. Being attacked in a public conference, my
response was that this finding emphasizes the openness of OWASP, and as the
project was an orphan, he is more than welcome to take it over, correct and
enhance. I suspect that many protection solutions, whether external ) to the
code (read WAFs or built into the code (read input validation frameworks)
are vulnerable.


You can find the presentation here:


~ Ofer


Ofer Shezaf [shezaf at xiom.com, +972-54-4431119]


Xiom.com, The WAF info center, http://www.xiom.com

Founder, OWASP Israel 

Leader, WASC Web Hacking Incidents Database Project


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Thursday, October 15, 2009 7:08 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Question on Regex


I remember reading about RegEx DoS recently

Shall this have any impact on your discussions?

2009/10/14 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>

Having a debate with some developers and I wanted to understand if there was
any security perspectives that have merit when it comes to using Regex. So,
I noted that ESAPI for example, has a single properties file where regex
compilation happens in each validation action and not via uber-singleton
upfront compilation. Is this developer religion? 

This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091015/64b7029d/attachment-0001.html 

More information about the OWASP-Leaders mailing list