[Owasp-leaders] Question on Regex

Eoin eoin.keary at owasp.org
Thu Oct 15 02:08:52 EDT 2009


Ofer, thanks for this. I was too tied up to write such a long email :)



2009/10/15 Ofer Shezaf <ofer at shezaf.com>

>  RegEx denial of service attacks are prevalent, serious and often
> overlooked. Alex Roichman from Checkmarx revisited the subject in a recent
> very interesting presentation at OWASP Israel 2009. While not new to anyone
> who read the classic “Mastering regular expressions”, Alex went well beyond
> just summarizing the known research on the subject.
>
> One pretty disturbing finding he made was that the OWASP Validation Regex
> Repository (http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository)
> included RegExps vulnerable to DoS. Being attacked in a public conference, my
> response was that this finding emphasizes the openness of OWASP, and as the
> project was an orphan, he is more than welcome to take it over, correct and
> enhance. I suspect that many protection solutions, whether external to the
> code (read WAFs) or built into the code (read input validation frameworks),
> are vulnerable.
>
>
>
> You can find the presentation here:
> http://www.owasp.org/images/f/f1/OWASP_IL_2009_ReDoS.ppt
>
> ~ Ofer
>
> Ofer Shezaf [shezaf at xiom.com, +972-54-4431119]
> Xiom.com, The WAF info center, http://www.xiom.com
> Founder, OWASP Israel
> Leader, WASC Web Hacking Incidents Database Project
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Thursday, October 15, 2009 7:08 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Question on Regex
>
> I remember reading about RegEx DoS recently.
>
> Shall this have any impact on your discussions?
>
> 2009/10/14 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>
>
> Having a debate with some developers and I wanted to understand if there
> were any security perspectives that have merit when it comes to using Regex.
> So, I noted that ESAPI, for example, has a single properties file where regex
> compilation happens in each validation action and not via uber-singleton
> upfront compilation. Is this developer religion?
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary
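A worked illustration of the two points raised in the thread, added here and not part of any message, of ESAPI or of the OWASP Validation Regex Repository: a heuristic scan over a set of validation regexes for the nested-quantifier shape behind most ReDoS findings, and a timing comparison between a constructed backtracking pattern and a linear pattern that accepts exactly the same strings. All pattern names and sample regexes are constructed for the demonstration.

```python
import re
import time

# Constructed patterns for the demonstration (not entries from the OWASP
# Validation Regex Repository): a nested quantifier that backtracks
# exponentially on a near-miss input, and a linear pattern that accepts
# exactly the same strings.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"

# Heuristic: an unbounded quantified group ((...)+, (...)*, (...){n,}) whose
# body itself carries a quantifier, e.g. (a+)+ or (\w+\s?)*. A regex over
# regex source is approximate, so a hit means "review this", not "exploitable".
_NESTED_QUANTIFIER = re.compile(
    r"\((?:[^()\\]|\\.)*[+*}](?:[^()\\]|\\.)*\)(?:[+*]|\{\d+,\})"
)


def has_nested_quantifier(pattern_src: str) -> bool:
    """True if the regex source shows a quantifier nested inside an unbounded group."""
    return _NESTED_QUANTIFIER.search(pattern_src) is not None


def scan_patterns(patterns: dict) -> list:
    """Return the names of validation regexes that trip the heuristic."""
    return [name for name, src in patterns.items() if has_nested_quantifier(src)]


def timed_match(pattern_src: str, text: str):
    """Compile, match, and return (matched, seconds spent in the match).

    Compiling per call is cheap here because Python's re module caches recently
    compiled patterns; the cost that matters is the match itself.
    """
    compiled = re.compile(pattern_src)
    start = time.perf_counter()
    matched = compiled.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n: int = 18):
    """Run both patterns on n 'a's followed by '!', a near-miss neither accepts."""
    near_miss = "a" * n + "!"
    return timed_match(EVIL_PATTERN, near_miss), timed_match(SAFE_PATTERN, near_miss)


if __name__ == "__main__":
    # Constructed sample set in the shape of a validation-regex repository.
    sample = {"alpha": r"^[a-zA-Z]+$", "words": r"^(\w+\s?)*$", "ipv4": r"^(\d{1,3}\.){3}\d{1,3}$"}
    print("needs review:", scan_patterns(sample))
    (evil_hit, evil_s), (safe_hit, safe_s) = compare()
    print(f"evil: matched={evil_hit} {evil_s:.3f}s  safe: matched={safe_hit} {safe_s:.6f}s")
```

Raising `n` by one roughly doubles the time spent on the evil pattern while the safe pattern stays linear, which is the property a reviewer of a shared regex repository wants to rule out.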