[Owasp-leaders] Question on Regex

Kåre Presttun kaare at mnemonic.no
Tue Oct 20 09:10:53 EDT 2009


Hi.

Part of the problem is how the regex function itself is designed.
The way it is implemented in some languages (Java, Perl, PHP,
Python, Ruby, ...) makes it easy to make the complexity explode
and you have a DoS. Others like awk, Tcl and GNU grep do not
behave this way. Russ Cox has written a nice paper on it:
http://swtch.com/~rsc/regexp/regexp1.html

- Kåre

On 15.10.2009 08:08, Eoin wrote:
> Ofer, thanks for this. I was too tied up to write such a long email :)
> 
> 2009/10/15 Ofer Shezaf <ofer at shezaf.com>
> 
>     RegEx denial of service attacks are prevalent, serious and often
>     overlooked. Alex Roichman from Checkmarx revisited the subject in a
>     recent very interesting presentation at OWASP Israel 2009. While not
>     new to anyone who read the classic "Mastering Regular Expressions",
>     Alex went well beyond just summarizing the known research on the
>     subject.
> 
>     One pretty disturbing finding he made was the OWASP Validation Regex
>     Repository
>     (http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository)
>     included RegExps vulnerable to DoS. Being attacked in a public
>     conference, my response was that this finding emphasizes the
>     openness of OWASP, and as the project was an orphan, he is more than
>     welcome to take it over, correct and enhance. I suspect that many
>     protection solutions, whether external to the code (read WAFs) or
>     built into the code (read input validation frameworks), are vulnerable.
> 
>     You can find the presentation here:
>     http://www.owasp.org/images/f/f1/OWASP_IL_2009_ReDoS.ppt
> 
>     ~ Ofer
> 
>     Ofer Shezaf [shezaf at xiom.com, +972-54-4431119]
> 
>     Xiom.com, The WAF info center, http://www.xiom.com
> 
>     Founder, OWASP Israel
> 
>     Leader, WASC Web Hacking Incidents Database Project
> 
>     *From:* owasp-leaders-bounces at lists.owasp.org
>     [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Eoin
>     *Sent:* Thursday, October 15, 2009 7:08 AM
> 
>     *To:* owasp-leaders at lists.owasp.org
>     *Subject:* Re: [Owasp-leaders] Question on Regex
> 
>     I remember reading about RegEx DoS recently
> 
>     Shall this have any impact on your discussions?
> 
>     2009/10/14 McGovern, James F. (eBusiness) <James.McGovern at thehartford.com>
> 
>     Having a debate with some developers and I wanted to understand if
>     there was any security perspectives that have merit when it comes to
>     using Regex. So, I noted that ESAPI for example, has a single
>     properties file where regex compilation happens in each validation
>     action and not via uber-singleton upfront compilation. Is this
>     developer religion?
> 
> 
> 
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> 
> 
>     -- 
>     Eoin Keary CISSP CISA
>     https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
> 
>     OWASP Code Review Guide Lead Author
>     OWASP Ireland Chapter Lead
>     OWASP Global Committee Member (Industry)
> 
>     http://asg.ie/
>     https://twitter.com/EoinKeary
> 
> 
> 
> 
> 
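The two points raised in this thread, that a backtracking engine such as Python's `re` lets an ambiguous pattern explode, and that validation patterns should be compiled once rather than on every call, can be checked concretely. The following is an added example written for this page; it is not code from the thread, from OWASP, or from ESAPI. It uses CPython's internal regex parser (`re._parser`, formerly `sre_parse`) to flag the classic nested-quantifier shape, times a near-miss input against a vulnerable pattern and an equivalent unambiguous one, and compiles each pattern once outside the timed region. The patterns `VULNERABLE` and `SAFE`, the function names, and the constructed inputs are all assumptions made here for illustration; the lint is a heuristic and does not catch every ReDoS shape.

```python
"""Added example: detecting and measuring catastrophic backtracking in
Python's `re`, one of the backtracking engines named in the thread."""
import re
import time

try:  # Python 3.11+ keeps the regex parser under re._parser
    from re import _parser as sre_parse
    from re._constants import MAX_REPEAT, MIN_REPEAT
except ImportError:  # older interpreters expose the same modules by their old names
    import sre_parse
    from sre_constants import MAX_REPEAT, MIN_REPEAT

REPEAT_OPS = (MAX_REPEAT, MIN_REPEAT)

# Constructed patterns for the demonstration (assumption, not from the thread).
VULNERABLE = r"^(a+)+$"  # nested unbounded quantifiers: exponential backtracking
SAFE = r"^a+$"           # accepts exactly the same strings, matches in linear time

# Compile once, up front, rather than on every validation call.
COMPILED = {name: re.compile(pat) for name, pat in (("vulnerable", VULNERABLE), ("safe", SAFE))}


def _subpatterns(av):
    """Yield every SubPattern nested anywhere inside an opcode's argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _walk(sub, inside_repeat):
    """Return True once a variable-length repeat is found inside another repeat."""
    for op, av in sub:
        if op in REPEAT_OPS:
            lo, hi, body = av
            if inside_repeat and lo != hi:
                return True  # e.g. the inner a+ of (a+)+ or the \w* of (\w*\s?)*
            if _walk(body, inside_repeat or hi > 1):
                return True
        else:
            # groups, alternations and lookarounds carry their bodies as SubPatterns
            for child in _subpatterns(av):
                if _walk(child, inside_repeat):
                    return True
    return False


def has_nested_quantifier(pattern):
    """Heuristic lint: True when a variable-length quantifier sits inside a
    quantifier that can run more than once, such as (a+)+ or (a*)*.
    Fixed-width inner repeats like (\\d{3}-)+ are not flagged.  Other ReDoS
    shapes, e.g. overlapping alternation (a|aa)+, are NOT detected."""
    return _walk(sre_parse.parse(pattern), False)


def validate(pattern, value):
    """Whole-string validation with a pattern compiled once per call site."""
    return re.fullmatch(pattern, value) is not None


def match_time(pattern, n):
    """Seconds a single match takes on a constructed near-miss input of n 'a's
    followed by a character the pattern rejects."""
    compiled = re.compile(pattern)  # compilation stays outside the timed region
    subject = "a" * n + "!"
    start = time.perf_counter()
    compiled.match(subject)
    return time.perf_counter() - start


def main():
    for name, pat in COMPILED.items():
        print(f"{name:10s} {pat.pattern:10s} nested quantifier: {has_nested_quantifier(pat.pattern)}")
    for n in (10, 14, 18):  # doubling per extra 'a' for the vulnerable pattern
        print(f"n={n:2d}  vulnerable={match_time(VULNERABLE, n):.4f}s  safe={match_time(SAFE, n):.6f}s")


if __name__ == "__main__":
    main()
```

Running `main()` shows the vulnerable pattern's time roughly doubling with every extra `a` while the safe pattern stays flat; the lint is what you would run over a repository of validation patterns before deploying them, and the `COMPILED` table shows the compile-once layout the thread's ESAPI question is about.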