[Owasp-leaders] Method for statically detecting Regex's subject to Regex DOS?

Michael Hidalgo michael.hidalgo at owasp.org
Mon Nov 9 16:13:38 UTC 2015


Hi Dave,
Dinis and I wrote an article about this subject; we published it on DZONE
(https://dzone.com/articles/regular-expressions-denial).

Fortunately, Microsoft .NET 4.5 provides a countermeasure to "avoid" the
problem. They introduced a matchTimeout argument on top of the IsMatch
method:

// Fourth argument is the matchTimeout: if matching runs longer than 5 s the
// engine aborts and throws RegexMatchTimeoutException instead of spinning.
Regex.IsMatch(emailAddress, EmailRegexPattern,
              RegexOptions.IgnoreCase,
              TimeSpan.FromSeconds(5));


That prevents the DoS. I'm not sure if other programming languages
(i.e. Java) that implement the naive backtracking algorithm provide a
similar countermeasure; I think that's going to be for the second part
of the article :)


Microsoft has a Regex fuzzing tool
(http://www.microsoft.com/en-us/download/details.aspx?id=20095); however,
when I tested it a while back, it did not work for groups on top of
the RegEx.


It would be great to have something like that, especially since
several programming languages use the same backtracking algorithm.


Thanks.


On Mon, Nov 9, 2015 at 9:01 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> OWASP has this article, which is great:
> https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
> And Wikipedia has a good article too: https://en.wikipedia.org/wiki/ReDoS
>
> But unfortunately they only describe the problem and don't describe
> how to fix it.
>
> There is another good article on the subject linked from wikipedia:
> https://msdn.microsoft.com/en-au/magazine/ff646973.aspx
>
> But it too just describes the problem (very well), and then describes
> fuzzing as a technique that might be able to detect these problems.
>
> What I'm looking for (which I'm not sure exists) is some way of
> validating a regex to determine if it's vulnerable or not, ideally with a
> static check (like use of a Regex). If we could figure out a way (and it
> doesn't have to be perfect), developers could use it to validate user
> supplied data before constructing regexes out of them (which I've seen in
> real apps, and why I'm asking). And static analysis tools (like maybe
> FindSecBugs or SonarQube) could also validate statically constructed
> regexes and warn the developers that the regexes they are building into
> their apps are (or might be) subject to ReDoS.
>
> I suspect this problem is 'too hard' for a simple regex. I see there is a
> tool written here: http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml that
> people could use to detect ReDoS in arbitrary regexes. I wonder if we could
> come up with a simple whitelist regex that prevents ReDoS while
> allowing most of the types of regexes people would want to build.
>
> Any suggestions out there (that we can then update our OWASP article
> with)?
>
> Thanks, Dave
>



-- 


*Michael Hidalgo. OWASP Chapter Leader & Researcher*

*Blog: http://michaelhidalgocr.blogspot.com*
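As an added illustration of the static check Dave asks about (example code written for this page, not from the thread, the DZone article or any of the tools mentioned), here is a small Python heuristic that flags the nested-quantifier shape behind the classic ReDoS cases: a group repeated without bound that itself contains an unbounded repetition, as in `(a+)+`. It is only a heuristic: it ignores bounded `{m,n}` repeats and does not see overlapping alternations such as `(a|aa)+`, so a runtime backstop like .NET's matchTimeout is still needed.

```python
import re

# Unbounded repetition operators: *, +, {n,} and their lazy (?) forms. Bounded
# {m,n} is ignored, so a clean result is a heuristic, not a proof of safety.
UNBOUNDED = re.compile(r"(?:[*+]|\{\d+,\})\??")


def _skip_class(pattern, i):
    """Return the index just past the character class opening at pattern[i]."""
    i += 1
    if i < len(pattern) and pattern[i] == "^":
        i += 1
    if i < len(pattern) and pattern[i] == "]":  # a leading ']' is a literal
        i += 1
    while i < len(pattern) and pattern[i] != "]":
        i += 2 if pattern[i] == "\\" else 1  # escapes inside the class
    return i + 1


def find_nested_quantifiers(pattern):
    """Return the text of every group that is repeated without bound and that
    itself contains an unbounded repetition, e.g. ['(a+)+'] for r'(a+)+'."""
    findings = []
    stack = []  # one [start_index, contains_unbounded] entry per open group
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":  # escape: the next character is a literal
            i += 2
        elif c == "[":
            i = _skip_class(pattern, i)
        elif c == "(":
            stack.append([i, False])
            i += 1
        elif c == ")":
            start, inner = stack.pop() if stack else (0, False)
            quant = UNBOUNDED.match(pattern, i + 1)
            if quant and inner:
                findings.append(pattern[start:quant.end()])
            if stack and (inner or quant):  # propagate to the enclosing group
                stack[-1][1] = True
            i = quant.end() if quant else i + 1
        else:
            quant = UNBOUNDED.match(pattern, i)
            if quant and stack:  # a quantified atom directly inside a group
                stack[-1][1] = True
            i = quant.end() if quant else i + 1
    return findings
```

Running it over a pattern such as `^(([a-z])+.)+[A-Z]([a-z])+$` (a constructed sample) reports the offending `(([a-z])+.)+` group, while a plain email pattern with no nested groups comes back clean.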