[Owasp-leaders] Method for statically detecting Regex's subject to Regex DOS?

Dave Wichers dave.wichers at owasp.org
Mon Nov 9 17:25:04 UTC 2015


Thanks for this info. I’ve added your article to the OWASP ReDoS page. I
think OWASP should campaign to get this feature added to Java (Jim ???
Milton ???).

In the meantime, for Java, if you have to do this by hand, here’s a Stack
Overflow article on how to do it:


From:  Michael Fallas <michael.hidalgo at owasp.org>
Date:  Monday, November 9, 2015 at 11:13 AM
To:  Dave Wichers <dave.wichers at owasp.org>
Cc:  "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject:  Re: [Owasp-leaders] Method for statically detecting Regex's subject to Regex DOS?

Hi Dave,
Dinis and I wrote an article about this subject; we published it on DZONE.

Fortunately, Microsoft .NET 4.5 provides a countermeasure to "avoid" the
problem. They introduced a matchTimeout argument on top of the IsMatch
method:

Regex.IsMatch(emailAddress, EmailRegexPattern,

That prevents the DoS. I'm not sure if other programming languages (i.e.
Java) that implement the naive backtracking algorithm provide a similar
countermeasure; I think it's going to be for the second part of the article.

Microsoft has a Regex fuzzing tool
http://www.microsoft.com/en-us/download/details.aspx?id=20095, however when
I tested it a while back, it did not work for groups on top of the RegEx.

It will be great to have something like that, specifically since several
programming languages use the same backtracking algorithm.


On Mon, Nov 9, 2015 at 9:01 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> OWASP has this article, which is great:
> https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
> And wikipedia has a good article too: https://en.wikipedia.org/wiki/ReDoS
> But unfortunately they only describe the problem and don't describe
> how to fix it.
> There is another good article on the subject linked from wikipedia:
> https://msdn.microsoft.com/en-au/magazine/ff646973.aspx
> But it too just describes the problem (very well), and then describes
> fuzzing as a technique that might be able to detect these problems.
> What I'm looking for (which I'm not sure exists), is some way of
> validating a regex to determine if it's vulnerable or not, ideally with a
> static check (like use of a Regex). If we could figure out a way (and it
> doesn't have to be perfect), developers could use it to validate user
> supplied data before constructing regexes out of them (which I've seen in
> real apps, and why I'm asking). And static analysis tools (like maybe
> FindSecBugs or SonarQube) could also validate statically constructed
> regexes and warn the developers that the regexes they are building into
> their apps are (or might be) subject to ReDoS.
> I suspect this problem is 'too hard' for a simple regex. I see there is a
> tool written here: http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml that
> people could use to detect ReDoS in arbitrary regexes. I wonder if we could
> come up with a simple white list regex that prevents ReDoS while
> allowing most of the types of regexes people would want to build.
> Any suggestions out there? (that we can then update our OWASP article
> with)?
> Thanks, Dave

Michael Hidalgo.
OWASP Chapter Leader & Researcher

Blog: http://michaelhidalgocr.blogspot.com
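Dave's "do it by hand" approach for Java, as an added example that is not from this thread or from the linked articles: java.util.regex has no matchTimeout, but the matcher reads its input through the CharSequence interface, so a wrapper that checks a deadline on every charAt() call can abort a match that runs too long, mirroring the .NET argument Michael describes. The class and exception names and the evil-pattern sample input are my own construction.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class TimeLimitedRegex {
    /** Thrown when a match runs past its deadline. */
    public static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException(String msg) { super(msg); }
    }
    /** Input view that aborts the match once the deadline has passed. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        // The matcher reads every character through charAt(), so a runaway
        // backtracking match is interrupted here instead of running unbounded.
        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new MatchTimeoutException("regex match exceeded time limit");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }
    /** Counterpart of .NET's Regex.IsMatch with a matchTimeout argument. */
    public static boolean isMatch(Pattern pattern, CharSequence input, long timeout, TimeUnit unit) {
        long deadline = System.nanoTime() + unit.toNanos(timeout);
        Matcher m = pattern.matcher(new DeadlineCharSequence(input, deadline));
        return m.matches();
    }
    public static void main(String[] args) {
        // Constructed sample: the textbook evil pattern and a non-matching input
        // that makes the backtracking engine try exponentially many splits.
        Pattern evil = Pattern.compile("^(a+)+$");
        String input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!";
        try {
            System.out.println("match: " + isMatch(evil, input, 200, TimeUnit.MILLISECONDS));
        } catch (MatchTimeoutException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The wrapper bounds wall-clock time per match rather than proving the pattern safe, so it complements, not replaces, a static check of the kind Dave is asking for.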
