[Owasp-leaders] Method for statically detecting Regex's subject to Regex DOS?

Jim Manico jim.manico at owasp.org
Mon Nov 9 17:32:49 UTC 2015

I do not work for Oracle, but Matt Konda is a member of one of the Java 
Community Security teams, maybe he can help?

I also replied to your note to Milton. I think this is a great idea, Dave.

- Jim

On 11/9/15 7:25 AM, Dave Wichers wrote:
> Michael,
> Thanks for this info. I’ve added your article to the OWASP ReDoS page. 
> I think OWASP should campaign to get this feature added to Java (Jim 
> ???  Milton ???).
> In the mean time, for Java, if you have to do this by hand, here’s a 
> stack overflow article on how to do it: 
> http://stackoverflow.com/questions/910740/cancelling-a-long-running-regex-match
> -Dave
> From: Michael Fallas <michael.hidalgo at owasp.org 
> <mailto:michael.hidalgo at owasp.org>>
> Date: Monday, November 9, 2015 at 11:13 AM
> To: Dave Wichers <dave.wichers at owasp.org <mailto:dave.wichers at owasp.org>>
> Cc: "owasp-leaders at lists.owasp.org 
> <mailto:owasp-leaders at lists.owasp.org>" <owasp-leaders at lists.owasp.org 
> <mailto:owasp-leaders at lists.owasp.org>>
> Subject: Re: [Owasp-leaders] Method for statically detecting Regex's 
> subject to Regex DOS?
> Hi Dave,
> Dinis and I wrote an article about this subject, we published it on 
> DZONE (https://dzone.com/articles/regular-expressions-denial).
> Fortunately, Microsoft .NET 4.5 provides a countermeasure to "avoid" 
> the problem. They introduced a matchTimeout argument on top of the 
>  IsMatch method :
> Regex.IsMatch(emailAddress, EmailRegexPattern,
> RegexOptions.IgnoreCase,
> TimeSpan.FromSeconds(5));
> That prevents the DoS. I'm not sure if other programming languages 
> (i.e Java) that implement the naive backtracking algorithm, provides a 
> similar countermeasure, I think it's going to be for the second part 
> of the article :)
> Microsoft has a Regex fuzzing tool 
> http://www.microsoft.com/en-us/download/details.aspx?id=20095, however 
> when I tested it a while back, it did not work for groups on top of 
> the RegEx.
> It will be great to have something like that, specifically since 
> several programming languages using the same backtracking algorithm.
> Thnaks.
> On Mon, Nov 9, 2015 at 9:01 AM, Dave Wichers <dave.wichers at owasp.org 
> <mailto:dave.wichers at owasp.org>> wrote:
>     OWASP has this article, which is great:
>     https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDo
>     S
>     And wikipedia has a good article too:
>     https://en.wikipedia.org/wiki/ReDoS
>     But, it unfortunately they only describe the problem and don¹t
>     describe
>     how to fix it.
>     There is another good article on the subject linked from wikipedia:
>     https://msdn.microsoft.com/en-au/magazine/ff646973.aspx
>     But it too just describes the problem (very well), and then describes
>     fuzzing as a technique that might be able to detect these problems.
>     What I¹m looking for (which I¹m not sure exists), is some way of
>     validating a regex to determine if its vulnerable or not, ideally
>     with a
>     static check (like use of a Regex). If we could figure out a way
>     (and it
>     doesn¹t have to be perfect), developers could use it to validate user
>     supplied data before constructing regex¹s out of them (which I¹ve
>     seen in
>     real apps, and why I¹m asking). And static analysis tools (like maybe
>     FindSecBugs or SonarQube) could also validate statically constructed
>     regexs and warn the developers that the regexs they are building into
>     their apps are (or might be) subject to ReDos.
>     I suspect this problem is Œtoo hard¹ for a simple regex. I see
>     there is a
>     tool written here:
>     http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
>     <http://www.cs.bham.ac.uk/%7Ehxt/research/rxxr.shtml> that
>     people could use to detect ReDox is arbitrary regexs. I wonder if
>     we could
>     come up with a simple white list regex that prevents regexdos while
>     allowing most of the types of regexs people would want to build.
>     Any suggestions out there? (that we can then update our OWASP article
>     with)?
>     Thanks, Dave
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> *Michael Hidalgo.
> OWASP Chapter Leader & Researcher*
> *Blog: http://michaelhidalgocr.blogspot.com 
> <http://michaelhidalgocr.blogspot.com/>*
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Jim Manico
Global Board Member
OWASP Foundation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151109/ddebb982/attachment-0001.html>

More information about the OWASP-Leaders mailing list