[Owasp-leaders] Method for statically detecting Regex's subject to Regex DOS?

Kevin W. Wall kevin.w.wall at gmail.com
Mon Nov 9 17:44:15 UTC 2015


Hi Dave,

There is also DoSSafeRegexTest (https://gist.GitHub.com/anonymous/6309969),
which is mentioned on this ESAPI-DEV mailing list thread discussing ReDoS.
See
https://lists.owasp.org/pipermail/esapi-dev/2010-October/001129.html
for more details.

-kevin
Sent from my Droid; please excuse typos.
On Nov 9, 2015 11:17 AM, "Michael Hidalgo" <michael.hidalgo at owasp.org>
wrote:

> Hi Dave,
> Dinis and I wrote an article about this subject, we published it on DZONE (
> https://dzone.com/articles/regular-expressions-denial).
>
> Fortunately, Microsoft .NET 4.5 provides a countermeasure to "avoid" the
> problem. They introduced a matchTimeout argument on top of the IsMatch
> method:
>
> Regex.IsMatch(emailAddress, EmailRegexPattern,
>               RegexOptions.IgnoreCase,
>               TimeSpan.FromSeconds(5));
>
> That prevents the DoS. I'm not sure if other programming languages (i.e. Java) that implement the naive backtracking algorithm provide a similar countermeasure; I think it's going to be for the second part of the article :)
>
>
> Microsoft has a Regex fuzzing tool (http://www.microsoft.com/en-us/download/details.aspx?id=20095); however, when I tested it a while back, it did not work for groups on top of the RegEx.
>
>
> It will be great to have something like that, specifically since several programming languages use the same backtracking algorithm.
>
>
> Thanks.
>
>
> On Mon, Nov 9, 2015 at 9:01 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>
>> OWASP has this article, which is great:
>>
>> https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
>>
>> And wikipedia has a good article too: https://en.wikipedia.org/wiki/ReDoS
>>
>> But unfortunately they only describe the problem and don't describe
>> how to fix it.
>>
>> There is another good article on the subject linked from wikipedia:
>> https://msdn.microsoft.com/en-au/magazine/ff646973.aspx
>>
>> But it too just describes the problem (very well), and then describes
>> fuzzing as a technique that might be able to detect these problems.
>>
>> What I'm looking for (which I'm not sure exists), is some way of
>> validating a regex to determine if it's vulnerable or not, ideally with a
>> static check (like use of a Regex). If we could figure out a way (and it
>> doesn't have to be perfect), developers could use it to validate user
>> supplied data before constructing regexes out of them (which I've seen in
>> real apps, and why I'm asking). And static analysis tools (like maybe
>> FindSecBugs or SonarQube) could also validate statically constructed
>> regexes and warn the developers that the regexes they are building into
>> their apps are (or might be) subject to ReDoS.
>>
>> I suspect this problem is 'too hard' for a simple regex. I see there is a
>> tool written here: http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml that
>> people could use to detect ReDoS in arbitrary regexes. I wonder if we could
>> come up with a simple white list regex that prevents ReDoS while
>> allowing most of the types of regexes people would want to build.
>>
>> Any suggestions out there (that we can then update our OWASP article
>> with)?
>>
>> Thanks, Dave
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Michael Hidalgo. OWASP Chapter Leader & Researcher
> Blog: http://michaelhidalgocr.blogspot.com
>
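The thread's subject line asks for a static check, and Dave says it does not have to be perfect. What follows is an added example written for this page; it is not code from the thread, from DoSSafeRegexTest, or from RXXR. It is a small Python heuristic that flags the classic (a+)+ shape: a quantified group whose body already contains a quantifier. The function names, the sample patterns and the list of blind spots are all constructed for illustration.

```python
import re

# One quantifier: *, +, ?, {m}, {m,} or {m,n}, with an optional lazy (?) or
# possessive (+) suffix. Used only outside character classes and escapes.
QUANTIFIER = re.compile(r'(?:[*+?]|\{\d+(?:,\d*)?\})[?+]?')


def find_nested_quantifiers(pattern):
    """Static heuristic: return (group_text, outer_quantifier) for each quantified
    group whose body already contains a quantifier, e.g. (a+)+ or ([a-z]+)*.

    Known blind spots (constructed list, not exhaustive): overlapping
    alternations such as (a|aa)+, adjacent but non-nested quantified atoms such
    as \\d+\\d+, and anything involving backreferences. A clean result therefore
    means "not obviously nested", not "safe"."""
    findings = []
    stack = []                       # open groups: [start_index, body_has_quantifier]
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':                # escaped character: never a quantifier or bracket
            i += 2
        elif c == '[':               # skip a character class; its + * ? are literals
            j = i + 1
            if j < n and pattern[j] == '^':
                j += 1
            if j < n and pattern[j] == ']':   # a leading ] is a literal
                j += 1
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            i = j + 1
        elif c == '(':
            stack.append([i, False])
            # (?:...), (?=...), (?P<name>...) etc.: that '?' is syntax, not a quantifier
            i += 2 if i + 1 < n and pattern[i + 1] == '?' else 1
        elif c == ')':
            if not stack:            # unbalanced ')': leave it to re.compile to report
                i += 1
                continue
            start, body_has_quantifier = stack.pop()
            q = QUANTIFIER.match(pattern, i + 1)
            if q and body_has_quantifier:
                findings.append((pattern[start:i + 1], q.group(0)))
            if stack and (q or body_has_quantifier):
                stack[-1][1] = True  # propagate to the enclosing group
            i += 1 + (len(q.group(0)) if q else 0)
        else:
            q = QUANTIFIER.match(pattern, i)
            if q:
                if stack:
                    stack[-1][1] = True
                i += len(q.group(0))
            else:
                i += 1
    return findings


def is_redos_suspect(pattern):
    """Gate for user-supplied patterns: reject anything that does not compile
    or that trips the nested-quantifier heuristic."""
    try:
        re.compile(pattern)
    except re.error:
        return True
    return bool(find_nested_quantifiers(pattern))


if __name__ == '__main__':
    # Constructed sample patterns; the last one is a deliberate blind spot.
    samples = [
        r'(a+)+$',
        r'^([a-z]+)*@[a-z]+\.com$',
        r'^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$',
        r'(a|aa)+',
    ]
    for p in samples:
        print(f'{p!r:48} suspect={is_redos_suspect(p)} '
              f'nested={find_nested_quantifiers(p)}')
```

Used as Dave describes, a pattern that comes from user input would be passed through is_redos_suspect before it is compiled; a static analyser could run find_nested_quantifiers over string literals handed to a regex constructor and report each finding with its offending group. The deliberate (a|aa)+ sample shows why the check is a filter rather than a proof: overlapping alternation backtracks just as badly but is invisible to a nesting-only walk, which is the gap that tools like RXXR try to close.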