Posted to user@struts.apache.org by Greg Lindholm <gr...@gmail.com> on 2010/06/01 03:26:49 UTC

Re: Regular Expression Denial of Service Attacks and Defenses

Hi abhishek,

The meaning of the expression is explained in the article; the point
is not the usefulness of the expression but that it is "badly formed"
so that the regex engine can take an extremely long time to determine
that the test string does not match the expression (also explained in
the article).  The upshot is that regex expressions that "fail slowly"
can be used by the bad guys to mount a Denial of Service attack
against your site.

The problem with the expression "^(\d+)+$" is that it is trying to
match groups of digits and a string of digits can be grouped in many
permutations. If you try to match it against a long string of digits
(say 30) followed by a non-digit the regex engine will attempt to
match every possible permutation before it gives up and decides it
doesn't match, which can take a very long time.

On Mon, May 31, 2010 at 7:43 AM, abhishek jain
<ab...@gmail.com> wrote:
> Hi Greg,
> just a doubt, on looking at first sight I don't understand what the
> regex "^(\d+)+$" does additionally.
> As it should be equivalent to "^(\d+)$"
>
> I am more Perlish (from Perl) biased, which says the regex is greedy and
> hence it will anyway go to the maximum match,
> please clarify,
>
> thanks
> abhishek
>
> On Fri, May 28, 2010 at 12:42 AM, Greg Lindholm <gr...@gmail.com> wrote:
>
>> This link is to an article that talks of how Denial of Service attacks
>> can target vulnerable Regular Expressions.
>>
>> Regular Expression Denial of Service Attacks and Defenses
>> http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
>> (Not sure if you need to login to see this page, I hope not.)
>>
>> A friend tested the example expression "^(\d+)+$" using the Java Regex
>> library and discovered it is vulnerable and a badly formed 30
>> character string was taking over 2 minutes to determine that it didn't
>> match.
>>
>> Struts 2 (and many other frameworks) use regular expressions in
>> validation.  I'm wondering if anyone has checked to see if any of the
>> built in regex expressions are vulnerable, I'm thinking specifically
>> of the email address validation?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>> For additional commands, e-mail: user-help@struts.apache.org
>>
>>
>

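The following is an added example, not code from this thread or from Struts 2, showing the behaviour Greg describes: the nested-quantifier pattern "^(\d+)+$" is run against inputs of n digits followed by a non-digit, beside the equivalent but linear "^\d+$" (both accept exactly the strings of one or more digits). Because java.util.regex offers no timeout and cannot be interrupted, the example also shows one way to bound a match: the engine reads its input through CharSequence.charAt(), so a wrapper that checks a deadline on every call can abort a runaway match. The class names (RedosDemo, DeadlineCharSequence, RegexTimeoutException), the 2-second budget and the use of String.repeat (Java 11+) are choices made for this example.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Constructed demonstration of catastrophic backtracking and a bounded-time match. */
public class RedosDemo {

    // The pattern from the thread: a quantified group inside a quantifier. On a
    // string of digits that ends in a non-digit the engine tries every way of
    // splitting the digits between iterations of the outer '+' before giving up.
    static final Pattern VULNERABLE = Pattern.compile("^(\\d+)+$");

    // Accepts exactly the same strings (one or more digits) but has no nesting,
    // so a failing input is rejected after a single pass.
    static final Pattern SAFE = Pattern.compile("^\\d+$");

    /** Thrown by the wrapper below when a match runs past its deadline. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException() { super("regex match exceeded its time budget"); }
    }

    /**
     * java.util.regex cannot be given a timeout, but every character it examines
     * comes from CharSequence.charAt(). This wrapper (a general technique, not a
     * Struts 2 facility) throws once the deadline has passed, unwinding the match.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        static DeadlineCharSequence withTimeout(CharSequence s, long timeoutMillis) {
            return new DeadlineCharSequence(
                    s, System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis));
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException();
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            // Keep the same deadline for any sub-sequence the engine asks for.
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /** Returns "match", "no match" or "timeout" for the given pattern and input. */
    static String matchWithTimeout(Pattern p, String input, long timeoutMillis) {
        Matcher m = p.matcher(DeadlineCharSequence.withTimeout(input, timeoutMillis));
        try {
            return m.matches() ? "match" : "no match";
        } catch (RegexTimeoutException e) {
            return "timeout";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: n digits followed by '!', so neither pattern can match.
        // Each extra digit roughly doubles the work for VULNERABLE; SAFE stays flat.
        for (int n : new int[] {10, 15, 20, 25, 30}) {
            String evil = "1".repeat(n) + "!";   // String.repeat needs Java 11+
            for (Pattern p : new Pattern[] {VULNERABLE, SAFE}) {
                long t0 = System.nanoTime();
                String result = matchWithTimeout(p, evil, 2000);   // 2 s budget
                long ms = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - t0);
                System.out.printf("%-10s n=%2d -> %-8s (%d ms)%n",
                        p.pattern(), n, result, ms);
            }
        }
    }
}
```

Run it with `java RedosDemo.java` (Java 11+). The absolute times depend on the JVM, but the shape is what matters: the rows for "^(\d+)+$" grow geometrically with n and hit the 2-second budget somewhere in the 20s, while "^\d+$" rejects every input in under a millisecond. In Java specifically the nested form could also be defused with a possessive quantifier, "^(\d++)+$", since the inner group then never gives characters back; removing the nesting is the clearer fix. The same charAt-deadline trick can wrap any pattern a framework applies to untrusted input, which is the practical defence when you cannot audit every expression.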