Fun with regexes

Last year, at one of the Dutch OWASP chapter meetings, Adar Weidman gave a very interesting presentation about ReDoS.

The principle behind a ReDoS is feeding a regex input that will cause it to spawn a huge number of threads, eventually exhausting all resources on the system. Take a look at the OWASP page for more information.
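The exhaustion described above is easy to reproduce with a backtracking engine such as Python's `re`: a pattern with a nested quantifier takes time that roughly doubles for every extra input character, while an equivalent pattern without the nesting stays linear. The following is an added example, not part of the original post; the two patterns, `hostile_input`, the timing helpers and the length cap in `safe_match` are all constructed here for illustration.

```python
import re
import time

# Constructed patterns for this example (not from the original post).
# Both accept exactly the strings made of one or more 'a', but the nested
# quantifier in EVIL_PATTERN makes a backtracking engine try every way of
# splitting the run of 'a's between the inner and outer '+' before it fails.
EVIL_PATTERN = re.compile(r"^(a+)+$")
SAFE_PATTERN = re.compile(r"^a+$")


def hostile_input(n: int) -> str:
    """n times 'a' followed by a character that guarantees a failed match."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str, repeats: int = 5) -> float:
    """Best-of-`repeats` wall-clock seconds for a single match attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, n_small: int = 8, n_large: int = 18) -> float:
    """Slowdown when the hostile input grows from n_small to n_large characters.
    A linear pattern stays close to 1; a catastrophic one approaches 2**(n_large-n_small)."""
    slow = time_match(pattern, hostile_input(n_large))
    fast = time_match(pattern, hostile_input(n_small))
    return slow / max(fast, 1e-9)


def looks_catastrophic(pattern: re.Pattern, threshold: float = 10.0) -> bool:
    """Cheap regression check: flag patterns whose cost explodes with input length."""
    return growth_ratio(pattern) > threshold


def safe_match(pattern: re.Pattern, text: str, max_len: int = 256) -> bool:
    """Mitigation: refuse over-long input before the engine sees it (max_len is an assumed limit)."""
    if len(text) > max_len:
        raise ValueError(f"input longer than {max_len} characters rejected")
    return pattern.match(text) is not None


if __name__ == "__main__":
    for name, pat in (("nested", EVIL_PATTERN), ("flat", SAFE_PATTERN)):
        print(f"{name}: slowdown x{growth_ratio(pat):.0f}, catastrophic={looks_catastrophic(pat)}")
```

Raising `n_large` by a few characters makes the nested pattern take seconds, then minutes, which is the behaviour an attacker-controlled input triggers in production; bounding input length and avoiding nested quantifiers are the usual defences.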

Ever since the presentation I was intrigued by the vulnerability, but did not really see much of it in the field (or I didn't search hard enough).

I mostly forgot about it until I read this post a few months ago. Apparently these things are more widespread than I suspected...

For those interested in regexes who want to learn more and play with them:
http://xenon.stanford.edu/~xusch/regexp/analyzer.html
http://www.regular-expressions.info/
