struts-user mailing list archives

From Greg Lindholm <greg.lindh...@gmail.com>
Subject Regular Expression Denial of Service Attacks and Defenses
Date Thu, 27 May 2010 19:12:36 GMT
This link is to an article that talks of how Denial of Service attacks
can target vulnerable Regular Expressions.

Regular Expression Denial of Service Attacks and Defenses
http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
(Not sure if you need to log in to see this page, I hope not.)

A friend tested the example expression "^(\d+)+$" using the Java Regex
library and discovered it is vulnerable, and a badly formed
30-character string was taking over 2 minutes to determine that it
didn't match.

Struts 2 (and many other frameworks) use regular expressions in
validation.  I'm wondering if anyone has checked to see if any of the
built-in regex expressions are vulnerable; I'm thinking specifically
of the email address validation?

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
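
An added example for this thread, not part of the original message and not Struts code: it runs the expression quoted above and a possessive rewrite that accepts the same strings through `java.util.regex`, counting character reads and aborting once a read budget is spent. The class and method names, the budget and the inputs are assumptions made for the illustration; it needs Java 11 or later for `String.repeat`.

```java
import java.util.regex.Pattern;

// Added example; RegexGuard, BudgetedInput and BudgetExceeded are hypothetical names.
public class RegexGuard {
    static final class BudgetExceeded extends RuntimeException {}

    /** CharSequence view that counts character reads and aborts past a budget. */
    static final class BudgetedInput implements CharSequence {
        private final CharSequence s;
        private final long budget;
        long reads = 0;
        BudgetedInput(CharSequence s, long budget) { this.s = s; this.budget = budget; }
        @Override public char charAt(int i) {
            // The regex engine reads the input through charAt, so this bounds its work.
            if (++reads > budget) throw new BudgetExceeded();
            return s.charAt(i);
        }
        @Override public int length() { return s.length(); }
        @Override public CharSequence subSequence(int a, int b) {
            return new BudgetedInput(s.subSequence(a, b), budget);
        }
        @Override public String toString() { return s.toString(); }
    }

    /** Returns "match", "no match" or "aborted", with the number of character reads. */
    static String check(Pattern p, String input, long budget) {
        BudgetedInput in = new BudgetedInput(input, budget);
        String verdict;
        try {
            verdict = p.matcher(in).matches() ? "match" : "no match";
        } catch (BudgetExceeded e) {
            verdict = "aborted";
        }
        return verdict + " after " + in.reads + " reads";
    }

    public static void main(String[] args) {
        Pattern nested = Pattern.compile("^(\\d+)+$"); // expression quoted in the message
        Pattern flat = Pattern.compile("^\\d++$");     // possessive, no nested quantifier
        long budget = 1_000_000;                       // constructed limit for this demo
        for (int n : new int[] {10, 15, 20, 30}) {
            String bad = "1".repeat(n) + "x";          // constructed: digits, then one non-digit
            System.out.println(n + " digits, nested: " + check(nested, bad, budget));
            System.out.println(n + " digits, flat:   " + check(flat, bad, budget));
        }
    }
}
```

Read counts for the nested pattern can differ between JVM versions; the budget bounds the work in either case, and the same wrapper can sit in front of any validation regex that handles untrusted input.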

