.NET Junkie

05 May 10

Protecting against Regex DOS attacks

Bryan Sullivan describes in the May issue of his MSDN article a denial of service attack that abuses regular expressions. As Bryan explains, a poorly written regex can bring your server to its knees.

Bryan demonstrates that even the simplest regular expressions can bring your server to its knees. Here are some examples of regular expressions that can easily cause this to happen:

^(\d+)+$
^(\d+)*$
^(\d*)*$
^(\d+|\s+)*$
^(\d|\d\d)+$
^(\d|\d?)+$

Read more about the causes and the cures here.

- .NET General, Security - No comments / No trackbacks - § ¶

The code samples on my weblog are colorized using javascript, but you disabled javascript (for my website) on your browser. If you're interested in viewing the posted code snippets in color, please enable javascript.

No comments:

No trackbacks:

Trackback link:

Please enable javascript to generate a trackback url

Name:

Remember personal info?
Yes
No

Email:

URL:

Comment:

Before sending a comment, you have to answer correctly a simple question everyone knows the answer to. This completely baffles automated spam bots.
give the sum of the following numbers: 200, 30 and 4

(Register your username / Log in)

Notify:		Yes, send me email when someone replies.
Hide email:		Yes, hide my email address.

Small print: All html tags except <b> and <i> will be removed from your comment. You can make links by just typing the url or mail-address.

«	September 2010
S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Protecting against Regex DOS attacks

Bryan Sullivan describes in the May issue of his MSDN article a denial of service attack that abuses regular expressions. As Bryan explains, a poorly written regex can bring your server to its knees.

Visitors

Calendar

Archives

Books I've read