|C# 3.5||Yes||[ Source ] [ Results ]|
|IronPython 2.6||Yes||[ Source ] [ Results ]|
|Java for Windows||Yes||[ Source ] [ Results ]|
|Perl 5.10.1||No||[ Source ] [ Results ]|
|PHP 5.3.2||No||[ Source ] [ Results ]|
|PHP 5.3.2 (with mb_ereg)||Yes||[ Source ] [ Results ]|
|Python 2.6 for Windows||Yes||[ Source ] [ Results ]|
The ReDoS problem is particularly acute for Web applications running on Web servers, and for other network servers, that use regular expressions for input validation. In the real world, the ReDoS problem appears to show up most often in regular expressions used to validate email addresses.
The following is a simple example of a regular expression which can cause a denial of service attack:
^(a+)+$

The test string "aaaaaaaaaaaaaaaaaaaaaaa!" (23 a's followed by an exclamation point) will typically take 1 second to execute with a regular expression matcher that suffers from the ReDoS problem. Increasing the number of "a" characters in the test string to 44 will drive up the execution time to more than 1 million seconds, which is approximately 277 hours.
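The growth described above can be reproduced deterministically by counting attempts instead of timing them. The following is an added example, not code from the original page: `backtrack_steps` is a simplified model of a backtracking matcher for this one pattern (real engines differ in constant factors), and `^a+$` is an assumed rewrite that accepts the same strings without the nested quantifier.

```python
import itertools
import re

NESTED = re.compile(r"^(a+)+$")  # pattern from the page
FLAT = re.compile(r"^a+$")       # assumed rewrite: same language, no nested quantifier


def backtrack_steps(text):
    """Model a backtracking matcher on ^(a+)+$; return (matched, group attempts)."""
    steps = 0

    def groups(pos):
        nonlocal steps
        end = pos
        while end < len(text) and text[end] == "a":
            end += 1
        # Greedy a+: try the longest run first, then give back one char at a time.
        for stop in range(end, pos, -1):
            steps += 1
            if stop == len(text):  # $ succeeds
                return True
            if groups(stop):       # next iteration of the outer +
                return True
        return False

    return groups(0), steps


def same_language(max_len=8):
    """Check NESTED and FLAT agree on every string over {a, !} up to max_len."""
    for n in range(max_len + 1):
        for chars in itertools.product("a!", repeat=n):
            s = "".join(chars)
            if bool(NESTED.match(s)) != bool(FLAT.match(s)):
                return False
    return True


if __name__ == "__main__":
    # Constructed inputs, kept short so the model finishes instantly.
    for n in (4, 8, 12, 16):
        matched, steps = backtrack_steps("a" * n + "!")
        print(f"{n:2d} a's + '!': matched={matched} attempts={steps}")
    # Growth factor between the page's two test strings (23 and 44 a's).
    print("23 -> 44 a's multiplies attempts by", 2 ** (44 - 23))
    print("rewrite accepts the same strings:", same_language())
```

In this model each extra "a" before the "!" doubles the number of attempts, while a string that matches is accepted on the first attempt, which is why only near-miss inputs trigger the slowdown.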
The following Wikipedia article provides more information about the ReDoS attack problem:
Author: Richard M. Smith
Please send comments, questions, suggestions, etc. to email@example.com