Protecting against Regex DOS attacks

Bryan Sullivan describes in the May issue of his MSDN article a denial of service attack that abuses regular expressions. As Bryan explains, a poorly written regex can bring your server to its knees.

Bryan demonstrates that even the simplest regular expressions can bring your server to its knees. Here are some examples of regular expressions that can easily cause this to happen:

^(\d+)+$
^(\d+)*$
^(\d*)*$
^(\d+|\s+)*$
^(\d|\d\d)+$
^(\d|\d?)+$

Read more about the causes and the cures here.

UPDATE 2012-06-04: .NET 4.5 contains a RegEx.Timeout property to specify a maximum duration for the regex.

Comments

Wish to comment?

I'm sorry, but commenting is currently turned off for this blog post.

Found a typo?

The MarkDown file of this blog post can be found here. I accept pull requests.

Buy my book

I coauthored the book Dependency Injection Principles, Practices, and Patterns. If you're interested to learn more about DI and software design in general, consider reading my book. Besides English, the book is available in Chinese, Italian, Polish, and Russian.