RE: Exploring Regular Expression Denial of Service

Cite

DEF CON

Davisson, Eric (XlogicX)

Formal Metadata

Title

RE: Exploring Regular Expression Denial of Service

Alternative Title

REvisiting RE DoS

Title of Series

DEF CON 23

Number of Parts

109

Author

Davisson, Eric (XlogicX)

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/36363 (DOI)

Publisher

DEF CON

Release Date

2015

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Regular Expression Denial of Service has existed for well over a decade, but has not received the love it deserves lately. There are some proof of concept attacks out there currently, most of which are ineffective due to implementation optimizations. Regardless of the effectiveness most of these PoC's are geared only to NFA engines. This talk will demonstrate working PoC's that bypass optimizations. Both NFA and DFA engines will get love. Tools will be released (with demonstration) that benchmark NFA/DFA engines and automate creation of 'evil strings' given an arbitrary regular expression. Attendees can expect a review of regex and a deep under the hood explanation of both regex engines before abuses ensue. ^ Not a security researcher