This link is to an article that talks of how Denial of Service attacks can target vulnerable Regular Expressions.
Regular Expression Denial of Service Attacks and Defenses http://msdn.microsoft.com/en-us/magazine/ff646973.aspx (Not sure if you need to login to see this page, I hope not.) A friend tested the example expression "^(\d+)+$" using the Java Regex library and discovered it is vulnerable and a badly formed 30 character string was taking over 2 minutes to determine that it didn't match. Struts 2 (and many other frameworks) use regular expressions in validation. I'm wondering if anyone has checked to see if any of the built in regex expressions are vulnerable, I'm thinking specifically of the email address validation? --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
