Note that the OWASP page [1] (see below) is just an excerpt of Adar's original
paper.
http://www.checkmarx.com/white_papers/redos-regular-expression-denial-of-service/
Andrés, I don't have a solution for python, but you can use the regex and
patterns
as described in https://github.com/EnDe/ReDoS (which is inspired by chekmarx'
paper:).
Hope this helps
Achim
Am 02.08.2012 15:24, schrieb Andres Riancho:
> Carlos,
>
> On Wed, Aug 1, 2012 at 10:04 PM, Carlos Pantelides
> <carlos_panteli...@yahoo.com> wrote:
>> Andres:
>>
>> I'm in the oven, I'll try to read the links and make something up.
>> Meanwhile, what are you asking for is a language or library that suffers for
>> this kind of vulnerability, aren't you?
>>
>> I did not try the javascript code [1], isn't what are you asking for?
>
> Yes, the thing is that I want to test the redos.py plugin [0] and
> can't do it with javascript. I need something that runs on the
> server-side. I cried for help on twitter and some people pointed me to
> Java, telling me that it is vulnerable. I'll test it out in a bit,
> need some time to setup tomcat, etc.
>
> [0]
> https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/audit/redos.py
>
>>
>> Carlos Pantelides
>>
>> @dev4sec
>>
>>
>> http://seguridad-agile.blogspot.com/
>> ________________________________
>> From: Andres Riancho <andres.rian...@gmail.com>
>> To: "w3af-develop@lists.sourceforge.net"
>> <W3af-develop@lists.sourceforge.net>; w3af-us...@lists.sourceforge.net
>> Sent: Wednesday, August 1, 2012 3:40 PM
>> Subject: Re: [W3af-users] Regular expression DoS
>>
>> Ping! Someone can help me out?
>>
>> On Thu, Jul 26, 2012 at 1:59 PM, Andres Riancho
>> <andres.rian...@gmail.com> wrote:
>>> Lists,
>>>
>>> I'm trying to write a unittest for our redos audit plugin [0] that
>>> aims to find regular expression denial of service as explained here
>>> [1]. My problem at this point, and this is why I'm contacting you, is
>>> that I know for a fact that both PHP and Python are safe against this
>>> vulnerability (because of their regex engines being safe), but I want
>>> to have a unittest that really verifies that the plugin works and can
>>> identify the vulnerability... which programming language should I use
>>> to code the vulnerable script?
>>>
>>> Thanks!
>>>
>>> [0]
>>> https://sourceforge.net/apps/trac/w3af/browser/trunk/plugins/audit/redos.py
>>> [1]
>>> https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
>>>
>>> Regards,
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
