Hello,
I am no friend of regular expressions, probably because, except for the simplest ones, they tend to be a hell of characters on a single line that can save you work but give you more than one headache. Add to that the number of examples on the internet of different regexes for all kinds of scenarios, because things can go very wrong almost without you realizing it.
Why can it go wrong? Because, more often than it seems, a RegExp has to be processed in order to be solved, and that processing, depending on the input data, can lead to very long execution times or even memory leaks.
So, does copying a line from the internet and pasting it into your code still look so nice now?
The MSDN Magazine article “Regular Expression Denial of Service Attacks and Defenses” deals with this topic and also shows how a bad RegExp implementation can lead to DoS attacks.
In addition, from the results of evaluating a RegExp we can create a bug directly in Team Foundation Server 2010. This tool (SDL Regex Fuzzer) is part of the SDL (Security Development Lifecycle), and its integration with TFS is minimal: it lets us create Bugs in Team Foundation Server.
For example, if we analyze the RegExp ^(\d|\d?)+$, one of the ugliest forms I’ve seen in a long time:
From it we can create a Bug in our Team Project with the fields:
Title: Exponential execution time in regular expression pattern ^(\d|\d?)+$
Description: The regular expression pattern ^(\d|\d?)+$ can operate in a worst-case exponential execution time, potentially causing a denial of service to the application.
and leave it as a point to be solved so that it does not slip through.
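An added example (mine, not code from the post or from the SDL tool) that shows the exponential behaviour behind that bug in Python’s backtracking re engine: the time to reject an input of n digits followed by a non-digit doubles with every extra digit, while the equivalent pattern ^\d*$ (my rewrite; it accepts exactly the same strings) stays flat.

```python
import re
import time

# The pattern from the post and a safe equivalent (the rewrite is an
# assumption of this example, not the tool's suggestion). Both accept
# exactly the strings made only of digits, including the empty string.
VULNERABLE = r"^(\d|\d?)+$"
SAFE = r"^\d*$"


def adversarial_input(n):
    """n digits followed by a character that can never match: the engine
    must try every way of splitting the digits between the two
    alternatives (2**n paths) before it can report failure."""
    return "1" * n + "!"


def match_time(pattern, text):
    """Seconds spent in a single re.match call (compile is not timed)."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


def growth(pattern, sizes=(8, 12, 16, 20)):
    """Map input length -> match time, to see how the cost scales."""
    return {n: match_time(pattern, adversarial_input(n)) for n in sizes}


def same_language(samples=("", "7", "123456", "12a4", "1 2", "!")):
    """True if both patterns accept and reject exactly the same samples."""
    return all(
        bool(re.match(VULNERABLE, s)) == bool(re.match(SAFE, s))
        for s in samples
    )


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        times = growth(pattern)
        print(name, {n: f"{t:.4f}s" for n, t in times.items()})
    print("equivalent:", same_language())
```

Increase the sizes beyond 20 only in steps: every extra digit doubles the time of the vulnerable pattern.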
So now you know: before using a RegExp, review it with this tool to analyze it for vulnerabilities.
Greetings @ Here
El Bruno
Download: http://www.microsoft.com/download/en/details.aspx?id=20095
Reference: http://msdn.microsoft.com/en-us/site/ff646973
Security Development LifeCycle: http://blogs.msdn.com/b/sdl/archive/2010/10/12/new-tool-sdl-regex-fuzzer.aspx