SDL Regex Fuzzer

Posted by on November 1, 2010

Updated 11/2/2010
Microsoft has released a new free tool called the SDL Regex Fuzzer. You can download it from Microsoft's Download Center here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f. The Regex Fuzzer tests regular expressions to see whether they are vulnerable to regular expression denial of service (ReDoS). In a ReDoS attack the attacker supplies a specially crafted input for the regex to parse; on a backtracking engine such as .NET's, an ambiguous pattern (nested or overlapping quantifiers, for example) can take exponential time to reject that input, so a string only a few dozen characters long can tie up a CPU core for seconds or hours. This is particularly dangerous in a cloud setting where the customer pays for CPU time and other resources: running those resources up runs the bill up as well, on top of the outage itself. The tool can be added to the SDL process to verify regular expressions before they get into production; a pattern it flags should be rewritten so it is unambiguous, and input length should be capped before the regex ever sees the data.

Update:
More information about ReDoS can be found here: http://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
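
To make the attack concrete, here is an added example that is not part of the original post and has nothing to do with the internals of Microsoft's tool. It uses Python's standard `re` module, which, like .NET's `Regex`, is a backtracking engine, so the behaviour carries over. The two patterns, the probe input (a run of `a`s followed by a character that forces the final `$` to fail) and the time thresholds are assumptions chosen for the demonstration:

```python
import re
import time

# Constructed example patterns (assumptions for this demo, not from the post).
# VULNERABLE has a nested quantifier: once the trailing "$" fails on "!", the
# engine retries every way of splitting the run of "a"s between the inner and
# outer "+", which is 2**(n-1) attempts for n characters.
VULNERABLE = re.compile(r"^(a+)+$")
# HARDENED accepts exactly the same strings, but with one quantifier there is
# only one way to consume the run, so rejection is linear in the input length.
HARDENED = re.compile(r"^a+$")


def malicious_input(n: int) -> str:
    """n 'a's followed by a character that makes the final '$' fail."""
    return "a" * n + "!"


def time_match(regex: re.Pattern, text: str) -> float:
    """Wall-clock seconds for one match attempt against text."""
    start = time.perf_counter()
    regex.match(text)
    return time.perf_counter() - start


def probe(regex: re.Pattern, lengths=(12, 14, 16, 18, 20)):
    """Time the regex against malicious inputs of increasing length.

    Returns a list of (length, seconds) pairs so the growth can be inspected.
    """
    return [(n, time_match(regex, malicious_input(n))) for n in lengths]


def looks_vulnerable(timings, min_seconds=0.02, min_growth=4.0) -> bool:
    """Heuristic verdict in the spirit of a regex fuzzer (thresholds are assumed).

    Flag the pattern when the longest probe is slow in absolute terms AND the
    cost grew much faster than the input did; a linear pattern stays in the
    microsecond range and is never flagged.
    """
    (_, first), (_, last) = timings[0], timings[-1]
    return last >= min_seconds and last >= min_growth * first


if __name__ == "__main__":
    for name, regex in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        timings = probe(regex)
        for n, seconds in timings:
            print(f"{name:10s} n={n:2d}  {seconds * 1000:9.3f} ms")
        print(f"{name:10s} verdict: {'ReDoS' if looks_vulnerable(timings) else 'ok'}")
```

Adding two characters to the probe roughly quadruples the time for `^(a+)+$`, while `^a+$` stays flat; extrapolate to a 40-character input and the vulnerable pattern would run for hours. The same experiment against a .NET regex gives the same shape, which is exactly the signal the SDL Regex Fuzzer looks for. The fixes are the usual ones: remove the ambiguity from the pattern, bound the length of untrusted input before matching it, and, where the regex library offers one, set a match timeout so a single request cannot hold a core indefinitely.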

When I first ran the application, I received a MethodNotFound exception in System.Threading. Installing .NET 3.5 SP1 resolved this issue.
