[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regular Expression Denial of Service

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Regular Expression Denial of Service
From: hackerwebzine@xxxxxxxxx
Date: Mon, 28 Sep 2009 07:19:06 -0600

Alex, it isn't a new technique in web-application security. If you queried 
Google, or did some research on recent (2007) Blackhat talks, you'll probably 
noticed that this is very well known and understood technique. Even Charles 
Miller talked about it (on the OSX Safari exploits). So the claim that security 
researchers are not aware of it, it somewhat misleading. I personally (and many 
others too) used the same techniques, albeit slightly different for over 8 
years when auditing applications. Since you seem to propose a serious "new" 
research area, i expect you to research it's history first before claiming 
"new" research, at least I would appreciate it.

Prev by Date: [SECURITY] [DSA 1897-1] New horde3 packages fix arbitrary code execution
Next by Date: [MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure
Previous by thread: Re: Regular Expression Denial of Service
Next by thread: [ MDVSA-2009:230 ] pidgin
Index(es):
- Date
- Thread