SDL Regex Fuzzer is a free security testing tool developed by Microsoft to detect vulnerabilities in regular expressions that could lead to a Regular Expression Denial of Service (ReDoS) attack. It was built to be used during the verification stage of the Microsoft Security Development Lifecycle (SDL) process.

What is SDL Regex Fuzzer?

Regular expressions (regex) are strings used to match patterns in text (such as validating an email address or phone number). However, if a regular expression is poorly constructed—especially when it contains nested repetitions or overlapping groupings (e.g., (a+)+)—certain inputs can cause the regex engine to evaluate combinations in exponential time. This phenomenon is called catastrophic backtracking.

If an attacker identifies such a flawed regex in an application, they can deliberately feed it a crafted string. The thread evaluating the expression then gets stuck in an effectively unbounded, CPU-bound backtracking computation, consuming the server's processing capacity and causing a Denial of Service (DoS) for legitimate users.

The SDL Regex Fuzzer was designed specifically to find these catastrophic backtracking flaws in .NET Framework applications before code is shipped to production.

How It Works

The tool automates the process of finding problematic string patterns that trigger ReDoS. Instead of requiring a developer to manually guess what input might break their regex, the fuzzer handles data generation automatically:
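To make the verification step concrete, here is an added example (not part of the original article or of Microsoft's tool) of the two checks a minimal ReDoS harness performs: a static scan for the nested-quantifier shape described above, and a timing probe that feeds a pattern inputs of growing length and flags super-linear growth. The sample patterns and the `NESTED_QUANTIFIER` heuristic are constructed for this example; Python's `re` engine is used because it backtracks in the same way as the .NET engine the page discusses.

```python
import re
import time

# Textual heuristic for the shape the article warns about: a quantified
# group whose body itself ends with a quantifier, e.g. (a+)+ or ([a-z]*)*.
# Constructed for this example; it does not parse the regex, so it catches
# only the simple nested cases and misses overlapping alternations.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*]\)[+*]")


def has_nested_quantifier(pattern: str) -> bool:
    """Static check: True if the pattern text contains a nested repetition."""
    return NESTED_QUANTIFIER.search(pattern) is not None


def probe_time(pattern: str, length: int, repeats: int = 3) -> float:
    """Seconds to run `pattern` against 'a' * length followed by '!'.

    The '!' guarantees no overall match, so a backtracking engine must try
    every way of splitting the run of a's before giving up. The minimum of
    several repeats is reported to reduce timer noise.
    """
    compiled = re.compile(pattern)
    text = "a" * length + "!"
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.fullmatch(text)
        best = min(best, time.perf_counter() - start)
    return best


def is_superlinear(pattern: str, lengths=(8, 12, 16), ratio=8.0) -> bool:
    """Dynamic check: feed inputs of growing length and compare timings.

    Adding four characters to a linear-time regex should cost well under
    `ratio` times more; an exponential one roughly multiplies by 2**4.
    The 1e-6 floor keeps sub-microsecond measurements from tripping the ratio.
    """
    previous = None
    for n in lengths:
        elapsed = probe_time(pattern, n)
        if previous is not None and elapsed > ratio * max(previous, 1e-6):
            return True
        previous = elapsed
    return False


if __name__ == "__main__":
    for candidate in ("(a+)+$", "a+$"):
        print(candidate, "nested:", has_nested_quantifier(candidate),
              "superlinear:", is_superlinear(candidate))
```

Both checks report the `(a+)+$` pattern and clear the equivalent `a+$`, which matches the same language without nested repetition.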
