ReDoS (Regular Expression Denial of Service) Scanner

Scan one or more regex patterns for catastrophic backtracking risk, simulate evil inputs, and suggest safer rewrites

Paste one regular expression per line and optionally set flags, maximum evil-input length, and simulation runs. The scanner uses both static heuristics and near-miss input simulation to estimate whether the pattern can degrade toward catastrophic backtracking.

How to use it:

  • Regex List: one pattern per line, without surrounding slashes
  • Flags: optional JavaScript regex flags such as i, m, or u
  • Max Evil Input Length: longest generated near-miss attack string
  • Simulation Runs: how many repeated match attempts to use during benchmarking

What it reports:

  • static anti-pattern findings
  • worst simulated near-miss execution time
  • a risk score and risk level
  • a safer rewrite suggestion

Example Results

1 examples

Check whether a login-validation regex can be exploited with catastrophic backtracking

Score a risky nested-quantifier pattern, simulate near-miss input, and review a safer rewrite before it reaches production.

{
  "summary": {
    "patterns": 2,
    "critical": 1
  },
  "results": [
    {
      "pattern": "(a+)+$",
      "riskLevel": "critical"
    }
  ]
}
View input parameters
{ "regexList": "(a+)+$\n^(\\w+\\s?)*$", "flags": "", "maxEvilInputLength": 32, "simulationRuns": 200 }

Key Facts

Category
Security & Validation
Input Types
textarea, text, number
Output Type
json
Sample Coverage
4
API Ready
Yes

Overview

The ReDoS Scanner is a security utility that evaluates regular expressions for catastrophic backtracking vulnerabilities. By combining static heuristics with near-miss input simulations, it identifies risky patterns, benchmarks worst-case execution times, and provides safer rewrite suggestions to prevent Regular Expression Denial of Service attacks.

When to Use

  • Auditing user-submitted regular expressions before allowing them to execute on your server.
  • Reviewing complex nested quantifiers in legacy codebases during security audits.
  • Testing input validation patterns for potential performance bottlenecks under edge-case conditions.

How It Works

  • Paste one or more regular expressions into the input field, one per line, without surrounding slashes.
  • Optionally specify JavaScript regex flags, maximum evil input length, and the number of simulation runs.
  • The scanner analyzes the patterns using static heuristics and generates near-miss attack strings to benchmark execution time.
  • Review the generated JSON report detailing risk levels, worst-case execution times, and suggested safer rewrites.

Use Cases

Securing Node.js backend APIs against ReDoS attacks by validating custom routing or input validation regexes.
Integrating into a DevSecOps workflow to statically analyze and benchmark regex patterns before deployment.
Optimizing slow-performing search or parsing scripts by identifying and rewriting inefficient regex patterns.

Examples

1. Evaluating a login validation regex

Backend Developer
Background
A developer is implementing a new email and username validation schema on a Node.js server.
Problem
Nested quantifiers in the validation regex might expose the server to ReDoS attacks if a malicious user submits a carefully crafted payload.
How to Use
Paste the regex ^(\w+\s?)*$ into the Regex List, set Max Evil Input Length to 64, and run the scan.
Example Config
Flags: (empty), Max Evil Input Length: 64, Simulation Runs: 200
Outcome
The scanner flags the pattern as 'critical', reports the worst simulated execution time, and suggests a non-backtracking alternative.

2. Auditing legacy text parsing scripts

Security Engineer
Background
A security team is reviewing an older application that uses complex regular expressions to parse large log files.
Problem
The team needs to identify which specific regex patterns are causing intermittent CPU spikes during log processing.
How to Use
Paste multiple regex patterns into the Regex List (one per line), configure the simulation runs to 500, and execute the benchmark.
Example Config
Flags: g, Max Evil Input Length: 128, Simulation Runs: 500
Outcome
A JSON report is generated detailing the risk score for each pattern, isolating the exact regex causing the CPU spikes, and providing safer rewrites.

Try with Samples

regex
Web String Processing Python Samples
Web Python string processing examples including string split/join, regular expressions, and string replacement
preferred input family regex
regex
Windows String Processing - C++ Samples
Comprehensive C++ string processing examples for Windows platform including concatenation, regular expressions, and replacement operations
preferred input family regex
regex
Android String Processing Java Samples
Android Java string processing examples including string split and join, regular expressions, and string replacement
preferred input family regex
regex
Android String Processing Kotlin Samples
Android Kotlin string processing examples including string split and join, regular expressions, and string replacement
preferred input family regex
regex

FAQ

What is catastrophic backtracking?

It occurs when a regular expression engine evaluates a complex pattern against a near-miss string, causing execution time to grow exponentially and potentially crashing the application.

How does the scanner generate evil inputs?

It analyzes the regex structure to craft specific near-miss strings designed to trigger worst-case backtracking scenarios up to your specified maximum length.

Do I need to include slashes in my regex?

No, paste the raw pattern without the surrounding forward slashes (e.g., (a+)+$ instead of /(a+)+$/).

What do the simulation runs do?

The simulation runs dictate how many times the regex engine attempts to match the generated evil input, providing a reliable benchmark for execution time.

Can this tool fix my vulnerable regex automatically?

The tool provides a safer rewrite suggestion in its JSON output, but you should always test the suggested pattern to ensure it meets your specific validation requirements.

API Documentation

Request Endpoint

POST /en/api/tools/redos-regex-scanner

Request Parameters

Parameter Name Type Required Description
regexList textarea Yes -
flags text No -
maxEvilInputLength number No -
simulationRuns number No -

Response Format

{
  "key": {...},
  "metadata": {
    "key": "value"
  },
  "error": "Error message (optional)",
  "message": "Notification message (optional)"
}
JSON Data: JSON Data

AI MCP Documentation

Add this tool to your MCP server configuration: 

{
  "mcpServers": {
    "elysiatools-redos-regex-scanner": {
      "name": "redos-regex-scanner",
      "description": "Scan one or more regex patterns for catastrophic backtracking risk, simulate evil inputs, and suggest safer rewrites",
      "baseUrl": "https://elysiatools.com/mcp/sse?toolId=redos-regex-scanner",
      "command": "",
      "args": [],
      "env": {},
      "isActive": true,
      "type": "sse"
    }
  }
}

You can chain multiple tools, e.g.: `https://elysiatools.com/mcp/sse?toolId=png-to-webp,jpg-to-webp,gif-to-webp`, max 20 tools.

If you encounter any issues, please contact us at [email protected]