UD5 Toolkit
Cloze Test Generator - Online Remove Words for Learning
Paste a passage and automatically remove every nth word to create a fill‑in‑the‑blank exercise. For teaching and self‑study.
Regex Injection / ReDoS Tester - Online Safe Pattern Test
ReDoS Vulnerability Tester
Detect Regular Expression Denial of Service (ReDoS) vulnerabilities & regex injection risks. Safely test patterns with timeout protection and static analysis.
Web Worker Sandbox
5s Timeout
/
/
Flags:
Presets:
Attack string generated based on pattern analysis
Testing in sandboxed worker...
No test results yet
Enter a regex pattern and click "Run ReDoS Test" to begin.
--
Ready
Run a test to assess vulnerability.
Execution Time
--
0ms
10ms
100ms
1s
5s+
Waiting...
Detected Vulnerability Patterns
No patterns analyzed yet.
Fix Suggestions
Sandbox idle
Frequently Asked Questions
What is a ReDoS attack?
ReDoS (Regular Expression Denial of Service) is a type of attack that exploits the backtracking behavior of regex engines. By crafting a malicious input string, an attacker can cause a regex to take exponentially long to evaluate—potentially seconds, minutes, or even hours—consuming CPU resources and denying service to legitimate users. This is especially dangerous on server-side applications where a single slow regex can block the entire event loop or thread pool.
Which regex patterns are vulnerable to ReDoS?
The most common dangerous patterns include:
1. Nested quantifiers: (a+)+, (x*)*, (.+){2,}
2. Overlapping alternation: (a|aa|aaa)+b — where branches can match the same characters
3. Quantified optional groups: (x?)+, ([,-]?)+
4. Greedy quantifiers before optional parts: .*=.* on input with no =
5. Multiple overlapping
The common trait: exponential backtracking when the regex engine tries all possible ways to split the match.
1. Nested quantifiers: (a+)+, (x*)*, (.+){2,}
2. Overlapping alternation: (a|aa|aaa)+b — where branches can match the same characters
3. Quantified optional groups: (x?)+, ([,-]?)+
4. Greedy quantifiers before optional parts: .*=.* on input with no =
5. Multiple overlapping
.* patterns: .*.*.*The common trait: exponential backtracking when the regex engine tries all possible ways to split the match.
How does this tester detect ReDoS vulnerabilities?
This tool uses a two-pronged approach:
1. Static Analysis: Scans the regex pattern for known dangerous structures (nested quantifiers, overlapping alternation, etc.) using pattern-matching rules.
2. Safe Execution Test: Runs the regex against an auto-generated attack string inside a sandboxed Web Worker with a 5-second timeout. If the worker is terminated due to timeout, it confirms a severe ReDoS vulnerability. If it completes, the execution time is measured and compared against safe thresholds.
The combination of static analysis and empirical testing provides a comprehensive vulnerability assessment.
1. Static Analysis: Scans the regex pattern for known dangerous structures (nested quantifiers, overlapping alternation, etc.) using pattern-matching rules.
2. Safe Execution Test: Runs the regex against an auto-generated attack string inside a sandboxed Web Worker with a 5-second timeout. If the worker is terminated due to timeout, it confirms a severe ReDoS vulnerability. If it completes, the execution time is measured and compared against safe thresholds.
The combination of static analysis and empirical testing provides a comprehensive vulnerability assessment.
What is regex injection and how is it related?
Regex injection occurs when user-supplied input is directly incorporated into a regular expression without proper sanitization. An attacker can inject:
• ReDoS patterns: e.g., injecting (a+)+ to cause denial of service
• Pattern-altering metacharacters: e.g., | to bypass filters, .* to match everything
• Unexpected flags or modifiers
Prevention: Always escape user input before using it in regex patterns (use regexEscape() utilities), validate and limit input length, and avoid constructing dynamic regex from untrusted sources whenever possible.
• ReDoS patterns: e.g., injecting (a+)+ to cause denial of service
• Pattern-altering metacharacters: e.g., | to bypass filters, .* to match everything
• Unexpected flags or modifiers
Prevention: Always escape user input before using it in regex patterns (use regexEscape() utilities), validate and limit input length, and avoid constructing dynamic regex from untrusted sources whenever possible.
How can I fix a ReDoS-vulnerable regex?
1. Remove unnecessary nesting: Change (a+)+ to a+
2. Simplify alternation: Change (a|aa|aaa)+ to a+
3. Use possessive quantifiers (not supported in JS, but can be simulated with atomic groups in some engines): a++ instead of a+
4. Limit repetition: Use {1,10} instead of + or * when possible
5. Use non-backtracking constructs: Leverage lookahead assertions carefully
6. Pre-validate input length: Limit the length of strings passed to complex regex
7. Use a DFA-based regex library (like re2 for Node.js) that guarantees linear-time matching
This tool provides specific fix suggestions based on the detected patterns.
2. Simplify alternation: Change (a|aa|aaa)+ to a+
3. Use possessive quantifiers (not supported in JS, but can be simulated with atomic groups in some engines): a++ instead of a+
4. Limit repetition: Use {1,10} instead of + or * when possible
5. Use non-backtracking constructs: Leverage lookahead assertions carefully
6. Pre-validate input length: Limit the length of strings passed to complex regex
7. Use a DFA-based regex library (like re2 for Node.js) that guarantees linear-time matching
This tool provides specific fix suggestions based on the detected patterns.
Are all regex engines equally vulnerable?
No. Regex engines fall into two categories:
Backtracking engines (vulnerable): JavaScript (V8, SpiderMonkey, JSC), Python (re module), PHP (pcre), Ruby, Perl, .NET (by default). These can exhibit exponential worst-case behavior.
DFA/Thompson NFA engines (resistant): Go (regexp), Rust (regex crate), RE2 (C++/Node.js binding), PostgreSQL ~ operator. These guarantee O(n) time complexity.
Since JavaScript is widely used for both frontend and backend (Node.js), ReDoS is a critical concern for web developers. Chrome's V8 has some optimizations but is not immune to ReDoS.
Backtracking engines (vulnerable): JavaScript (V8, SpiderMonkey, JSC), Python (re module), PHP (pcre), Ruby, Perl, .NET (by default). These can exhibit exponential worst-case behavior.
DFA/Thompson NFA engines (resistant): Go (regexp), Rust (regex crate), RE2 (C++/Node.js binding), PostgreSQL ~ operator. These guarantee O(n) time complexity.
Since JavaScript is widely used for both frontend and backend (Node.js), ReDoS is a critical concern for web developers. Chrome's V8 has some optimizations but is not immune to ReDoS.
Security note: All regex testing is performed in an isolated Web Worker with a hard 5-second timeout. Your browser's main thread is never blocked. No data is sent to any server — everything runs locally in your browser. For production regex security, consider using RE2 or similar DFA-based engines, and always validate user input length.
Syllogism Logic Checker – Online Categorical Logic Validator
Enter two premises and a conclusion (All A are B, Some C are not B, etc.) to check validity using Venn diagram rules.
Love Calculator - Online Fun Romance Compatibility Test
Enter two names and get a playful love compatibility percentage. Purely for entertainment! All calculation happens instantly in your browser.
Currency Name ↔ Code Converter - Online USD/EUR Lookup
Find the currency code (USD, EUR, JPY) for any country or reverse‑lookup the country from a code. Static reference.
Math Expression Evaluator - Online Type & Calculate
Type a mathematical expression like 'sqrt(16)+sin(pi/2)' and get the result instantly. Supports popular functions. Local.
Homophone Checker - Online Sound‑Alike Words Tool
Type a word to see all its homophones with definitions. Avoid embarrassing mistakes (their/there/they’re). Static dictionary.
A/B Test Significance Calculator - Online Simple Stats Tool
Check if your A/B test results are statistically significant using chi-squared test. Enter visitors & conversions for control/variant. Results in plain English.
Currency Converter - Online Exchange Rate (Manual Update)
Convert between currencies using manually updated or default rates. Great for estimation when offline. Local settings.
Static Currency Converter - Online Fixed Rates Table
Convert currencies using a built‑in table of approximate fixed rates. Useful for quick estimates without live data. Local.
Shoelace Length Calculator – Online Eyelet Pairs & Pattern
Enter number of eyelet pairs and lacing style to find the correct shoelace length in inches/cm. Never buy too short.
Text to Binary String - Online 0s and 1s Converter
Convert any text to a long string of binary digits. Perfect for learning binary representation. Local conversion.
Web Share Level 2 Tester - Online Share Files
Test sharing multiple files (images, PDFs) using the Web Share API. Check if the browser supports file sharing. Demo page.
Abrasive Disc Size & Hole Pattern Lookup – Online ROS Compatibility
Enter your sander model or hole count to find compatible hook‑and‑loop discs. Stop buying the wrong sandpaper.
Wax Melt Calculator – Online Oil & Dye Amounts
Calculate the amount of wax, fragrance oil, and dye for silicone mold cavities. Perfect scent throw.
Leap Year Checker - Online Verify February 29
Enter a year to check if it is a leap year. Shows the rule explanation and next/previous leap years. Simple reference.
Number to Words Converter - Online Full English
Type a number and see its full English word representation (e.g., 123 → one hundred twenty‑three). Supports large numbers.
Advanced Case Converter – Online snake_case camelCase kebab-case
Convert text between various programming case styles. Includes SCREAMING_SNAKE, PascalCase, etc.
Number to Words Converter - Online Write Out Currency
Convert a numeric amount into English words, perfect for writing checks or legal documents. Supports USD/GBP styles.
Periodic Table Speller - Online Write Words with Elements
Type a word and see if it can be spelled using chemical element symbols. Geeky custom message creator. Copy or share.
Number to English Words (Decimal) – Online Check Writer
Convert a number like 1234.56 to English words 'one thousand two hundred thirty-four and 56/100'. For checks.
HMAC Generator - Online SHA‑256/512 Message Authentication
Create an HMAC (Hash‑based Message Authentication Code) using SHA‑256 or SHA‑512 with a secret key. Verify data integrity. Local.
Eye Prescription Converter - Glasses to Contact Lens Rx Tool
Approximate conversion from eyeglass prescription to contact lens power. Uses vertex distance formula. For educational purposes only, consult your optometrist.
Shamir's Secret Sharing Demo - Online Split & Recover Secret
Split a secret string into N shares where K are needed to recover. Educational cryptography demo. Uses simple XOR-based scheme. Local.
String Art Pattern Preview - Online Thread Layout on Circle
Design circular string art by ticking nails and seeing simulated thread lines. Adjust number of nails and steps. Export pattern. Local only.
UK Tax Code Checker - Online Understand Your Code
Enter your UK tax code and see an explanation of what the numbers and letters mean. Simple educational reference. No data stored.
Email Permutator - Online Generate All Possible Addresses
Enter a first name and last name, plus a domain, to generate common email address patterns. For finding contacts.
Bead Loom Pattern Designer – Online Grid & Thread
Click grid to place beads, choose colors, generate a loom pattern. Download as image.
False Friends Language Quiz – Online English/Spanish etc.
Show a word and guess the correct translation, but watch out for false friends. Avoid embarrassment.
Language Cheat Sheet Generator - Online Phrase Card for Travel
Select a destination language and generate a printable mini phrasebook with essential greetings, directions, food, and emergency phrases. Local only.
Polygon Area Calculator - Online Irregular Shape Tool
Calculate the area of an irregular polygon by entering its vertex coordinates. Uses the shoelace formula. Pure math.