Skip to content
A tool for generating worst-case inputs to commonly used algorithms
Python Java C# Erlang HTML Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs new file: Mar 27, 2019
exploits Merge branch 'pdf-update' into 'master' Jul 30, 2019
input Added tests for regular expression parser and redos exploit Apr 12, 2019
options Added ability to add custom option values with preset values Mar 27, 2019
output Made some tests faster and added parellel test option Apr 10, 2019
targets resolve merge conflicts Aug 8, 2019
test Added support for more regex constructs May 10, 2019
.coveragerc Added test file and note about how to add future tests Apr 15, 2019
.gitignore Updated regex parser to support character class Apr 11, 2019 update CONTRIBUTING to include tests for exploits Apr 10, 2019 update installation instructions to mention that macOS users may need… Apr 10, 2019
LICENSE added BSD 3-clause license Mar 22, 2018 resolve merge conflicts Aug 8, 2019 Added test file and note about how to add future tests Apr 15, 2019
acsploit.png fixup images May 2, 2018 Added option to read in a file containing regex patterns Apr 18, 2019 Fixed how terminating strings are found May 1, 2019 modified: Mar 27, 2019
requirements.txt move redos from progressbar2 to tqdm Jul 30, 2019

ACsploit: a tool for generating worst-case inputs for algorithms

ACsploit is an interactive command-line utility to generate worst-case inputs to commonly used algorithms. These worst-case inputs are designed to result in the target program utilizing a large amount of resources (e.g. time or memory).

ACsploit is designed to be easy to contribute to. Future features will include adding arbitrary constraints to inputs, creating an API, and hooking into running programs to feed worst-case input directly to functions of interest.

Join us on the ACsploit Slack here!



Start ACsploit with python3 From there, you can use the help command to see what commands are available. You can call help on any of them to learn more about how to use that command, such as help set.

To see the available exploits, use the show command. To stage one for use, use use [exploit_name]. To see a description of the exploit, run info. At any point, you can run options to see the current input, output, and exploit options, and then use set [option_name] [value] to set an option. To see detailed descriptions of the options, use options describe.

Tab completion is enabled for exploit and option names.

Finally, use run to generate output from the exploit.

ACsploit supports abbreviated commands, bash commands using !, CTRL+R history search, and more.

Command-line Options

--load-file SCRIPT runs the commands in SCRIPT as if they had been entered in an interactive ACsploit session and then exits. # can be used for comments as in Python.

--debug enables debug mode, in which ACsploit prints stack-traces when errors occur.


Documents are generated using pdoc3 and can be found in the docs directory.

Generating Documents

Run pip3 install pdoc3 to install the documentation dependencies and then run python


Caution should be used in generating and accessing ACsploit exploits. Using unreasonable exploit parameters may cause denial of service on generation. Additionally, the canned exploits (e.g. compression bombs) may cause denial of service if accessed by relevant applications.


Tests for ACsploit can be invoked by running python -m pytest test. Alternatively, individual tests can be invoked by running python -m pytest test/path/to/

To run the tests and obtain an HTML coverage report run the following:

<<<<<<< HEAD
python -m pytest --cov=exploits --cov=input --cov=output --cov-report html:cov test/
python -m pytest --cov=. --cov-report html:cov test/
>>>>>>> master

Finally to run the tests in parellel the -n flag can be used followed by the number of tests to run in parallel. On Linux and Mac the following works:

python -m pytest -n`nproc` --cov=. --cov-report html:cov test/

Contributing to ACsploit

We welcome community contributions to all aspects of ACsploit! For guidelines on contributing, please see Contributing

You can’t perform that action at this time.