Broken link: extra semicolon. Correct one is
This kind of malfunction was described (though not in terms of “attack”) in the book Mastering Regular Expressions published by O'Reilly in the 1997. The defense is thirty years older than that: converting the NFA to a DFA using Thompson’s algorithm (yes, that Thompson), though this would mean constraining the regular expression to be truly regular (per Chomsky’s hierarchy), so backlinks (\1) and some other “extended regexp” features are out. Shame on OWASP for not mentioning it, actually.