Difference between revisions of "Regular Expression Security Cheatsheet"
From OWASP
Revision as of 16:40, 9 October 2016
Regular Expression Security Cheatsheet
Introduction
This cheatsheet can be used by security specialists and programmers to reveal unwanted constructions in regular expressions that allow the written rules to be bypassed.
Although the original work focused on finding "weak places" in the regular expressions of intrusion detection systems (WAFs), it can be applied just as effectively to any other code.
Cheatsheet
Here is a link to the GitHub RegEx repository:
https://github.com/attackercan/regexp-security-cheatsheet
SAST
To save security practitioners time, a Static Application Security Testing (SAST) tool was written. You can use the following command to analyze all regular expressions in your project:
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"
SAST can be downloaded from here:
https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser
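The two steps the page describes, pulling regex literals out of source code (the grep command above) and then looking for constructions that let a rule be bypassed (the Introduction), can be combined in a small Python audit script. The following is an added example written for this page; it is not the cheatsheet's own parser, and its sample source, the reg_* call convention, and the five checks (unanchored pattern, case-sensitive literal, dot without the s flag, trailing $, nested quantifier) are this example's own illustrative choices, not a list taken from the repository.

```python
import re

# Constructed sample source (not from the page), in the reg_*("...", ...) call
# style the cheatsheet's grep command searches for.
SAMPLE_SOURCE = r'''
reg_match("^select\s+.*\s+from", $query);
reg_match('(?i)<script', $body);
reg_match("(?s)^/admin/.*$", $path);
reg_replace('(a+)+$', '', $name);
'''

# Extraction modelled on the page's grep pattern: a reg_* call whose first
# argument is a single- or double-quoted string literal.
CALL_RE = re.compile(r'''reg_\w+\s*\(\s*(['"])(.*?)\1\s*,''')

# Leading inline flag groups such as (?i) or (?s).
INLINE_FLAGS = re.compile(r'\(\?([a-zA-Z]+)\)')


def extract_regexes(source: str) -> list[str]:
    """Return the quoted first argument of every reg_* call in source."""
    return [m.group(2) for m in CALL_RE.finditer(source)]


def inspect_regex(pattern: str) -> list[str]:
    """Name the weak constructions found in one pattern.

    The check list is this example's own (an assumption), not the
    cheatsheet's; each item is a way a rule can match less than intended.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"invalid: {exc}"]

    findings = []
    flags = "".join(INLINE_FLAGS.findall(pattern))
    body = INLINE_FLAGS.sub("", pattern)        # pattern without (?flags) groups
    unescaped = re.sub(r"\\.", "", body)        # drop \s, \d, \$ ... before scanning

    # 1. No anchor at either end: the rule matches anywhere in the input.
    starts_anchored = body.startswith(("^", r"\A"))
    ends_anchored = body.endswith(("$", r"\Z", r"\z")) and not body.endswith(r"\$")
    if not starts_anchored and not ends_anchored:
        findings.append("unanchored")

    # 2. Literal letters without the i flag: only one letter case is matched.
    if re.search(r"[A-Za-z]", unescaped) and "i" not in flags:
        findings.append("case-sensitive-literal")

    # 3. Unescaped '.' without the s flag: newline characters are not matched.
    if "." in unescaped and "s" not in flags:
        findings.append("dot-excludes-newline")

    # 4. Trailing '$': in Python (and PCRE) it also matches before a final newline.
    if ends_anchored and body.endswith("$"):
        findings.append("dollar-before-trailing-newline")

    # 5. Quantified group that is itself quantified: catastrophic backtracking risk.
    if re.search(r"\([^()]*[+*]\)[+*{]", body):
        findings.append("nested-quantifier-redos")

    return findings


def audit_source(source: str) -> dict[str, list[str]]:
    """Map every extracted pattern to its findings."""
    return {p: inspect_regex(p) for p in extract_regexes(source)}


if __name__ == "__main__":
    for pattern, findings in audit_source(SAMPLE_SOURCE).items():
        print(f"{pattern!r}: {', '.join(findings) or 'no findings'}")
```

Run it as a script to see the findings for the constructed sample, or call audit_source on the contents of the regexp.txt file produced by the grep command. The checks are deliberately conservative heuristics: an unanchored or case-sensitive pattern may be exactly what the author meant, so each finding is a prompt to confirm the intent, not a verdict.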
Authors and Primary Editors
Vladimir Ivanov
@httpsonly