Difference between revisions of "Regular Expression Security Cheatsheet"
(→Authors and Primary Editors) | m (Project cleanup)
(12 intermediate revisions by 2 users not shown)
Line 3: | Line 3: | ||
== Introduction == | == Introduction == | ||
− | This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in | + | This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in regular expressions. This can cause bypass of intended validation rules.<br> |
− | + | <br> | |
== Cheatsheet == | == Cheatsheet == | ||
− | + | Here is a link to the GitHub RegEx repository: | |
=== [https://github.com/attackercan/regexp-security-cheatsheet https://github.com/attackercan/regexp-security-cheatsheet] === | === [https://github.com/attackercan/regexp-security-cheatsheet https://github.com/attackercan/regexp-security-cheatsheet] === | ||
− | + | <br><br> | |
== SAST == | == SAST == | ||
− | In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to | + | In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to analyze all regular expressions from your project:<br> |
<code> | <code> | ||
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt" | grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt" | ||
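Review bot: the added grep extracts only what `reg_\w+\s*\((\s*['\"](.*?)['\"]),` can see on one line: `reg_\w+` has no word boundary, so it matches any identifier containing `reg_` (such as `preg_match` or `preg_replace`), and it captures only a quoted first argument followed by a comma, so patterns assembled from variables, constants or concatenation, or spread over several lines, are silently skipped. Qualify the new sentence accordingly, e.g. "to analyze all single-line, literal regular expressions from your project", and add the missing article in "a Static Application Security Testing tool was written".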
Line 21: | Line 21: | ||
SAST can be downloaded from here: | SAST can be downloaded from here: | ||
=== [https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser] === | === [https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser] === | ||
− | + | <br><br> | |
− | |||
− | |||
=Authors and Primary Editors= | =Authors and Primary Editors= | ||
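Review bot: "SAST can be downloaded from here" uses the generic acronym as if it were the tool's name; the linked path identifies it as RegexpSecurityParser, so name it ("The RegexpSecurityParser SAST tool can be downloaded from here:") so readers know what to look for in the repository.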
Line 30: | Line 28: | ||
[http://twitter.com/httpsonly @httpsonly] | [http://twitter.com/httpsonly @httpsonly] | ||
− | == | + | {{taggedDocument| type=delete| comment=Tagged via fixme/delete.}} |
− | |||
− | |||
− |
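Review bot: the `{{taggedDocument| type=delete| comment=Tagged via fixme/delete.}}` tag replaces the empty `==` heading stub, but its comment only restates that the tag was applied; state why the page is to be deleted and where its content now lives, so the next editor can confirm the decision.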
Latest revision as of 14:51, 15 July 2019
Regular Expression Security Cheatsheet
Introduction
This cheatsheet helps security specialists and programmers reveal unwanted constructions in regular expressions, constructions that can let intended validation rules be bypassed.
Cheatsheet
Here is a link to the GitHub RegEx repository:
https://github.com/attackercan/regexp-security-cheatsheet
SAST
To save time for security practitioners, a Static Application Security Testing (SAST) tool was written. You can use the following command to analyze all regular expressions from your project:
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"
The SAST tool (RegexpSecurityParser) can be downloaded from here:
https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser
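The two steps above, extracting regex literals from source and checking them for constructions that let input slip past validation, as an added Python example that is not the page's own code nor part of RegexpSecurityParser. It reuses the grep's `reg_\w+(...)` extraction idea, assumes PCRE-style `/.../` delimiters, and goes beyond the page's text by checking one class of unwanted construction, anchoring, over a constructed sample.

```python
import re

# Mirrors the extraction step of the page's grep command: a call whose name
# contains "reg_", followed by a quoted string literal holding the regex.
CALL_RE = re.compile(r"""reg_\w+\s*\(\s*['"](.*?)['"]""")

# Constructed sample source (PHP-style, not taken from any real project).
SAMPLE_SOURCE = r"""
if (preg_match('/^[a-z]+$/', $user)) { ok(); }
if (preg_match("/\A[0-9]{4}\z/", $pin)) { ok(); }
if (preg_match('/[a-z]+/', $name)) { ok(); }
"""

def extract_patterns(source):
    """Return the regex literals in source, with PCRE-style /.../ delimiters removed."""
    patterns = []
    for literal in CALL_RE.findall(source):
        if len(literal) >= 2 and literal[0] == "/" and literal[-1] == "/":
            literal = literal[1:-1]
        patterns.append(literal)
    return patterns

def check_anchors(pattern):
    """Flag anchoring mistakes (PCRE semantics) that let input slip past a validation regex."""
    findings = []
    if not (pattern.startswith("^") or pattern.startswith(r"\A")):
        findings.append("no start anchor: the match may begin in the middle of the input")
    if pattern.endswith(r"\z"):
        pass  # \z is the absolute end of the subject: nothing can follow the match
    elif pattern.endswith("$") or pattern.endswith(r"\Z"):
        findings.append("end anchor also matches before a trailing newline: use \\z")
    else:
        findings.append("no end anchor: the match may end before the end of the input")
    return findings

def analyze(source):
    """Map each extracted pattern to its findings; an empty list means nothing was flagged."""
    return {p: check_anchors(p) for p in extract_patterns(source)}

def validates(pattern, value, strict=False):
    """Does the input pass the check? strict=False is a preg_match-style search; strict=True
    applies re.fullmatch to an un-anchored body, which is the fix for the '$' problem.
    Python's re shares PCRE's rule that '$' also matches just before a final newline,
    so "abc" plus a newline passes ^[a-z]+$ although a newline is not a lowercase letter."""
    if strict:
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None
```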
Authors and Primary Editors
Vladimir Ivanov
@httpsonly