Regular Expression Security Cheatsheet
Introduction
Security specialists and programmers can use this cheatsheet to find unwanted constructions in their regular expressions that allow their rules to be bypassed.
Although the original work focused on finding "weak places" in the regular expressions of Intrusion Detection Systems (WAFs), it can be applied effectively to any other code.
Cheatsheet
Because OWASP's MediaWiki styling could not compete with Markdown, I decided not to include the full table here and to provide a link to the GitHub repository instead:
https://github.com/attackercan/regexp-security-cheatsheet
SAST
To save time for security practitioners, a Static Application Security Testing (SAST) tool was written. You can use the following command to analyse all regular expressions in your PHP project:
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"
SAST can be downloaded from here:
https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser
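To show the kind of static check such an analysis performs, here is an added example; it is not code from the original page and not the RegexpSecurityParser. It narrows the grep above to preg_* calls and flags three documented PCRE modifier behaviours chosen for illustration (they are an assumption, not a reproduction of the cheatsheet's table); all function names and the sample input are hypothetical.

```python
import re

# Narrowed form of the page's grep: first string argument of preg_* calls.
CALL = re.compile(r"""preg_\w+\s*\(\s*(['"])(.*?)\1\s*,""")
PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}  # bracket-style delimiters

def split_pcre(literal):
    """Split a PHP PCRE literal such as '/^a$/i' into (body, modifiers)."""
    if not literal:
        return "", ""
    close = PAIRS.get(literal[0], literal[0])
    end = literal.rfind(close)
    return literal[1:end], literal[end + 1:]

def bare_metachars(body):
    """Return which of . ^ $ occur unescaped and outside [...] classes."""
    stripped = re.sub(r"\\.|\[\^?\]?(?:\\.|[^\]])*\]", "", body, flags=re.S)
    return set(stripped) & set(".^$")

def audit(php_source):
    """Return [(pattern_literal, [finding, ...]), ...] for each preg_* call."""
    report = []
    for m in CALL.finditer(php_source):
        body, mods = split_pcre(m.group(2))
        meta, notes = bare_metachars(body), []
        if "$" in meta and "D" not in mods and "m" not in mods:
            notes.append("$ without D: also matches before a trailing newline")
        if "m" in mods and meta & {"^", "$"}:
            notes.append("m modifier: ^ and $ anchor each line, not the input")
        if "." in meta and "s" not in mods:
            notes.append(". without s: does not match a newline")
        report.append((m.group(2), notes))
    return report

# Constructed sample input, not taken from any real project.
SAMPLE = r"""<?php
if (preg_match('/^[a-z0-9]+$/', $user)) { ok(); }
if (preg_match('/^\d+$/m', $id)) { ok(); }
if (preg_match('/<script.*>/i', $body)) { block(); }
if (preg_match('/\A[a-z0-9]+\z/', $user)) { ok(); }
"""

if __name__ == "__main__":
    for literal, notes in audit(SAMPLE):
        print(literal, "->", notes or "no findings")
```

A finding is a prompt for review, not a verdict: whether a flagged construction matters depends on whether the pattern is used to validate input or to block it.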
(c) Vladimir Ivanov @httpsonly
Authors and Primary Editors
Vladimir Ivanov
@httpsonly