This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Regular Expression Security Cheatsheet"

From OWASP
Jump to: navigation, search
(Introduction)
m (Project cleanup)
 
(4 intermediate revisions by one other user not shown)
Line 3: Line 3:
 
== Introduction ==
 
== Introduction ==
  
This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in regular expressions, which can cause bypass of written rules.<br>
+
This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in regular expressions. This can cause bypass of intended validation rules.<br>
Despite original work was focused on finding "weak places" in regular expressions of Intrusion Detection Systems (WAFs), it can be effectively applied to any other code.
 
<br>
 
 
<br>
 
<br>
  
 
== Cheatsheet ==  
 
== Cheatsheet ==  
  
Due to the fact, that OWASP's MediaWiki styling could not compete to Markdown, I decided not to include full table here, but provide a link to GitHub repository instead:
+
Here is a link to the GitHub RegEx repository:
 
=== [https://github.com/attackercan/regexp-security-cheatsheet https://github.com/attackercan/regexp-security-cheatsheet] ===
 
=== [https://github.com/attackercan/regexp-security-cheatsheet https://github.com/attackercan/regexp-security-cheatsheet] ===
 
<br><br>
 
<br><br>
Line 16: Line 14:
 
== SAST ==
 
== SAST ==
  
In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to analyse all regular expressions from your PHP project:<br>
+
In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to analyze all regular expressions from your project:<br>
 
<code>
 
<code>
 
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"
 
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"
Line 29: Line 27:
 
Vladimir Ivanov<br>
 
Vladimir Ivanov<br>
 
[http://twitter.com/httpsonly @httpsonly]
 
[http://twitter.com/httpsonly @httpsonly]
 +
 +
{{taggedDocument| type=delete| comment=Tagged via fixme/delete.}}

Latest revision as of 14:51, 15 July 2019

Regular Expression Security Cheatsheet

Introduction

This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in regular expressions. This can cause bypass of intended validation rules.

Cheatsheet

Here is a link to the GitHub RegEx repository:

https://github.com/attackercan/regexp-security-cheatsheet



SAST

In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to analyze all regular expressions from your project:
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"

SAST can be downloaded from here:

https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser



Authors and Primary Editors

Vladimir Ivanov
@httpsonly


This page has been recommended for deletion.
You can help OWASP by improving it or discussing it on its Talk page. See FixME
Comment: Tagged via fixme/delete.