This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Regular Expression Security Cheatsheet

From OWASP
Revision as of 16:40, 9 October 2016 by Jmanico (talk | contribs)

Jump to: navigation, search

Regular Expression Security Cheatsheet

Introduction

This cheatsheet can be effectively used by security specialists and programmers to reveal unwanted constructions in regular expressions, which can cause bypass of written rules.
Despite original work was focused on finding "weak places" in regular expressions of Intrusion Detection Systems (WAFs), it can be effectively applied to any other code.

Cheatsheet

Here is a link to GitHub RegEx repository:

https://github.com/attackercan/regexp-security-cheatsheet



SAST

In order to save time for security practitioners, Static Application Security Testing tool was written. You can use the following code to analyze all regular expressions from your project:
grep -iorP "reg_\w+\s*\((\s*['\"](.*?)['\"])," * > regexp.txt && php index.php --file="./regexp.txt"

SAST can be downloaded from here:

https://github.com/attackercan/regexp-security-cheatsheet/tree/master/RegexpSecurityParser



Authors and Primary Editors

Vladimir Ivanov
@httpsonly