Questions tagged [regex]

Security concerns around regular expressions: using them as security-critical filters, processing user-supplied regexes, vulnerabilities in regex parsers, etc.

Regular expressions are a common tool for pattern matching over text data. They are very flexible and powerful, giving rise to a wide range of applications, but they also have the potential to introduce vulnerabilities into your application through sloppy use of regexes.

22 questions

Is it safe to let a user type a regex as a search input?

I was in a mall a few days ago and I searched for a shop on an indication panel. Out of curiosity, I tried a search with (.+) and was a bit surprised to get the list of all the shops in the mall. I've read a bit about evil regexes but it seems that…
Xavier59

Is it possible to detect 100% of SQLi with a simple regex?

I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex. In other words, using very simple PHP code as an example: if (preg_match("/select/i", $input)) { attack_log("Possible SELECT SQLi…
reed

Email pattern ReDoS

I would like to verify that the input from the user complies with the format of an email address (in a Java application). On the following page there is a verbose regex that should properly validate the email http://emailregex.com/ (RFC 5322 Official…

How do I bypass a regex filter that filters all HTML to avoid XSS?

How do I bypass a regex filter that filters all HTML to avoid XSS? I've tried using things like <img src="aa" onerror="alert(1)"> but still no luck. This is for a CTF challenge btw. The regex is: <[\s\S]*> and the validator is running on a…
ctfhard

Can a Regex without characters [(+*{}? be dangerous?

I want to create some functionality for non-dangerous regexes. I want to accept only very few regex cases where it is safe to assume that they are not malicious (but still giving the user some flexibility). Is this possible avoiding the [(+*{}?…

Brute force hex password with exactly two special characters using JohnTheRipper

I want to optimize the way I'm using John the Ripper. I have a password with a known length (9) that consists only of (lower-case) hex characters and exactly two special characters. First I tried using the --increment=ASCII option combined with a…
Norbert

Mailcleaner - Fail2ban - mc-exim-filter configuration

I'm using Fail2ban on a Mailcleaner server, which works pretty well, but I want to update it to ban hosts who want to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't really understand how regular expressions work. Here is an…
Krisztian

Possible to bypass this regex for XSS?

When testing for XSS, is it at all possible to bypass the below regex? I doubt it because it only accepts uppercase and lowercase letters, but maybe? /^[A-Za-z]+$/

Regex DoS: Is OWASP's characterization of "evil regexes" complete?

OWASP defines "evil regex" (here) as follows: Evil Regexes A Regex is called "evil" if it can stuck on crafted input. Evil Regex pattern contains: Grouping with repetition Inside the repeated group: …
Shuzheng

OAuth access token/API key patterns for large web sites

First off, let me preface this post by saying I'm not a security expert. I'm trying to build regular expressions to find OAuth 2.0 access tokens and API Keys for common web sites such as Google, Twitter, Facebook, Slack etc. that may have been…

Is this regular expression vulnerable to DoS?

FindBugs flagged the following email address validation regex as vulnerable to DoS: ^[\w!#$%&'*+/=?`{|}~^-]+(?:\.[\w!#$%&'*+/=?`{|}~^-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ Here's an easier-to-read version that substitutes CHARS for…
Duncan Jones

Alternative forms for special characters in terminal

I was solving a problem on a popular hacking-for-fun website when I got the following idea: is it possible to represent, for example, a '/' (just the slash) in the terminal (Linux) in another way, for example hexadecimal: cd /etc/ as cd %2F…
OcK

Bypass XSS filter in data- attribute

My web application allows users to make custom divs with whitelisted attributes. One of them is data-{user-input}. Recently I have seen the following XSS payload: [[div data-test/onmouseover=alert(1)]] So I added the following code: for attr…

Stopping a Subscription Bomb

Are there any methods for stopping a subscription bomb other than issuing a new email address? Creating Gmail filters is only getting us so far, as there are more emails coming in than we can keep up with. It feels like a losing battle. Is there a…
dzzl

Is it possible to exploit preg_match similar to preg_replace PHP?

I'm currently working on a website and want to prevent characters being inputted. I am using the following code: if (!preg_match("/^[a-zA-Z0-9_!,()& -\/]*$/" Is it possible to exploit this, and if so, how? I would like to know ways to prevent it too…
Anon