
Questions tagged [regex]

Security concerns around regular expressions: using them as security-critical filters, processing user-supplied regexes, vulnerabilities in regex parsers, etc.

0 votes
1 answer
123 views

Complex Regex Pattern as Authentication Key

System Overview: You have three components under your control: A relay server (public-facing, CDN-proxied). A web server that dynamically generates frontend code (HTML/JS). A frontend that embeds ...
Muhammad Ikhwan Perwira
8 votes
1 answer
2k views

Why should one use globs over regex when doing filename pattern matching?

I see that some tools that have to match filenames only support regex and not globs. Would these tools using globs improve their security? Is there a security aspect to using globs over regex when ...
reegnz (181)
1 vote
1 answer
177 views

ReDOS - Vulnerability found, but DOS not possible

I have an API which is protected by AWS Cloudfront. I found a ReDoS in one of my API endpoints. The endpoint looks like this: https://mywebsite.com/api/myendpoint?apikey=xxxx&namefilter=yyyy The ...
deadlyrabbit
1 vote
0 answers
129 views

Is it possible to bypass an HTML <> regex? [closed]

I need to bypass a regex filter that filters everything between <>. I tried almost everything, so this is my last chance. The regex looks like this: result.replace(/<[^>]*>?/gm, ''); I need to ...
Johny77 (11)
0 votes
4 answers
684 views

How to bypass regex block of request?

I was asked the following question at a job interview recently: You need to reach a web server at the IP address 20.21.22.23 via browser using HTTP. Browser checks the IP address and blocks requests ...
S_I (1)
0 votes
0 answers
267 views

Stopping a Subscription Bomb

Are there any methods for stopping a subscription bomb other than issuing a new email address? Creating gmail filters is only getting us so far as there are more emails coming in than we can keep up ...
dzzl (21)
2 votes
2 answers
7k views

How do I bypass a regex filter that filters all HTML to avoid XSS?

How do I bypass a regex filter that filters all HTML to avoid XSS? I've tried using things like &lt;img src="aa" onerror="alert(1)"&gt; but still no luck. This is for a CTF ...
ctfhard (21)
0 votes
2 answers
2k views

Is it possible to exploit preg_match similar to preg_replace PHP? [closed]

I'm currently working on a website and want to prevent characters from being input. I am using the following code: if (!preg_match("/^[a-zA-Z0-9_!,()& -\/]*$/" Is it possible to exploit this ...
Anon (1)
1 vote
3 answers
973 views

Mailcleaner - Fail2ban - mc-exim-filter configuration

I'm using Fail2ban on a Mailcleaner server, which works pretty well, but I want to update it to ban hosts that try to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't ...
Krisztian
3 votes
1 answer
1k views

Email pattern ReDoS

I would like to verify that the input from the user complies with the format of an email address (in a Java application). On the following page there is a verbose regex that should properly validate the email ...
RenatoIvancic
0 votes
3 answers
4k views

Source of RegEx examples of Secret Detection patterns in repositories? [closed]

Where can I find RegEx that can pattern match common secret strings? I have a product that scans repos and commits and in case a developer tries to commit a secret (i.e. passwords, keys). It scans for ...
QuantenGhost
1 vote
1 answer
1k views

Possible to bypass this regex for XSS?

When testing for XSS, is it at all possible to bypass the below regex? I doubt it because it only accepts uppercase and lowercase letters, but maybe? /^[A-Za-z]+$/
Jordan Baron
0 votes
0 answers
129 views

Is it safe to pass user input through rails gsub?

Are there risks associated with using gsub on user input? Can it be used for regular expression DoS?
Tim Abell (101)
1 vote
0 answers
310 views

Regex DoS: Is OWASP's characterization of "evil regexes" complete?

OWASP defines "evil regex" (here) as follows: Evil Regexes A regex is called "evil" if it can get stuck on crafted input. An evil regex pattern contains: Grouping with repetition ...
Shuzheng (1,317)
0 votes
1 answer
492 views

What is the following regex trying to protect against?

I am looking at a Java web application that compares all incoming request params and cookies against the following regex. If it matches, it is considered "an attack" and refuses the request. I'm ...
secondbreakfast
