Regexp Security Cheatsheet

This research looked for weak spots in the regular expressions used by Web Application Firewalls (WAFs).
The repository contains a SAST tool that can help you find security weaknesses in the custom regular expressions of your own projects.
Contributions are highly welcome.

High severity issues:

| # | Requirement | Vulnerable regex example | Bypass example |
|---|---|---|---|
| 1 | Regexp should avoid using `^` (alternative: `\A`) and `$` (alternative: `\Z`), which are metacharacters for the start and end of a string. The regex can be bypassed by inserting any symbol before or after the expected input. | `(^a\|a$)` | `%20a%20` |
| 2 | Regexp should be case-insensitive (`(?i:` or `/regex/i`); otherwise the regex can be bypassed by changing the case of letters in words. ModSecurity transformation commands (which are applied to the string before the regex pattern is matched) can also be included in tests to cover more regexps. | `http` | `hTtP` |
| 3 | If the `/m` modifier is not (globally) specified, the regexp should avoid using the dot `.` symbol, which matches every symbol except newline (`\n`); the regex can then be bypassed by newline injection. | `a.*b` | `a%0Ab` |
| 4 | Regexp should not be vulnerable to ReDoS (see the OWASP ReDoS article): 1. find various evil patterns; 2. generate an evil string using e.g. “SDL Regex Fuzzer”. | `(a+)+` | `aaaaaaaaaaaaaaaaaaaa!` |
| 5 | The number of repetitions of a set or group (`{}`) should be chosen carefully, as such a limit can be bypassed by going below or above the specified numbers. | `a{1,5}` | `aaaaaa` (6 times) |
| 6 | Nonstandard ranges (almost everything except `a-z`, `0-9`, `a-f`, etc.). | `[A-z]` = `[a-zA-Z]` + `` [\]^_` `` | `` aaa[\]^_`aaa `` |
| 7 | Regexp should only use the plus `+` metacharacter where it is necessary, as it means “one or more”; the star `*` metacharacter, which means “zero or more”, is generally preferred. | `a'\s+\d` | `a'5` |
| 8 | Usage of newline wildcards should be reasonable: `\r\n` can often be bypassed by substitution, or by using a newline alternative such as `\v`, `\f` and others. The wildcard `\b` has different meanings in square brackets (“backspace”) and in a plain regex (“word boundary”) (RegexLib). | `a[^\n]*$` | `a\n? a\r?` |
| 9 | Regexp should be applied to the right scope of inputs: cookie names and values, argument names and values, header names and values, file argument names and content. ModSecurity: `grep -oP 'SecRule(.*?)"' -n`; other WAFs: manual observation. | Argument values | Cookie names and values |
| 10 | Regular expression writers should be careful when using only the whitespace character (`%20`) as a separator. The rule can be bypassed e.g. with a newline character, tabulation, by skipping the whitespace, or with alternatives. | `a\s(not[whitespace]\|and)\sb` | `a not b` |
| 11 | Nonstandard combinations of operators. | `a\|\|b` | `any_string` |
| 12 | Special cases: whitespace before operators. | `(a \|b)c` | `ac` |
| 13 | Usage of wrong syntax in POSIX character classes. | `a[digit]b` | `aab` |
| 14 | Opposite usage of brackets `[]`, `()` and `{}`. | `[SYSTEM\|PUBLIC]` or `(a-z123)` | `SYSTEM` or `abcdef` |
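
The requirements in the table above can be turned into a small static linter, which is the idea behind the repository's SAST tool. The Python below is an added example written for this page, not the repository's own code: the function names `lint_pattern` and `check_cases`, the finding ids and the hardened variants are choices made here. The checks are text heuristics on the pattern source, and the harness runs each vulnerable pattern and a hardened variant against the bypass input from the table (after URL decoding, so `%20a%20` becomes ` a ` and `a%0Ab` becomes `a\nb`). Python's `re` stands in for the WAF engine, so the switch that makes the dot match a newline is `re.DOTALL`, written `(?s)` inline.

```python
import re

# Added example (not the repository's SAST tool): a heuristic linter for
# WAF-style rule regexes covering the high-severity table, plus a harness
# that shows each page bypass string against the vulnerable pattern and a
# hardened variant chosen here.

def lint_pattern(pattern: str, flags: int = 0) -> list:
    """Return finding ids for weak constructs in one rule regex.

    The checks are text-based heuristics on the pattern source, not a full
    regex parser, so treat the output as review hints."""
    findings = []
    # Row 1: ^ / $ anchors (an escaped \^ or a negated class [^...] does not count).
    if re.search(r"(?<!\\)(?<!\[)\^", pattern) or re.search(r"(?<!\\)\$", pattern):
        findings.append("anchors")
    # Row 2: letters present but neither the IGNORECASE flag nor an inline (?i).
    if re.search(r"[A-Za-z]", pattern) and not (flags & re.IGNORECASE) and "(?i" not in pattern:
        findings.append("case-sensitive")
    # Row 3: unescaped dot while dot does not match newline.
    if re.search(r"(?<!\\)\.", pattern) and not (flags & re.DOTALL) and "(?s" not in pattern:
        findings.append("dot-newline")
    # Row 4: a quantified group whose body ends in a quantifier, e.g. (a+)+ (ReDoS candidate).
    if re.search(r"\([^()]*[+*]\)[+*]", pattern):
        findings.append("nested-quantifier")
    # Row 5: bounded repetition {m,n}, which can be over- or undershot.
    if re.search(r"(?<!\\)\{\d+,\d+\}", pattern):
        findings.append("bounded-repeat")
    # Row 6: the A-z range, which also admits [ \ ] ^ _ and backtick.
    if re.search(r"\[[^\]]*A-z", pattern):
        findings.append("nonstandard-range")
    # Rows 7 and 10: mandatory whitespace (\s+) that input may simply omit.
    if re.search(r"\\s\+", pattern):
        findings.append("mandatory-whitespace")
    return findings

def matches(pattern: str, text: str, flags: int = 0) -> bool:
    """True if PATTERN is found anywhere in TEXT (unanchored search, as a WAF rule would)."""
    return re.search(pattern, text, flags) is not None

# Constructed cases: (row, vulnerable pattern from the page, hardened variant, bypass input).
# The hardened variants are this example's suggestions, not the cheatsheet's.
CASES = [
    ("1", r"(^a|a$)", r"a",        " a "),    # %20a%20 after URL decoding
    ("2", r"http",    r"(?i)http", "hTtP"),
    ("3", r"a.*b",    r"(?s)a.*b", "a\nb"),   # a%0Ab after URL decoding
    ("7", r"a'\s+\d", r"a'\s*\d",  "a'5"),
]

def check_cases(cases=CASES) -> dict:
    """Map row -> (vulnerable pattern hit?, hardened pattern hit?) for its bypass input."""
    return {row: (matches(v, s), matches(h, s)) for row, v, h, s in cases}

if __name__ == "__main__":
    for row, v, h, s in CASES:
        print(f"row {row}: {v!r} lint={lint_pattern(v)} hit={matches(v, s)}; "
              f"hardened {h!r} hit={matches(h, s)}")
    print("(a+)+  ->", lint_pattern(r"(a+)+"))
    print("a{1,5} ->", lint_pattern(r"a{1,5}"))
    print("[A-z]  ->", lint_pattern(r"[A-z]"))
```

For every case the vulnerable pattern misses the bypass input and the hardened one catches it. The `nested-quantifier` check only flags a candidate; whether `(a+)+` actually blows up depends on what follows it (a required character that fails to match, as in the table's trailing `!`), so candidates still need the fuzzing step from row 4.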

Medium severity issues (unexpected behaviour: manual observation needed):

| # | Requirement | Vulnerable regex example | Bypass example |
|---|---|---|---|
| 15 | Check backreferences (backlinks), and bear in mind that `\11` can be a backreference OR `0x09` (tab). | `(\d{1})=\1` | `1!=2` |
| 16 | Unsafe usage of comments. | `a(?#some comment about wildcards:\)(\w*)b` | `afffb` |
| 17 | Excessive usage of metacharacters in `[]`. | `[\w+]` | |
| 18 | Rarely used wildcards: all wildcards except the popular ones (`A`, `Z`, `b`, `r`, `n`, `t`, `w`/`W`, `s`/`S`, `d`/`D`, `u`, `x`). | `\a` = 0x07; `\e` = 0x1B; `\R` = `\r\|\n\|\r\n`; `\xXX` = 0xXX; `\ddd` = 0oddd; `\cX`, `\x{XXXX}`, `\H`, `\V`, `\G` | |
| 19 | Excessive escaping, e.g. escaping a symbol which is not a wildcard. | `\q` | |
| 20 | Unsafe usage of recursion, IF statements, etc. | `(?R`, `(?(id)true\|false)`, ... | |
| 21 | Unsafe usage of ranges. | `[\0-9]` = `\0\1\2\3...$%&'...789` | |
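
Several rows in both tables (6, 13, 14, 17 and 21, and the escaping issue in 19) come down to a character class admitting more, or different, characters than its author intended. One way to review that is to enumerate the members of the class against every code point. The following is an added example, not code from the repository: `class_members`, `unexpected_members` and `compile_error` are names chosen here, and Python's `re` with `re.ASCII` stands in for the WAF engine, so escape handling (such as `\q`) may differ in PCRE or another engine.

```python
import re

# Added example (not the repository's code): enumerate what a character class
# really matches, so unexpected members of a range or a mis-written POSIX
# class become visible during rule review.

# Constructed alphabet: every code point 0..255, so control characters and
# punctuation hidden inside a range show up.
ALPHABET = [chr(i) for i in range(256)]

LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"

def class_members(pattern: str) -> set:
    """Set of single characters fully matched by PATTERN.

    PATTERN is expected to describe one character (a class or an escape);
    re.ASCII keeps \\w and \\d to their ASCII meaning, as in most WAF engines."""
    rx = re.compile(pattern, re.ASCII)
    return {c for c in ALPHABET if rx.fullmatch(c)}

def unexpected_members(pattern: str, intended: str) -> str:
    """Characters PATTERN admits that are not in INTENDED, as a sorted string."""
    return "".join(sorted(class_members(pattern) - set(intended)))

def compile_error(pattern: str):
    """Return the engine's error message for PATTERN, or None if it compiles.

    Row 19: Python's re rejects an escaped non-metacharacter such as \\q,
    while some other engines silently treat it as the literal letter."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("[A-z] also admits:", repr(unexpected_members(r"[A-z]", LETTERS)))          # row 6
    print("[digit] matches:", sorted(class_members(r"[digit]")), "(not digits)")      # row 13
    print("[SYSTEM|PUBLIC] matches:", sorted(class_members(r"[SYSTEM|PUBLIC]")))       # row 14
    print("[\\w+] also admits:", repr(unexpected_members(r"[\w+]", LETTERS + DIGITS + "_")))  # row 17
    print("\\q compiles?", compile_error(r"\q"))                                        # row 19
    extra = unexpected_members(r"[\0-9]", DIGITS)                                       # row 21
    print("[\\0-9] admits", len(class_members(r"[\0-9]")), "characters; non-digits include", repr(extra[32:48]))
```

Running the block shows `[A-z]` admitting the six characters between `Z` and `a`, `[digit]` matching only the letters d, i, g and t, `[SYSTEM|PUBLIC]` matching twelve single characters including `|`, and `[\0-9]` covering all 48 control and punctuation characters below `0`, which is the row 21 expansion made concrete.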

Experimental rules (probably to be removed):

| # | Requirement | Vulnerable regex example | Bypass example |
|---|---|---|---|
| X | The greediness of regular expressions should be considered; the topic is covered well in Chapter 9 of Jan Goyvaerts’ tutorial. While greediness itself does not create bypasses, a bad implementation of regexp greediness can raise the false-positive rate. This can cause excessive log-file flooding, forcing the vulnerable rule, or even the whole WAF, to be switched off. | | |
| X | Best practice from the slides of Ivan Novikov: ModSecurity should avoid using the `t:base64Decode` transformation (use `t:base64DecodeExt` instead). | `t:base64Decode` | `detected=bypassed` |

Vladimir Ivanov @httpsonly
