Questions tagged [regex]
Security concerns around regular expressions: using them as security-critical filters, processing user-supplied regexes, vulnerabilities in regex parsers, etc.
26 questions
0 votes, 1 answer, 96 views
Complex Regex Pattern as Authentication Key
System Overview: You have three components under your control: A relay server (public-facing, CDN-proxied). A web server that dynamically generates frontend code (HTML/JS). A frontend that embeds ...
8 votes, 1 answer, 2k views
Why should one use globs over regex when doing filename pattern matching?
I see that some tools that have to match filenames only support regex and not globs. Would these tools using globs improve their security? Is there a security aspect to using globs over regex when ...
1 vote, 1 answer, 119 views
ReDOS - Vulnerability found, but DOS not possible
I have an API which is protected by AWS Cloudfront. I found a ReDos in one of my API Endpoints. The endpoint looks like this: https://mywebsite.com/api/myendpoint?apikey=xxxx&namefilter=yyyy The ...
1 vote, 0 answers, 89 views
Is it possible to bypass an HTML <> regex? [closed]
I need to bypass a regex filter that filters everything between <>. I tried almost everything, so this is my last chance. The regex looks like this: result.replace(/<[^>]*>?/gm, ''); I need to ...
0 votes, 4 answers, 495 views
How to bypass regex block of request?
I was asked the following question at a job interview recently: You need to reach a web server at the IP address 20.21.22.23 via browser using HTTP. Browser checks the IP address and blocks requests ...
0 votes, 0 answers, 250 views
Stopping a Subscription Bomb
Are there any methods for stopping a subscription bomb other than issuing a new email address? Creating gmail filters is only getting us so far as there are more emails coming in than we can keep up ...
2 votes, 2 answers, 6k views
How do I bypass a regex filter that filters all html to avoid xss?
How do I bypass a regex filter that filters all html to avoid xss? I've tried using things like <img src="aa" onerror="alert(1)"> but still no luck. This is for a CTF ...
0 votes, 2 answers, 2k views
Is it possible to exploit preg_match similar to preg_replace PHP? [closed]
I'm currently working on a website and want to prevent characters being inputted. I am using the following code: if (!preg_match("/^[a-zA-Z0-9_!,()& -\/]*$/" Is it possible to exploit this ...
1 vote, 3 answers, 926 views
Mailcleaner - Fail2ban - mc-exim-filter configuration
I'm using Fail2ban on a Mailcleaner server, which works pretty well, but I want to update it to ban hosts that want to spoof our addresses. I'm using the "original" mc-exim-filter, but I don't ...
3 votes, 1 answer, 998 views
Email pattern ReDoS
I would like to verify that the input from the user complies with the format of an email address (in a Java application). On the following page there is a verbose regex that should properly validate the email ...
0 votes, 1 answer, 3k views
Source of RegEx examples of Secret Detection patterns in repositories?
Where can I find RegEx that can pattern match common secret strings? I have a product that scans repos and commits and in case a developer tries to commit a secret (i.e. passwords, keys). It scans for ...
1 vote, 1 answer, 1k views
Possible to bypass this regex for XSS?
When testing for XSS, is it at all possible to bypass the below regex? I doubt it because it only accepts uppercase and lowercase letters, but maybe? /^[A-Za-z]+$/
0 votes, 0 answers, 112 views
Is it safe to pass user input through rails gsub?
Are there risks associated with using gsub on user input? Can it be used for regular expression DoS?
1 vote, 0 answers, 282 views
Regex DoS: Is OWASP's characterization of "evil regexes" complete?
OWASP defines "evil regex" (here) as follows: Evil Regexes A Regex is called "evil" if it can get stuck on crafted input. An Evil Regex pattern contains: Grouping with repetition ...
0 votes, 1 answer, 466 views
What is the following regex trying to protect against?
I am looking at a Java web application that compares all incoming request params and cookies against the following regex. If it matches, it is considered "an attack" and refuses the request. I'm ...