Home

Awesome

Regexp Security Cheatsheet


Sponsored by ScanFactory - platform that monitors external attack surface using 16 most trusted security scanners


Research was done to find "weak places" in regular expressions of Web Application Firewalls (WAFs).
Repository contains SAST, which can help you to find security vulnerabilities in custom regular expressions in own projects.
Contribution is highly welcomed.
This repo was first presented during BlackHat USA 2016 talk - PDF

High severity issues:

#RequirementVulnerable regex exampleBypass example
1Regexp should avoid using ^ (alternative: \A) and $ (alternative: \Z) symbols, which are metacharacters for start and end of a string. It is possible to bypass regex by inserting any symbol in front or after regexp.(^a|a$)%20a%20
2Regexp should be case-insensitive: (?i: or /regex/i. It is possible to bypass regex using upper or lower cases in words. Modsecurity transformation commands (which are applied on string before regex pattern is applied) can also be included in tests to cover more regexps.httphTtP
3In case modifier /m is not (globally) specified, regexp should avoid using dot . symbol, which means every symbol except newline (\n). It is possible to bypass regex using newline injection.a.*ba%0Ab
4Regexp should not be vulnerable to ReDoS. OWASP ReDoS article 1. Find various evil patterns. 2. Generate evil string using e.g. “SDL Regex Fuzzer”(a+)+aaaaaaaaaaaaaaaaaaaa!
5Number of repetitions of set or group {} should be carefully used, as one can bypass such limitation by lowering or increasing specified numbers.a{1,5}aaaaaa (6 times)
6Nonstandard ranges (almost everything except a-z, 0-9, a-f, etc)[A-z] = [a-zA-Z] + [\]^_` aaa[\]^_`aaa
7Regexp should only use plus “+” metacharacter in places where it is necessary, as it means “one or more”. Alternative metacharacter star “*”, which means “zero or more” is generally preferred.a'\s+\da'5
8Usage of newline wildcards should be reasonable. \r\n characters can often be bypassed by either substitution, or by using newline alternative \v, \f and others. Wildcard \b has different meanings while using it in square brackets (“backspace”) and in plain regex (“word boundary”) - RegexLiba[^\n]*$a\n? a\r?
9Regexp should be applied to right scope of inputs: Cookies names and values, Argument names and values, Header names and values, Files argument names and content. Modsecurity: grep -oP 'SecRule(.*?)"' -n Other WAFs: manual observation.Argument valuesCookie names and values
10Regular expression writers should be careful while using only whitespace character (%20) as separators. Rule can be bypassed e.g. with newline character, tabulation, by skipping whitespace, or alternatives.a\s(not[whitespace]|and)\sba not b
11Nonstandard combinations of operatorsa||bany_string
12Special cases: whitespaces before operators(a |b)cac
13Usage of wrong syntax in POSIX character classesa[digit]baab
14Opposite usage of brackets [], () and {}[SYSTEM|PUBLIC] or (a-z123)SYSTEM or abcdef

Medium severity issues (non-expected behaviour: manual observation needed):

#RequirementVulnerable regex exampleBypass example
15Check backlinks, and bear in mind that \11 can be backlink -OR- 0x09(\d{1})=\11!=2
16Unsafe usage of commentsa(?#some comment about wildcards:\)(\w*)bafffb
17Excessive usage of metacharacters in [][\w+]
18Rarely used wildcards. All wildcards except popular: A,Z,b,r,n,t,wW,sS,dD,u,x\a = 0x07; \e = 0x1B; \R = \r|\n|\r\n; \xXX = 0xXX; \ddd = 0oddd; \cX, \x{XXXX}, \H, \V, \G
19Excessive escaping, e.g. escaping symbol which is not a wildcard\q
20Unsafe usage of recursion, IF statements, etc(?R, (?(id)true|false), ...
21Unsafe usage of ranges[\0-9] = \0\1\2\3...$%&'...789
Experimental rules (probably to be removed):
#RequirementVulnerable regex exampleBypass example
XGreediness of regular expressions should be considered. Highlight of this topic is well done in Chapter 9 of Jan Goyvaert’s tutorial. While greediness itself does not create bypasses, bad implementation of regexp Greediness can raise False Positive rate. This can cause excessive log-file flooding, forcing vulnerable rule or even whole WAF to be switched off.
XBest Practice from slides of Ivan Novikov: Modsecurity should avoid using t:base64Decode function (t:base64DecodeExt instead).t:base64Decodedetected=bypassed

Vladimir Ivanov @httpsonly