Avast WEBforum

Topic started by: polonus on September 19, 2013, 10:52:51 PM

Title: Regular expressions galore online!
Post by: polonus on September 19, 2013, 10:52:51 PM
Nice resources for all sorts of regular expressions to detect code flaws, to check the input/output from server to client, to browse expressions, and to test these online against files.
Link: http://regexlib.com/
A real expert in this specialty goes under the nick Mike; he contributed scores of regular expressions.
Reference here: http://www.regular-expressions.info/reference.html
For instance this one /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I (used in SQL injection detection)
looking for an angled bracket or its hex equivalent, the letters img in combination with various hex variants of uppercase and lowercase ASCII, any character other than a newline following, and a closing angled bracket or its hex equivalent (%3E|>), etc. etc.

My Firekeeper extension alarms as follows for this expression:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel={flock:context}&q=%2F%28%28%5C%253C%29%7C%3C%29%28%28%5C%2569%29%7Ci%7C%28%5C%2549%29%29%28%28%5C%256D%29%7Cm%7C%28%5C%254D%29%29%28%28%5C%2567%29%7Cg%7C%28%5C%2547%29%29%5B%5E%5Cn%5D%2B%28%28%5C%253E%29%7C%3E%29%2FI&ie=utf-8&oe=utf-8&aq=t

"as had to be demonstrated"

Enjoy,

polonus
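
Added example, not part of polonus's post: a Python check that runs the regex quoted above and a simplified model of the quoted Firekeeper rule over the request URL from the post and a few constructed requests, to show which inputs each one flags. The substring model of url_content, the percent-decoding step before matching (which goes beyond what the post describes), the function names and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Pattern quoted in the post; the trailing /I flag becomes re.IGNORECASE.
IMG_TAG = re.compile(
    r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
    re.IGNORECASE,
)
# Substrings the quoted Firekeeper rule requires (its url_content keywords).
RULE_TOKENS = ("%3C", "%2F", "%3E")

# Request URL copied from the post (a search for the regex text itself).
SEARCH_URL = (
    "http://www.google.com/search?client=flock&channel={flock:context}&q="
    "%2F%28%28%5C%253C%29%7C%3C%29%28%28%5C%2569%29%7Ci%7C%28%5C%2549%29%29"
    "%28%28%5C%256D%29%7Cm%7C%28%5C%254D%29%29%28%28%5C%2567%29%7Cg%7C%28%5C%2547%29%29"
    "%5B%5E%5Cn%5D%2B%28%28%5C%253E%29%7C%3E%29%2FI&ie=utf-8&oe=utf-8&aq=t"
)

def img_pattern_hit(url: str) -> bool:
    """True when the post's regex finds an img tag, literal or %-encoded."""
    return IMG_TAG.search(url) is not None

def url_content_rule_hit(url: str) -> bool:
    """Assumed model of the rule: every token must occur somewhere in the URL."""
    return all(tok in url for tok in RULE_TOKENS)

def normalized_hit(url: str, max_rounds: int = 3) -> bool:
    """Percent-decode until stable (bounded rounds), then apply the same regex."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return img_pattern_hit(url)

# Constructed sample requests (not from the post).
SAMPLES = {
    "literal": "/page?c=<img src=/a.png>",
    "encoded": "/page?c=%3Cimg%20src=%2Fa.png%3E",
    "hex_letters": "/page?c=%3C%69%4D%67%20src=%2Fa.png%3E",
    "double_encoded": "/page?c=%253Cimg%2520src=%252Fa.png%253E",
    "benign": "/page?c=images",
}

if __name__ == "__main__":
    for name, url in {**SAMPLES, "search_url_from_post": SEARCH_URL}.items():
        print(f"{name:22} regex={img_pattern_hit(url)!s:5} "
              f"rule={url_content_rule_hit(url)!s:5} normalized={normalized_hit(url)}")
```

On the search URL from the post only the three-token rule fires, because the query string merely carries the encoded characters of the regex text; the regex itself needs the bracket to be followed by the letters img and does not match.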