Author Topic: Regular expressions galore online!  (Read 2678 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33485
  • malware fighter
Regular expressions galore online!
« on: September 19, 2013, 10:52:51 PM »
Nice resources for all sorts of regular expressions to detect code flaws, check on input/output of server to client, to browse expression and to test these online against files.
Link: http://regexlib.com/
A real expert for this specialty goes under the nick Mike, he attributed scores of regular expressions.
Reference here: http://www.regular-expressions.info/reference.html
For instance this one /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I (used in SQL injection detection)
looking for angled bracket or hex equivalent, the letter img in combination with various hex variants of uppercase and lowercase ASCII and any character other than a new line following and closing angled bracket or hex equivalent (%3E|>) etc. etc.

My firekeeper extension alarms as follows for this expression:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel={flock:context}&q=%2F%28%28%5C%253C%29%7C%3C%29%28%28%5C%2569%29%7Ci%7C%28%5C%2549%29%29%28%28%5C%256D%29%7Cm%7C%28%5C%254D%29%29%28%28%5C%2567%29%7Cg%7C%28%5C%2547%29%29%5B%5E%5Cn%5D%2B%28%28%5C%253E%29%7C%3E%29%2FI&ie=utf-8&oe=utf-8&aq=t

"as had to be demonstrated"

Enjoy,

polonus
« Last Edit: September 19, 2013, 11:10:56 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!