A regular expression is also known as a rational expression or regex.
A regular expression is a sequence of characters that define a search pattern. Usually such patterns are used by string searching algorithms for "find" or "find and replace" operations on strings, or for input validation. It is a technique developed in theoretical computer science and formal language theory. (Wikipedia)
Almost all major languages (.NET, Java, Perl, Python, PHP, C++, etc.) support regular expressions.
The majority of security vulnerabilities, such as XSS (Cross Site Scripting), SQL injection, malicious file upload and denial of service, can be mitigated by input validation. Regular expressions are one way to do input validation, and knowledge of them is a necessity for manual secure source code review.
There are several online regex pattern checking tools that can be used to see which inputs a regular expression validation allows or rejects. Regex101 is one such tool and is very popular among security consultants, developers and functional testers. Using a tool like Regex101, one can see which numbers, characters, lowercase and uppercase letters, etc. a pattern accepts.
The expressions below are widely used regex constructs; each is described for ease of understanding. Quantifiers such as `*`, `+`, `?` and `{n,m}` apply to the element immediately before them.
| Expression | Description |
| --- | --- |
| `^` | Start of string |
| `*` | 0 or more |
| `+` | 1 or more |
| `?` | 0 or 1 |
| `.` | Any char but \n |
| `{5}` | Exactly 5 |
| `{5,}` | 5 or more (no space inside the braces; `{5, }` is read as literal text by most engines) |
| `{5,7}` | 5, 6 or 7 |
| `x{5}\|x{7}` | Exactly 5 or exactly 7 (written as an alternation; there is no single quantifier for "5 or 7") |
| `[567]` | One character that is 5, 6 or 7 (a character class, not a repetition count; not the same as `{5,7}`) |
| `[^56]` | Any one character except 5 or 6 |
| `[a-z]` | Lowercase a-z |
| `[A-Z]` | Uppercase A-Z |
| `[0-9]` | Digit 0-9 |
| `\d` | Digit |
| `\D` | Not a digit |
| `\w` | Word character: A-Z, a-z, 0-9 and underscore |
| `\W` | Not a word character |
| `\S` | Not whitespace |
| `\s` | Whitespace (space, \t, \r, \n, \f, \v) |
| `reg[ex]` | "rege" or "regx" |
| `regex?` | "rege" or "regex" |
| `regex*` | "rege" followed by 0 or more x |
| `regex+` | "rege" followed by 1 or more x |
| `[Rr]egex` | "Regex" or "regex" |
| `\d{5}` | Exactly 5 digits |
| `\d{5,}` | 5 or more digits |
| `[aeiou]` | Any one vowel |
| `(0[3-9]\|1[0-9]\|2[0-5])` | Two-digit numbers 03-25 |
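As an added example (not code from the original post), the Python checks below use the table's own patterns as allowlist validators and show three things a reviewer should look for: whether the match is anchored to the whole input, that `$` with `re.match` still tolerates a trailing newline, and that a space inside `{5, }` turns the quantifier into literal text.

```python
import re

# Allowlist validators built from the patterns in the table above.
# Each pattern is checked with re.fullmatch so the entire input must
# conform; an unanchored re.search would accept "abc12345xyz".
VALIDATORS = {
    # Exactly 5 digits (table row "\d{5}")
    "zip5": re.compile(r"\d{5}"),
    # 5 or more digits; written {5,} with no space (see below)
    "digits5plus": re.compile(r"\d{5,}"),
    # Two-digit numbers 03-25 (table row "(0[3-9]|1[0-9]|2[0-5])")
    "num03to25": re.compile(r"(0[3-9]|1[0-9]|2[0-5])"),
    # "Regex" or "regex" (table row "[Rr]egex")
    "word": re.compile(r"[Rr]egex"),
}


def validate(kind: str, value: str) -> bool:
    """Return True only if the whole value matches the allowlisted pattern."""
    return VALIDATORS[kind].fullmatch(value) is not None


def anchored_match_accepts_trailing_newline(value: str) -> bool:
    """Why ^...$ with re.match is weaker than fullmatch: in Python (and
    PCRE) '$' also matches just before a trailing newline, so "12345\\n"
    passes this check but fails validate("zip5", ...)."""
    return re.match(r"^\d{5}$", value) is not None


def space_in_quantifier_is_literal(value: str) -> bool:
    """'{5, }' with a space is not a quantifier: Python's engine treats the
    braces as literal characters, so this matches one digit followed by the
    text "{5, }" rather than five or more digits."""
    return re.fullmatch(r"\d{5, }", value) is not None


def char_class_vs_quantifier(value: str) -> tuple:
    """[567] matches ONE character that is 5, 6 or 7; x{5,7} matches 5 to 7
    repetitions of x. The two table rows are not interchangeable."""
    return (re.fullmatch(r"[567]", value) is not None,
            re.fullmatch(r"x{5,7}", value) is not None)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    for kind, sample in [("zip5", "12345"), ("zip5", "abc12345xyz"),
                         ("num03to25", "25"), ("num03to25", "26")]:
        print(f"{kind:12} {sample!r:16} -> {validate(kind, sample)}")
```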
Good Reads:
OWASP Regexp Security Checklist
Exploiting Regular Expressions
Suman Tiwari is a cyber security professional by profession and a photographer by passion.
His LinkedIn profile can be visited here for more details.