Post on 22-Jan-2018
Chapters 12, 13, 14
Ryne McCall
(a little) Security
Regular expressions
Unicode (maybe)
Security
Spectrum: more secure <-> more usable
Security == Laziness
OWASP top ten
• A1 - Injection
• A2 - Broken Authentication and Session Management
• A3 - Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References
• A5 - Security Misconfiguration
• A6 - Sensitive Data Exposure
• A7 - Missing Function Level Access Control
• A8 - Cross-Site Request Forgery (CSRF)
• A9 - Using Components with Known Vulnerabilities
• A10 - Unvalidated Redirects and Forwards
Regular expressions
Agenda
•What are they?
•Best practices
•Problems
History
– Larry Wall
“...we saw how everyone borrowed Perl 5 compatible regular expressions, and we figured - well, you know, they're a real big mess, and we're sorry, but we're changing them now, now that you've just borrowed them.”
What are they?
PCRE functions
• preg_filter — Perform a regular expression search and replace
• preg_grep — Return array entries that match the pattern
• preg_last_error — Returns the error code of the last PCRE regex execution
• preg_match_all — Perform a global regular expression match
• preg_match — Perform a regular expression match
• preg_quote — Quote regular expression characters
• preg_replace_callback — Perform a regular expression search and replace using a callback
• preg_replace — Perform a regular expression search and replace
• preg_split — Split string by a regular expression
preg_match
int preg_match(string $pattern, string $subject [, array &$matches])
/………/
/app/
A. foo
B. bar
C. apple
D. app
/a|b/
A. a
B. b
C. ab
D. x
/a+/
A. a
B. aaa
C. baaab
D. b
/a*/
A. a
B. aaa
C. baaab
D. b
/^app$/
A. foo
B. bar
C. apple
D. app
/^ab?c$/
A. aac
B. abc
C. ac
D. acc
/^a.c$/
A. aac
B. abc
C. ac
D. acc
/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-+[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD
/[[:alpha:]]/ or /[A-Za-z]/
A. a
B. b
C. c
D. -
/^[[:alpha:]]+\d*$/
A. abc123
B. a
C. ~abc123~
D. 123abc
/a{2,4}/
A. a
B. aa
C. aaaa
D. b
/^([[:alpha:]]\d)+[[:alpha:]]*$/
A. a0
B. a0xyz
C. 0a1b
D. a0b1xyz
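The slides give no answer key for the quiz patterns above. The script below is an added example, not code from the slides or from the course, and it exists to let you check each quiz yourself: it feeds every option through preg_match() as declared on the preg_match slide and prints the return value and the matched text. The quiz table is copied from the slides; the check for a false return (engine failure, as opposed to 0 for no match) is my addition and is the habit worth keeping in real code.

```php
<?php
// Added example (not from the slides): run each quiz pattern through preg_match().
// preg_match() returns 1 on a match, 0 on no match, and false on an engine error.
declare(strict_types=1);

// Quiz patterns and options, copied from the slides above.
$quizzes = [
    '/app/'                            => ['foo', 'bar', 'apple', 'app'],
    '/a|b/'                            => ['a', 'b', 'ab', 'x'],
    '/a+/'                             => ['a', 'aaa', 'baaab', 'b'],
    '/a*/'                             => ['a', 'aaa', 'baaab', 'b'],
    '/^app$/'                          => ['foo', 'bar', 'apple', 'app'],
    '/^ab?c$/'                         => ['aac', 'abc', 'ac', 'acc'],
    '/^a.c$/'                          => ['aac', 'abc', 'ac', 'acc'],
    '/[[:alpha:]]/'                    => ['a', 'b', 'c', '-'],
    '/^[[:alpha:]]+\d*$/'              => ['abc123', 'a', '~abc123~', '123abc'],
    '/a{2,4}/'                         => ['a', 'aa', 'aaaa', 'b'],
    '/^([[:alpha:]]\d)+[[:alpha:]]*$/' => ['a0', 'a0xyz', '0a1b', 'a0b1xyz'],
];

function checkQuiz(string $pattern, array $options): array
{
    $results = [];
    foreach ($options as $subject) {
        $matches = [];
        $r = preg_match($pattern, $subject, $matches);
        if ($r === false) {
            // false is not "no match": the engine failed (bad pattern, backtrack
            // limit, ...). preg_last_error() tells you which failure it was.
            throw new RuntimeException('preg_match failed, error code ' . preg_last_error());
        }
        // $matches[0] is the text that matched. An empty string is still a match,
        // which is why the unanchored /a*/ accepts "b": it matches "" at offset 0.
        $results[$subject] = ['matched' => $r === 1, 'text' => $matches[0] ?? null];
    }
    return $results;
}

foreach ($quizzes as $pattern => $options) {
    echo $pattern, PHP_EOL;
    foreach (checkQuiz($pattern, $options) as $subject => $res) {
        printf("  %-10s %-3s %s\n", $subject, $res['matched'] ? 'yes' : 'no', var_export($res['text'], true));
    }
}
```

Run it with `php quiz.php` (the file name is my choice). The two results worth staring at are /a*/ accepting every option and /app/ accepting "apple": without anchors a pattern only has to occur somewhere in the subject, and a pattern that can match the empty string occurs everywhere.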
/(\d{3})-(\d{3})-(\d{4})/
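The slide's phone pattern has three capture groups. The following added example (mine, not the course's phone-number.php, whose contents are not on the page) shows what preg_match() puts into $matches for that pattern and how preg_match_all() pulls every occurrence out of free text. The sample input is constructed.

```php
<?php
// Added example (not from the slides): capture groups of the phone pattern.
declare(strict_types=1);

// Pattern copied from the slide; it is unanchored on purpose for findAllPhones().
const PHONE = '/(\d{3})-(\d{3})-(\d{4})/';

function parsePhone(string $input): ?array
{
    // $matches[0] is the whole match, $matches[1..3] are the parenthesised groups.
    $r = preg_match(PHONE, $input, $m);
    if ($r !== 1) {          // 0 = no match, false = engine error; reject both
        return null;
    }
    return ['area' => $m[1], 'exchange' => $m[2], 'line' => $m[3]];
}

function findAllPhones(string $text): array
{
    // PREG_SET_ORDER yields one [whole, g1, g2, g3] array per occurrence.
    preg_match_all(PHONE, $text, $sets, PREG_SET_ORDER);
    return array_map(fn(array $m) => $m[0], $sets);
}

// Constructed sample input.
$text = 'Call 555-123-4567 or 555-987-6543; 12-34-5678 is not a number.';

var_dump(parsePhone('555-123-4567'));   // area/exchange/line parts
var_dump(parsePhone('5551234567'));     // null: the pattern requires the dashes
print_r(findAllPhones($text));          // the two dashed numbers only
```

Because the pattern is unanchored, parsePhone('x555-123-4567y') also returns a result: the match sits inside the longer string. That is what findAllPhones() wants and usually not what a form validator wants, which is where ^ and $ come in.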
Best practices
– Jamie Zawinski
“Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.”
/good text/
A. good text; evil text
B. evil text good text
C. good text'; evil text
D. good text
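The point of this quiz is that /good text/ accepts all four options, including the ones with something appended. The script below is an added example (mine, not from the slides) that runs the four options, plus a constructed fifth input with a trailing newline, through the slide's pattern and through three anchored variants I have added: ^...$ alone, ^...$ with the D modifier the slides' long e-mail pattern uses, and \A...\z. Only the last two reject every input but the exact string.

```php
<?php
// Added example (not from the slides): unanchored vs. anchored validation.
declare(strict_types=1);

// The four quiz options, plus a constructed input with a trailing newline.
$inputs = [
    'good text; evil text',
    'evil text good text',
    "good text'; evil text",
    'good text',
    "good text\n",
];

function accepts(string $pattern, string $input): bool
{
    // Compare against 1 explicitly: false (engine error) must not be treated as "no match".
    return preg_match($pattern, $input) === 1;
}

$patterns = [
    '/good text/'     => 'unanchored: matches anywhere in the input',
    '/^good text$/'   => 'anchored, but $ still matches before one trailing newline',
    '/^good text$/D'  => 'D (DOLLAR_ENDONLY): $ matches only at the very end',
    '/\Agood text\z/' => '\A and \z: same effect without a modifier',
];

foreach ($patterns as $pattern => $note) {
    echo $pattern, '  (', $note, ')', PHP_EOL;
    foreach ($inputs as $input) {
        printf("  %-26s %s\n", json_encode($input), accepts($pattern, $input) ? 'accepted' : 'rejected');
    }
}
```

Expected behaviour: the first pattern accepts all five inputs; /^good text$/ accepts "good text" and "good text\n"; the D and \A...\z variants accept only "good text". A validator that is supposed to allow-list an exact value needs one of the last two, which is why the e-mail pattern earlier in the deck ends in /iD rather than /i.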
phone-number.php
Problems
Thanks