
Having Fun with RegEx

Harsh Bothra
September 26, 2020


Regular-expression-based attacks are a less travelled road because basic regex directives are poorly understood. This talk is about getting familiar with regex directives and how to use them to speed up the penetration testing process.



Transcript

  1. Having Fun with Regex By: Harsh Bothra

  2. Ex’s are everywhere, aren’t they!

  3. Boring Part – Who Am I? The same guy who bored you last time. For new guys:
     • Cyber Security Analyst at @Detox Technologies
     • Synack Red Teamer
     • Bugcrowd Top 150 & MVP Q1 Q2
     • Lazy Bug Bounty Hunter
     • Speaker at various Conferences & Chapters
     • Author of Multiple Hacking Books
     • Poet | Writer | Learner

  4. Agenda
     • Revealing the Face of Monster – Regex
     • Regex for Cyber Security
     • Basic Regex Directives
     • Playing around Regex
     • ReDoS Attacks
     • Finding out Regex in Pentesting Engagements
     • Q/As

  5. Revealing the Face of Monster Regex

  6. REGEX DIRECTIVES [] {} ()

  7. Directives (1)
     • Alphabets : a-z A-Z
     • Digits : 0-9
     • \d : any digit from 0-9
     • \D : any non-digit character
     • . (DOT) : wildcard – match any character
     • \. : to match . (dot) itself
     • - (hyphen) : range
     • Match specific characters: [characters to match]

  8. Directives (2)
     • Exclusions: [^chars_to_exclude]
     • Repetition: char{m,n}
     • Kleene Star : * (zero or more repetitions)
     • Kleene Plus : + (one or more repetitions)
     • Optional Characters: ?
     • \? : match ? itself
     • White Spaces: \s
     • Non-White Spaces: \S

  9. Directives (3)
     • Starting : ^
     • Ending : $
     • Grouping: ()
     • Nested Grouping: (group1(group2))
     • Conditionals: (a|b)
     • Case Insensitive: \i
     • Global Search: \g

  10. Let’s See things in Action

  11. https://regexone.com/ https://regexr.com/ https://regex101.com/

  12. ReDoS Attacks & Regex in Pentesting

  13. Q/A are welcome!

  14. Get in Touch at @harshbothra_
      • Website – https://harshbothra.tech
      • Twitter - @harshbothra_
      • Instagram - @harshbothra_
      • Medium - @hbothra22
      • LinkedIn - @harshbothra
      • SpeakerDeck - @harshbothra
      • Email – [email protected]
      THANKS
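The deck names ReDoS (slide 12) but the transcript carries no worked case, so here is an added example, not from the talk: the Grouping and Kleene Plus directives of slides 8 and 9 combined into the classic ReDoS shape, a textual lint that flags that shape, and a timing comparison against a flat pattern accepting the same strings. The two patterns, the NESTED_QUANTIFIER lint regex and the attack_string helper are constructed for this demonstration.

```python
import re
import time

# Constructed example patterns. Both accept exactly the strings made of one or
# more "a"; the first nests a Kleene plus inside a group that is itself
# repeated, so a failing input is re-split into every possible grouping.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"

# Heuristic lint for one ReDoS shape: a quantified group whose body ends in a
# quantifier, e.g. (a+)+, (\w*)*, (\d+){2,}. It inspects the pattern text only
# and misses other shapes such as overlapping alternation (a|aa)+ or ((a+))+.
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*}]\)[+*{]")


def looks_redos_prone(pattern: str) -> bool:
    """True if the pattern contains a quantifier nested inside a quantified group."""
    return NESTED_QUANTIFIER.search(pattern) is not None


def patterns_agree(pattern_a: str, pattern_b: str, samples) -> bool:
    """True if both patterns accept and reject exactly the same sample strings."""
    a, b = re.compile(pattern_a), re.compile(pattern_b)
    return all((a.search(s) is None) == (b.search(s) is None) for s in samples)


def attack_string(n: int) -> str:
    # n characters the group can split 2**(n-1) ways, then one character that
    # makes the trailing "$" fail, so every split is tried before giving up.
    return "a" * n + "!"


def backtracking_blowup(n: int):
    """Seconds the nested and the flat pattern need to reject attack_string(n)."""
    text = attack_string(n)
    timings = []
    for pattern in (EVIL_PATTERN, SAFE_PATTERN):
        compiled = re.compile(pattern)        # compile outside the timed region
        start = time.perf_counter()
        assert compiled.search(text) is None  # both correctly reject the input
        timings.append(time.perf_counter() - start)
    return tuple(timings)


if __name__ == "__main__":
    for pat in (EVIL_PATTERN, SAFE_PATTERN):
        print(f"{pat:10} nested quantifier: {looks_redos_prone(pat)}")
    for n in (10, 14, 18, 20):
        evil, safe = backtracking_blowup(n)
        print(f"n={n:2}  nested: {evil:8.4f}s  flat: {safe:8.6f}s")
```

Each extra "a" roughly doubles the nested pattern's rejection time while the flat pattern stays linear, which is why a lint on nested quantifiers belongs in review of any regex applied to user-controlled input.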