Overly Permissive Regular Expression


Description

The tested application uses a regular expression that is too broad in scope to sufficiently restrict the set of allowed values.

Risk Factors

Overly Permissive Regular Expressions are a very common flaw in applications where regular expressions are used to restrict user input. Because of the overall complexity of regular expressions, developers will often use wildcard characters, or fail to restrict the number of characters allowed in the request.

This weakness is the opening that a malicious user needs to begin an injection attack, either client or server side. When an attacker can get inappropriate values into the backend processing system, there is a much greater chance of finding an injection flaw in that system.

Examples

For example, consider this expression to match a floating point number in text:

   [-+]?([0-9])*\.?([0-9]*)

While it does match floating point numbers, every part of the pattern is optional and nothing anchors it to the start or end of the input, so the greedy * tokens let it match starting anywhere in the string, leaving an opening for injection.
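The following added example (not part of the original OWASP page) runs the pattern above against constructed sample inputs and contrasts it with an anchored replacement; the strict pattern and the length cap are assumptions about what a decimal input field should accept.

```python
import re

# Pattern from the page: every token is optional and nothing is anchored,
# so re.search finds a (possibly empty) match somewhere in any input.
LOOSE_FLOAT = re.compile(r"[-+]?([0-9])*\.?([0-9]*)")

# Hardened replacement (assumption: the application needs a plain decimal
# such as 3.14 or -42; extend it if exponents or a leading '.' are needed).
# Anchors plus mandatory digits mean only a whole, well-formed value passes.
STRICT_FLOAT = re.compile(r"^[-+]?[0-9]+(?:\.[0-9]+)?$")

MAX_LEN = 32  # assumed bound on what the backend should ever receive


def loose_accepts(value: str) -> bool:
    """Validation as commonly written with the page's pattern: re.search."""
    return LOOSE_FLOAT.search(value) is not None


def loose_captured(value: str) -> str:
    """What the loose pattern actually matched (often the empty string)."""
    m = LOOSE_FLOAT.search(value)
    return m.group(0) if m else ""


def strict_accepts(value: str) -> bool:
    """Whole-string match with a length cap.

    fullmatch is used instead of search/match because Python's '$' also
    matches just before a trailing newline, which fullmatch does not allow.
    """
    return len(value) <= MAX_LEN and STRICT_FLOAT.fullmatch(value) is not None


# Constructed sample inputs: two legitimate values and three that a
# validator for a number should reject.
SAMPLES = ["3.14", "-42", "", "abc", "1.5 OR 1=1"]


def compare(samples=SAMPLES):
    """Return {input: (loose_accepts, strict_accepts)} for each sample."""
    return {s: (loose_accepts(s), strict_accepts(s)) for s in samples}


if __name__ == "__main__":
    for s, (loose, strict) in compare().items():
        print(f"{s!r:14} matched={loose_captured(s)!r:6} "
              f"loose={loose!s:5} strict={strict}")
```

Every sample passes the loose check, because the pattern is satisfied by the empty string at position 0, while only the two well-formed numbers pass the anchored check.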
