Recently, I discuss a lot about security, especially about code injection. And in these discussions, we talked a lot about regex are the only way to check if a string contains malicious code.
Curious as I am, I tried during hours to find some regex which can check if the string contains (one of them, not a big regex which can check all the cases) :
- SQL
- HTML
- Javascript
I only find for SQL, but it was on a random comment online, not even a post.
So, do you know where can I find these kind of regex?
Thanks a lot for your help!
Top comments (3)
It depends on what cases you want the tool to handle, also you didn't mention about the target you want to protect, is it the DOM, some backend api or something else?
Generally there are different ways to sanitize data and prevent things like XSS
Example github.com/cure53/DOMPurify
The context is more to have a tool to know if the string contains malicious content
Sanitize will help to protect the app, but I want to be notified if there is a real attack. I want to avoid false positive notifications
There are so many payloads and maybe your regex can stop few of them but at the same time the attacker has ability to understand what type of filtering is on place. Later he/she can modify the payload according to that. But this method looks more applicable. I am not a developer just a guy who is into wen application security and penetration testing
1: block all the common payloads to prevent script kiddies
2: encoding the user input (search queries, )