DEV Community

Maxime Guilbert
Maxime Guilbert

Posted on

Where can I find regex to prevent code injection?

Recently, I discuss a lot about security, especially about code injection. And in these discussions, we talked a lot about regex are the only way to check if a string contains malicious code.

Curious as I am, I tried during hours to find some regex which can check if the string contains (one of them, not a big regex which can check all the cases) :

  • SQL
  • HTML
  • Javascript

I only find for SQL, but it was on a random comment online, not even a post.

So, do you know where can I find these kind of regex?

Thanks a lot for your help!

Discussion (3)

Collapse
sidrathi47 profile image
Sidharth Rathi

It depends on what cases you want the tool to handle, also you didn't mention about the target you want to protect, is it the DOM, some backend api or something else?

Generally there are different ways to sanitize data and prevent things like XSS

Example github.com/cure53/DOMPurify

Collapse
mxglt profile image
Maxime Guilbert Author

The context is more to have a tool to know if the string contains malicious content

Sanitize will help to protect the app, but I want to be notified if there is a real attack. I want to avoid false positive notifications

Collapse
sudoehtisham profile image
Ehtisham-sudo

There are so many payloads and maybe your regex can stop few of them but at the same time the attacker has ability to understand what type of filtering is on place. Later he/she can modify the payload according to that. But this method looks more applicable. I am not a developer just a guy who is into wen application security and penetration testing

1: block all the common payloads to prevent script kiddies
2: encoding the user input (search queries, )