Aaron Esau (arinerron)

Aaron's Blog

Regular Expresions for Source Code Analysis

Some codebases are stunningly large. Because there's no way to read over every line of code, I use complex search queries to look for interesting, potentially vulnerable code.

I recently started to keep track of some of the better queries I've written while doing penetration tests at work so that I could publish them here.

Regular Expressions for Matching Interesting Code

Just to clarify a couple confusing columns:

noise: we can't write perfect regular expressions. I try to measure the amount of noise--uninteresting code on a scale of [low, medium, high].
type: if your editor supports simple queries (Eclipse, Netbeans), these queries can be simple to use. Otherwise, rely on the regular expression queries.

vuln	lang	noise	type	files	query
XSS		low	regex	`(backend)`	<(a\|span\|p\|img\|button\|script\|style\|input\|form\|i\|b\|u\|iframe\|body\|base\|select\|label\|div\|td\|tr\|table) (.?href\|.?src\|onload\|id\|title)=[``'"].*?[{\+``"']
XSS		med	regex	`(backend)`	`<a href=['"].*?[{\+"']`
SQLi		med	regex	`(backend)`	`(((SELECT\|DELETE)[^\S].?[^\S]FROM[^\S]\|INSERT[^\S].?[^\S]INTO))(.?[^\S]WHERE.?(=\|IS))?`
Secrets		med	regex		`(secret\|pass(word)?\|API_?KEY)\s?=[^=]?\s?("(.?)"\|'(.?)')?`
Cmd Inj		med	regex		`(Process\.Start\|[^\S]system\|execve\|(\.getRuntime\|runtime\|[^\S]rt).exec)$("([^"]?)"\|.?)$`
XSS	ASP.NET	high	regex	`*.ts`	`<[\S ]{1,5}>?.(\$\{.?\})`
XSS	ASP.NET	high	regex	`*.cs`	`<(a\|span\|p\|img\|button\|script\|style\|input\|form\|i\|b\|u)( \|>).(\{.?\})`
XSS	ASP.NET	med	regex	`*.cs`	`(\.Append\()?.?(<(a\|span\|p\|img\|button\|script\|style\|input\|form\|i\|b\|u)( \|>)).?([^\$]?".?\+.?[^\$]?")`
SQLi	ASP.NET	high	regex	`*.cs`	`(ExecuteSQLCommand)`
XXE	ASP.NET	high	regex	`*.cs`	`XmlDocument\(`
rXSS	Java	med	simple	`.java, .jsp`	`<%=request.getParameter%>`
rXSS	Java	low	regex		`<%=((?!Constant\|getContext\|Globals\|Sanitize\|StringEscapeUtils\|new (Long\|Integer\|Boolean)\|application\.getAttribute).)*?%>`
SQLi	Java	med	regex	`.java, .jsp`	`^(?!\s(\/\/\|\<logic\|\\|\{\|logger\|whereTo\|The\|\(like\|\/\\|if\|boolean\|Voter\|see\:\|return\|\<bean\|bp\.set\|Action\|public\ \|\<input\|\<label\|\<\%\|2\.\|private)).+where.`
CRLFi	Java	high	simple	`.java, .jsp`	`.setHeader(`
Double Formatting	Python	low	regex	`*.py`	`[^%\S]f'.*%[a-zA-Z]`

This table is pretty small right now. As I do more penetration tests at work over this summer, I will continue to update this table.