Quickly testing RegExes and the “Util – Text RegEx using FuzzDb.h2” O2 script
If you want to quickly test a RegEx for possible security blind spots, here are a couple of script samples that might help you.
While writing these examples I ended up writing a mini tool, which you can now access via the O2 script “Util – Text RegEx using FuzzDb.h2”, and which looks like this:
Source Code Snippets
Here are a couple of script examples showing how to test regexes with O2.
Here is a simple example (a benign string and one containing a quote, checked against the same regex):
// Sanity check for the blacklist regex: a benign string should not match,
// while a string containing a single quote should. Returns both outcomes
// as "<benign> <withQuote>".
var regExString = @"['""].*|[+\-*/%=&|^~'""]";
var benignInput = "this is ok";
var quotedInput = "this is' ok";
var benignOutcome = benignInput.regEx(regExString);
var quotedOutcome = quotedInput.regEx(regExString);
return "{0} {1}".format(benignOutcome, quotedOutcome);
Now add the FuzzDb payloads (the script returns every payload the regex fails to match):
// Collect every FuzzDb payload that the blacklist regex does NOT match -
// these are the regex's blind spots. XSS payloads are checked first, then
// the generic SQLi ones; the combined list is returned.
var regExString = @"['""].*|[+\-*/%=&|^~'""]";
var blindSpots = new List<string>();
var fuzzDb = new API_FuzzDB();
Action<List<string>> collectMisses =
    (payloads)=> {
        foreach (var payload in payloads)
            if (payload.regEx(regExString).isFalse())
                blindSpots.add(payload);
    };
collectMisses(fuzzDb.payloads_Xss());
collectMisses(fuzzDb.payloads_SQLi_Generic());
return blindSpots;
//O2File:API_FuzzDB.cs
You can also test what happens when the payloads are URL-encoded:
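// Same blind-spot check, but against the URL-encoded form of each XSS payload.
// It is the payload that gets encoded, not the regex: url-encoding the pattern
// would turn its metacharacters ('[', '|', '*', ...) into literal %XX sequences,
// so the original rule would no longer be the thing under test.
// Returns the encoded payloads the regex does NOT match.
var regExString = @"['""].*|[+\-*/%=&|^~'""]";
var matches = new List<string>();
var fuzzDb = new API_FuzzDB();
foreach (var payload in fuzzDb.payloads_Xss())
{
    var encodedPayload = payload.urlEncode();
    if (encodedPayload.regEx(regExString).isFalse())
        matches.add(encodedPayload);   // encoded form slips past the regex
}
return matches;
//O2File:API_FuzzDB.cs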
The next step is to build a GUI:
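// First GUI version: runs the selected FuzzDb payload lists (XSS and/or SQLi)
// against the regex typed in the text box and lists, in the grid, every
// payload the regex does NOT match (the blacklist's blind spots).
var topPanel = panel.clear().add_Panel();
var actionsPanel = topPanel.insert_Above(40,"actions");
var dataGridView = topPanel.add_DataGridView()
                           .add_Columns("Payload", "Result");
// GUI state, set by the checkbox/link callbacks below
var stop = false;
var sqli_payloads = false;
var xss_payloads = false;
// NOTE(review): this pattern lacks the '|' alternation used in the earlier
// snippets, so it only matches a quote followed (eventually) by an operator
// character - confirm that is intended
var regExString = @"['""].*[+\-*/%=&|^~'""]";
Action startFuzzing =
()=>{
    var fuzzDb = new API_FuzzDB();
    var startFuzzingLink = actionsPanel.link("Start Fuzzing").enabled(false);
    var statusLabel = actionsPanel.controls<Label>(true).last();   // presumably the trailing "..." label
    // A payload the regex does not match is a blind spot: record it in the grid.
    // The loop is aborted by the "stop" link.
    Action<List<string>> testPayloads =
        (payloads)=> {
            foreach(var payload in payloads)
            {
                if (stop)
                    break;
                statusLabel.set_Text("testing payload: {0}".format(payload));
                if (payload.regEx(regExString).isFalse())
                    dataGridView.add_Row(payload, false);
            }
        };
    // the "Sqli" checkbox must run the SQLi list (the original ran payloads_Xss() here too)
    if (sqli_payloads)
        testPayloads(fuzzDb.payloads_SQLi_Generic());
    if (xss_payloads)
        testPayloads(fuzzDb.payloads_Xss());
    stop = false;   // reset, otherwise the next run would break out of the loop immediately
    startFuzzingLink.enabled(true);
    statusLabel.set_Text("Tests completed");
};
actionsPanel.add_Label("RegEx To test").top(3)
            .append_TextBox(regExString).onTextChange((text)=> regExString = text).width(200)
            .append_CheckBox("Xss", (value)=> xss_payloads= value).tick().top(1)
            .append_CheckBox("Sqli", (value)=> sqli_payloads= value).tick()
            .append_Link("Start Fuzzing", ()=> startFuzzing()).font_bold().top(3)
            .append_Link("stop", ()=> stop = true)
            .append_Link("clear table", ()=> dataGridView.remove_Rows() )
            .append_Label("...").autoSize().top(3);
startFuzzing();
return "ok";
//O2File:API_FuzzDB.cs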
Final version
Here is a version with a couple more features (see the screenshot above):
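// "Util - Text RegEx using FuzzDb": popup GUI that runs the selected FuzzDb
// payload lists (XSS and/or SQLi), optionally also in URL-encoded form,
// against the regex typed in the text box and lists in the grid every
// payload the regex does NOT match (the blacklist's blind spots).
var topPanel = "Util - Text RegEx using FuzzDb".popupWindow(1000,400);
//var topPanel = panel.clear().add_Panel();   // alternative: host inside an existing panel
var actionsPanel = topPanel.insert_Above(40,"actions");
var dataGridView = topPanel.add_DataGridView()
                           .add_Columns("Payload", "Result");
// GUI state, set by the checkbox/link callbacks below
var stop = false;
var sqli_payloads = false;
var xss_payloads = false;
var withUrlEncoding = false;
// NOTE(review): this pattern lacks the '|' alternation used in the earlier
// snippets, so it only matches a quote followed (eventually) by an operator
// character - confirm that is intended
var regExString = @"['""].*[+\-*/%=&|^~'""]";
Action startFuzzing =
()=>{
    var fuzzDb = new API_FuzzDB();
    var startFuzzingLink = actionsPanel.link("Start Fuzzing").enabled(false);
    var statusLabel = actionsPanel.controls<Label>(true).last();   // presumably the trailing "..." label
    // Tests a single string (plain or encoded): if the regex does NOT match
    // it, it is a blind spot and goes into the grid.
    Action<string> testCandidate =
        (candidate)=> {
            statusLabel.set_Text("testing payload: {0}".format(candidate));
            if (candidate.regEx(regExString).isFalse())
                dataGridView.add_Row(candidate, false);
        };
    // Runs a payload list through testCandidate, plus its url-encoded form
    // when requested. The loop is aborted by the "stop" link.
    Action<List<string>> testPayloads =
        (payloads)=> {
            foreach(var payload in payloads)
            {
                if (stop)
                    break;
                testCandidate(payload);
                if (withUrlEncoding)
                {
                    testCandidate(payload.urlEncode());
                    this.sleep(100);   // NOTE(review): delay only on the encoded path, presumably to throttle UI updates - confirm
                }
            }
        };
    if (sqli_payloads)
        testPayloads(fuzzDb.payloads_SQLi_Generic());
    if (xss_payloads)
        testPayloads(fuzzDb.payloads_Xss());
    // we could also apply the transformation into the entire list like this
    //testPayloads( fuzzDb.payloads_Xss().Select((value)=> value.urlEncode()) );
    stop = false;   // reset, otherwise the next run would break out of the loop immediately
    startFuzzingLink.enabled(true);
    statusLabel.set_Text("Tests completed");
};
actionsPanel.add_Label("RegEx To test").top(3)
            .append_TextBox(regExString).onTextChange((text)=> regExString = text).width(200)
            .append_CheckBox("Xss", (value)=> xss_payloads= value).tick().top(1)
            .append_CheckBox("Sqli", (value)=> sqli_payloads= value)//.tick()
            .append_CheckBox("with UrlEncoding", (value)=> withUrlEncoding= value)//.tick()
            .append_Link("Start Fuzzing", ()=> startFuzzing()).font_bold().top(3)
            .append_Link("stop", ()=> stop = true)
            .append_Link("clear table", ()=> dataGridView.remove_Rows() )
            .append_Label("...").autoSize().top(3);
startFuzzing();
return "ok";
//O2File:API_FuzzDB.cs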


