OWASP O2 Platform Blog

Quickly testing RegExes and “Util – Text RegEx using FuzzDb.h2” O2 script

If you want to quickly test a RegEx for possible security blind spots (payloads from a known attack list that the pattern fails to match, and that would therefore pass a filter built on it), here are a couple of script samples that might help you. Keep in mind that such a run only reveals the misses that happen to be in the payload list: a run with no misses is not proof that the regex is safe.

While writing these examples I ended up writing a mini tool which you can now access via the O2 Script Util – Text RegEx using FuzzDb.h2 and looks like this:

Source Code Snippets

Here are a couple script examples on how to test regexes with O2:

Here is a simple example:

// Smallest possible check of the deny-list pattern: one benign input and one
// input carrying a single quote are run through the same regex and the two
// results (presumably match / no-match booleans from the regEx helper) are
// joined into one string.
var regExString = @"['""].*|[+\-*/%=&|^~'""]";

var cleanInput  = "this is ok";
var quotedInput = "this is' ok";

var cleanResult  = cleanInput.regEx(regExString);
var quotedResult = quotedInput.regEx(regExString);
return "{0} {1}".format(cleanResult, quotedResult);

Now add the fuzzDb payloads

// Run the deny-list regex over the FuzzDB XSS and generic SQLi lists and collect
// every payload the pattern does NOT match. Those are the inputs that would sail
// through a filter built on this regex, i.e. the blind spots we are looking for.
var regExString = @"['""].*|[+\-*/%=&|^~'""]";

var fuzzDb = new API_FuzzDB();
var blindSpots = new List<string>();

// both lists get exactly the same treatment, so share one loop
Action<List<string>> collectMisses =
    (payloads) => {
        foreach (var payload in payloads)
            if (payload.regEx(regExString).isFalse())
                blindSpots.add(payload);
    };

collectMisses(fuzzDb.payloads_Xss());
collectMisses(fuzzDb.payloads_SQLi_Generic());

return blindSpots;

//O2File:API_FuzzDB.cs

You can also test what happens when the payloads are URL-encoded, i.e. what a filter that inspects the raw query string before decoding would see; encode the payload, not the regex, or the pattern turns into a string of %XX escapes that matches almost nothing and every payload shows up as a miss.


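// Check how the deny-list regex behaves once each XSS payload has been URL-encoded,
// the form a filter that inspects the raw query string before decoding would see.
//
// The previous version called regExString.urlEncode() and left the payload untouched,
// so the PATTERN was encoded: that turns it into a literal string of %XX escapes which
// matches almost nothing, and nearly every payload was reported as a blind spot. The
// later GUI version of this script encodes the payload instead; this does the same.
var regExString = @"['""].*|[+\-*/%=&|^~'""]";

var matches = new List<string>();

var fuzzDb  = new API_FuzzDB();

foreach(var payload in fuzzDb.payloads_Xss())
{
    var encodedPayload = payload.urlEncode();
    // an encoded payload the regex does not match is a blind spot for a pre-decoding
    // filter; expect many of them, since URL-encoding replaces most of the characters
    // the pattern keys on (quotes, '+', '/', ...) with %XX sequences — which is an
    // argument for matching after decoding rather than before
    if (encodedPayload.regEx(regExString).isFalse())
        matches.add(encodedPayload);
}

return matches;
//O2File:API_FuzzDB.cs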

Next step is to build a Gui:

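// First GUI version of the regex tester: a row of controls on top and a grid underneath
// that lists every FuzzDB payload the regex under test does NOT match, i.e. each row is
// a blind spot for a deny-list filter built on that regex.
var topPanel = panel.clear().add_Panel();

var actionsPanel = topPanel.insert_Above(40,"actions");
var dataGridView = topPanel.add_DataGridView()
                           .add_Columns("Payload", "Result");

var stop = false;           // set by the "stop" link, consulted once per payload
var sqli_payloads = false;  // checkbox state: run the generic SQLi list
var xss_payloads = false;   // checkbox state: run the XSS list
// NOTE(review): unlike the earlier snippets this default pattern has no '|' between the
// two halves, so it only matches a quote followed (somewhere later) by one of the listed
// characters rather than either on its own; confirm that narrowing is intended.
var regExString = @"['""].*[+\-*/%=&|^~'""]";

Action startFuzzing =
    ()=>{
            var fuzzDb  = new API_FuzzDB();
            var startFuzzingLink = actionsPanel.link("Start Fuzzing").enabled(false);
            var statusLabel = actionsPanel.controls<Label>(true).last();

            // Runs one payload list. A payload that fails to match the regex is a miss and
            // goes into the grid (the Result column therefore always shows false). The stop
            // flag is only checked between payloads, so a pattern that backtracks
            // catastrophically cannot be interrupted in the middle of a single match.
            Action<List<string>> testPayloads =
                (payloads)=> {
                                foreach(var payload in payloads)
                                {
                                    if (stop)
                                        break;
                                    statusLabel.set_Text("testing payload: {0}".format(payload));
                                    if (payload.regEx(regExString).isFalse())
                                        dataGridView.add_Row(payload, false);
                                }
                            };
            try
            {
                // the previous version fed the XSS list to BOTH checkboxes, so ticking "Sqli"
                // never tested a single SQLi payload; each checkbox now drives its own list
                if (sqli_payloads)
                    testPayloads(fuzzDb.payloads_SQLi_Generic());
                if (xss_payloads)
                    testPayloads(fuzzDb.payloads_Xss());
                statusLabel.set_Text("Tests completed");
            }
            finally
            {
                // always re-arm the UI: otherwise an exception (e.g. an invalid pattern typed
                // into the textbox, if the underlying Regex throws on it) would leave
                // "Start Fuzzing" disabled for good and a pending stop request stuck at true
                stop = false;
                startFuzzingLink.enabled(true);
            }
        };

actionsPanel.add_Label("RegEx To test").top(3)
            .append_TextBox(regExString).onTextChange((text)=> regExString = text).width(200)
            .append_CheckBox("Xss", (value)=> xss_payloads= value).tick().top(1)
            .append_CheckBox("Sqli", (value)=> sqli_payloads= value).tick()
            .append_Link("Start Fuzzing", ()=> startFuzzing()).font_bold().top(3)
            .append_Link("stop", ()=> stop = true)
            .append_Link("clear table", ()=> dataGridView.remove_Rows() )
            .append_Label("...").autoSize().top(3);

// run once with the default pattern and the ticked lists so the grid is populated on open
startFuzzing();

return "ok";
//O2File:API_FuzzDB.cs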

Final version

Here is a version with a couple more features (see screenshot above)

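// Final version of the regex tester (see screenshot above): a popup window with a row of
// controls and a grid listing every FuzzDB payload the regex under test does NOT match,
// optionally also in URL-encoded form. Each row is a blind spot for a deny-list filter
// built on that regex.
var topPanel = "Util - Text RegEx using FuzzDb".popupWindow(1000,400);
//var topPanel = panel.clear().add_Panel();

var actionsPanel = topPanel.insert_Above(40,"actions");
var dataGridView = topPanel.add_DataGridView()
                           .add_Columns("Payload", "Result");

var stop = false;             // set by the "stop" link, consulted once per payload
var sqli_payloads = false;    // checkbox state: run the generic SQLi list
var xss_payloads = false;     // checkbox state: run the XSS list
var withUrlEncoding = false;  // checkbox state: also test each payload URL-encoded
// NOTE(review): unlike the earlier snippets this default pattern has no '|' between the
// two halves, so it only matches a quote followed (somewhere later) by one of the listed
// characters rather than either on its own; confirm that narrowing is intended.
var regExString = @"['""].*[+\-*/%=&|^~'""]";

Action startFuzzing =
    ()=>{
            var fuzzDb  = new API_FuzzDB();
            var startFuzzingLink = actionsPanel.link("Start Fuzzing").enabled(false);
            var statusLabel = actionsPanel.controls<Label>(true).last();

            // Runs one payload list. A payload (raw, and URL-encoded when requested) that
            // fails to match the regex is a miss and goes into the grid (the Result column
            // therefore always shows false). The stop flag is only checked between payloads,
            // so a pattern that backtracks catastrophically cannot be interrupted in the
            // middle of a single match.
            Action<List<string>> testPayloads =
                (payloads)=> {
                                foreach(var payload in payloads)
                                {
                                    if (stop)
                                        break;
                                    statusLabel.set_Text("testing payload: {0}".format(payload));
                                    if (payload.regEx(regExString).isFalse())
                                        dataGridView.add_Row(payload, false);
                                    if (withUrlEncoding)
                                    {
                                        // what a filter that runs before URL-decoding would see
                                        var encodedPayload = payload.urlEncode();
                                        statusLabel.set_Text("testing payload: {0}".format(encodedPayload));
                                        if (encodedPayload.regEx(regExString).isFalse())
                                            dataGridView.add_Row(encodedPayload, false);
                                        this.sleep(100);
                                    }
                                }
                            };
            try
            {
                if (sqli_payloads)
                    testPayloads(fuzzDb.payloads_SQLi_Generic());
                if (xss_payloads)
                    testPayloads(fuzzDb.payloads_Xss());
                // we could also apply the transformation into the entire list like this
                //testPayloads( fuzzDb.payloads_Xss().Select((value)=> value.urlEncode())  );
                statusLabel.set_Text("Tests completed");
            }
            finally
            {
                // always re-arm the UI: otherwise an exception (e.g. an invalid pattern typed
                // into the textbox, if the underlying Regex throws on it) would leave
                // "Start Fuzzing" disabled for good and a pending stop request stuck at true
                stop = false;
                startFuzzingLink.enabled(true);
            }
        };

actionsPanel.add_Label("RegEx To test").top(3)
            .append_TextBox(regExString).onTextChange((text)=> regExString = text).width(200)
            .append_CheckBox("Xss", (value)=> xss_payloads= value).tick().top(1)
            .append_CheckBox("Sqli", (value)=> sqli_payloads= value)//.tick()
            .append_CheckBox("with UrlEncoding", (value)=> withUrlEncoding= value)//.tick()
            .append_Link("Start Fuzzing", ()=> startFuzzing()).font_bold().top(3)
            .append_Link("stop", ()=> stop = true)
            .append_Link("clear table", ()=> dataGridView.remove_Rows() )
            .append_Label("...").autoSize().top(3);

// run once with the default pattern and the ticked lists so the grid is populated on open
startFuzzing();

return "ok";
//O2File:API_FuzzDB.cs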

December 7, 2011 - Posted by | FuzzDB, XSS
