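<?xml version="1.0" encoding="utf-8"?>
<xss>
  <!-- from: http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository
       date: 19-mar-09
  -->
  <!-- Usage notes for every pattern below.
       * The patterns are allow-list checks meant to match the WHOLE value. Apply them
         with a full-match API or the engine's absolute end-of-input anchor: in several
         engines a plain "$" also matches just before a trailing line feed, so a value
         that ends with a newline can still pass.
       * \d, \w and \s are Unicode-aware in some engines; switch to explicit ASCII
         classes if only ASCII input is acceptable.
       * A match only says the value has the expected shape. It does not make the value
         safe to place into HTML, SQL or a shell command; output encoding and
         parameterised queries are still required.
  -->

  <!-- url: [[:blank:]] is a POSIX bracket expression. Engines without POSIX class
       support (for example java.util.regex and JavaScript) parse it as an ordinary
       character class, so the optional trailing group behaves differently there.
       The accepted character set includes ' ( ) and ;, and the scheme list includes
       gopher, telnet and mailto: narrow both to what the application really needs. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>url</name>
    <code><![CDATA[^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$]]></code>
    <desc></desc>
  </attack>

  <!-- IP: dotted-quad IPv4 only. Octets with leading zeros such as 010 are accepted;
       some address parsers read those as octal, so normalise the value before using
       it in an allow or deny decision. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>IP</name>
    <code><![CDATA[^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$]]></code>
    <desc></desc>
  </attack>

  <!-- e-mail: syntax check only. The top-level domain is limited to 2 to 7 ASCII
       letters, so longer or internationalised TLDs are rejected, and & * + are
       allowed in the local part. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>e-mail</name>
    <code><![CDATA[^[\w\-\+\&\*]+(?:\.[\w\-\_\+\&\*]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$]]></code>
    <desc></desc>
  </attack>

  <!-- safetext: besides letters and digits the class also admits whitespace (\s, which
       includes tabs and line breaks), the full stop and the hyphen. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>safetext</name>
    <code><![CDATA[^[a-zA-Z0-9\s.\-]+$]]></code>
    <desc>Lower and upper case letters and all digits</desc>
  </attack>

  <!-- date: month, day, year with / - or . as separator; the back-references force the
       same separator in both positions. The year is two digits or four digits from
       1600 on. The month class for days 29 and 30 is [13-9]; a comma inside that
       bracket would be matched literally as a month character. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>date</name>
    <code><![CDATA[^(?:(?:(?:0?[13578]|1[02])(\/|-|\.)31)\1|(?:(?:0?[13-9]|1[0-2])(\/|-|\.)(?:29|30)\2))(?:(?:1[6-9]|[2-9]\d)?\d{2})$|^(?:0?2(\/|-|\.)29\3(?:(?:(?:1[6-9]|[2-9]\d)?(?:0[48]|[2468][048]|[13579][26])|(?:(?:16|[2468][048]|[3579][26])00))))$|^(?:(?:0?[1-9])|(?:1[0-2]))(\/|-|\.)(?:0?[1-9]|1\d|2[0-8])\4(?:(?:1[6-9]|[2-9]\d)?\d{2})$]]></code>
    <desc>Date in US format with support for leap years</desc>
  </attack>

  <!-- creditcard: both alternatives sit inside one non-capturing group so that ^ and $
       apply to each of them; without the group the 16-digit branch has no end anchor
       and the 15-digit branch has no start anchor. The second digit of the 15-digit
       branch is [47] (no literal comma). Capture group numbers are unchanged.
       This checks layout only, not the Luhn checksum, and matched values are card
       numbers: keep them out of logs. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>creditcard</name>
    <code><![CDATA[^(?:((4\d{3})|(5[1-5]\d{2})|(6011)|(7\d{3}))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13})$]]></code>
    <desc></desc>
  </attack>

  <!-- password: kept as published to illustrate lookaheads. The {4,8} length window is
       far too short for a real policy and the upper bound rejects passphrases; do not
       adopt it as a password rule. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>password</name>
    <code><![CDATA[^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$]]></code>
    <desc>4 to 8 character password requiring numbers and both lowercase and uppercase letters</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>English_digitwords</name>
    <code><![CDATA[^(zero|one|two|three|four|five|six|seven|eight|nine)$]]></code>
    <desc>The English words representing the digits 0 to 9</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>English_daywords</name>
    <code><![CDATA[^(Mo|Tu|We|Th|Fr|Sa|Su)$]]></code>
    <desc>English 2 character abbreviations for the days of the week</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>English_monthwords</name>
    <code><![CDATA[^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$]]></code>
    <desc>English 3 character abbreviations for the months</desc>
  </attack>

  <!-- The name keeps its original spelling ("Frensh") in case a consumer looks the
       entry up by name; TODO confirm and rename to French_digitwords if nothing
       depends on it. The word for 5 is "cinq". -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>Frensh_digitwords</name>
    <code><![CDATA[^(z[eé]ro|un|deux|trois|quatre|cinq|six|sept|huit|neuf)$]]></code>
    <desc>The French words representing the digits 0 to 9</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>German_digitwords</name>
    <code><![CDATA[^(null|eins|zwei|drei|vier|f(ue|ü)nf|sechs|sieben|acht|neun)$]]></code>
    <desc>The German words representing the digits 0 to 9</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>Spanish_digitwords</name>
    <code><![CDATA[^(cero|uno|dos|tres|cuatro|cinco|seis|siete|ocho|nueve)$]]></code>
    <desc>The Spanish words representing the digits 0 to 9</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>US_zip</name>
    <code><![CDATA[^\d{5}(-\d{4})?$]]></code>
    <desc>US zip code with optional dash-four</desc>
  </attack>

  <!-- US_phone: each \D? accepts ANY single non-digit character, markup and quote
       characters included, at up to four positions. After a match, build the stored
       value from the three captured digit groups rather than from the raw input. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>US_phone</name>
    <code><![CDATA[^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$]]></code>
    <desc>US phone number with or without dashes</desc>
  </attack>

  <attack>
    <label>OWASP Validation Regex</label>
    <name>US_state</name>
    <code><![CDATA[^(AE|AL|AK|AP|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MP|MT|NE|NV|NH|NJ|NM|NY|NC|ND|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$]]></code>
    <desc>Two letter state abbreviations</desc>
  </attack>

  <!-- US_ssn: format check only (3, 2 and 4 digits separated by dashes); matched values
       are sensitive identifiers and should not be written to logs. -->
  <attack>
    <label>OWASP Validation Regex</label>
    <name>US_ssn</name>
    <code><![CDATA[^\d{3}-\d{2}-\d{4}$]]></code>
    <desc>9 digit social security number with dashes</desc>
  </attack>

  <!-- Some additional examples that have not been vetted
       Review notes before reusing any of them:
       * PERSON NAME and Java Classname place a quantified group inside another
         quantifier. On a backtracking engine this shape can take exponential time on
         non-matching input (ReDoS); rewrite without the nested repetition or run the
         match under a timeout or on a linear-time engine.
       * The "." in Java Classname is unescaped and therefore matches any character.
       * The second IP ADDRESS line opens a parenthesis that is never closed and will
         not compile as written.
       * VALID WINDOWS FILENAME and ANY PLATFORM FILENAME check syntax only; they are
         not a substitute for resolving the path and confirming it stays inside the
         intended directory.
// HTML HEX CODE ^#?([a-f]|[A-F]|[0-9]){3}(([a-f]|[A-F]|[0-9]){3})?$
// FLOATING POINT ^[-+]?[0-9]+[.]?[0-9]*([eE][-+]?[0-9]+)?$
// PERSON NAME ^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$
// MAC ADDRESS ^([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])$
// GUID ^[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}$
// IP ADDRESS ^\b((25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\.){3}(25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\b$
// IP ADDRESS (^\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b$
// REASONABLE DOMAIN NAME ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
// RFC 1918 NON ROUTABLE IP ^(((25[0-5]|2[0-4][0-9]|19[0-1]|19[3-9]|18[0-9]|17[0-1]|17[3-9]|1[0-6][0-9]|1[1-9]|[2-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]))|(192\.(25[0-5]|2[0-4][0-9]|16[0-7]|169|1[0-5][0-9]|1[7-9][0-9]|[1-9][0-9]|[0-9]))|(172\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|1[0-5]|3[2-9]|[4-9][0-9]|[0-9])))\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$
// VALID WINDOWS FILENAME ^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\x00-\x1f\\?*:\";|/]+$
// Java Classname ^(([a-z])+.)+[A-Z]([a-z])+$
// ANY PLATFORM FILENAME ^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$
  -->
</xss>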