RegEx question


Shawn B.

Greetings,

I have a troubling issue that I'm not sure how to approach at this point.

Given the HTML tag (any tag will do):

<div id='divSomething' onmouseover='...'>Next we write
onmouseover='alert(message);' ...</div>


I want to write a Regular Expression that only will search the opening div
tag for the "onmouseover" text. My current expression:
(<.*?(ONMOUSEOVER)\s*=.*?>)

will incorrectly detect:
<div id='divSomething'>Next we write onmouseover='alert(message);' ...</div>


Any ideas how I can limit to only the opening tag?


Thanks,
Shawn
 
Shawn B. said:
Given the HTML tag (any tag will do):

<div id='divSomething' onmouseover='...'>Next we write
onmouseover='alert(message);' ...</div>

I want to write a Regular Expression that only will search the opening div
tag for the "onmouseover" text. My current expression:
(<.*?(ONMOUSEOVER)\s*=.*?>)

will incorrectly detect:
<div id='divSomething'>Next we write onmouseover='alert(message);' ...</div>

Any ideas how I can limit to only the opening tag?

The easy way to do this is to replace the first .* with a [^>]* -
"look for any number of characters that aren't the > character",
instead of "look for any number of any character." That is,

(<[^>]*?(ONMOUSEOVER)\s*=.*?>)
 
(?i)(?<=<[\w]+[^<\>=]+)(onmouseover)=(?:["']?([^"'>=]*)["']?)

This regular expression will capture the entire attribute name and value.
The name ("onmouseover") will be in Group 1, and the value in Group 2.

--
HTH,

Kevin Spencer
Microsoft MVP
Ministry of Software Development
http://unclechutney.blogspot.com

Never trust a dunderhead with a blunderbuss.


Jon Shemitz said:
Shawn B. said:
Given the HTML tag (any tag will do):

<div id='divSomething' onmouseover='...'>Next we write
onmouseover='alert(message);' ...</div>

I want to write a Regular Expression that only will search the opening
div
tag for the "onmouseover" text. My current expression:
(<.*?(ONMOUSEOVER)\s*=.*?>)

will incorrectly detect:
<div id='divSomething'>Next we write onmouseover='alert(message);'
...</div>

Any ideas how I can limit to only the opening tag?

The easy way to do this is to replace the first .* with a [^>]* -
"look for any number of characters that aren't the > character",
instead of "look for any number of any character." That is,

(<[^>]*?(ONMOUSEOVER)\s*=.*?>)
 
Kevin Spencer said:
(?i)(?<=<[\w]+[^<\>=]+)(onclick)=(?:["']?([^"'>=]*)["']?)

This regular expression will capture the entire attribute name and value.
The name ("onmouseover") will be in Group 1, and the value in Group 2.

Using Regulator, the above expression does not work on the following test
cases:

<SCRIPT NAME=Happy VALUE='happier' ATTR="happiest"
onClick='dosomething();'>CONENT</SCRIPT>
<SCRIPT name=ha onclick = 'asdf'>asdf</SCRIPT>
<tag>var x = asdf.onclick="";</tag>



It should detect #1 and #2 but ignore #3


Thanks,
Shawn
 
I don't have the original question you asked, and I'm not sure you specified
what the rules should be. Neither do I have the original Regular Expression
I posted for you. The one you posted is modified. So, I can't tell you what
rules I assumed for those which were not provided, nor can I tell you
whether the change you made to the regular expression has anything to do
with it.

Therefore, I went back into my personal library, and found a Regular
Expression I once created for another project, which identifies all
attribute names and values (in 2 groups) in a block of HTML text. The
original was this, to capture *all* attribute names and values:

(?i)\s+(?:(\w+)=(?:["']?([^"'>=]*)["']?)(?=\s|/?>)|\s*(?=\s|/?>))

The first group is defined by the sequence: (\w+) (any sequence of one or
more alpha-numeric characters).

I replaced that with the following:

(?i)\s+(?:(onclick)=(?:["']?([^"'>=]*)["']?)(?=\s|/?>)|\s*(?=\s|/?>))

This will only capture attributes with a name of "onclick"
(case-insensitive)

Upon testing it with your script sample below, it correctly identified only
ONE of the attributes, the first one. The reason it didn't identify the
second one you said that it should is that the second one is not correct
syntactically. In HTML, the '=' character in an attribute may not be
preceded or followed by any spaces.

--
HTH,

Kevin Spencer
Microsoft MVP
Logostician
http://unclechutney.blogspot.com

Parabola is a mate of plane.


Shawn B. said:
(?i)(?<=<[\w]+[^<\>=]+)(onclick)=(?:["']?([^"'>=]*)["']?)

This regular expression will capture the entire attribute name and value.
The name ("onmouseover") will be in Group 1, and the value in Group 2.

Using Regulator, the above expression does not work on the following test
cases:

<SCRIPT NAME=Happy VALUE='happier' ATTR="happiest"
onClick='dosomething();'>CONENT</SCRIPT>
<SCRIPT name=ha onclick = 'asdf'>asdf</SCRIPT>
<tag>var x = asdf.onclick="";</tag>



It should detect #1 and #2 but ignore #3


Thanks,
Shawn
 
Kevin, thanks for your reply. Actually, I'm trying to look for cross-site
scripting vulnerabilities on input fields. While the '=' preceded or
superseded by a space isn't valid HTML, the browser (IE) will still render
it and treat it the same, and it is a perfectly valid detection evasion
technique. The expression you provided actually still allows a few false
positives to go through on our system but I did find an expression that works
flawlessly:

(<[^>]*?(ONMOUSEOVER)\s*=.*?>)

This expression catches every one of our known vulnerabilities and does not
catch any of our known false positives. However, I'll take a closer look at
your expression and figure out if we can adapt it to other parts of our
scanning engine.


Thanks,
Shawn
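
The expressions discussed in this thread, run against the thread's own test inputs. This is an added example, not code from any of the posters. It uses Python's re module instead of the .NET engine the thread used, so the lookbehind expression is left out (Python rejects variable-width lookbehind); PATTERNS, SAMPLES, detects and matrix are names made up for this example.

```python
import re

# Expressions quoted in the thread, with the handler name turned into a
# parameter (%s). The second item is the capture group holding the name.
PATTERNS = {
    # Shawn's first attempt: ".*?" is free to run past the tag's closing ">".
    "original": (r"""(<.*?(%s)\s*=.*?>)""", 2),
    # Jon's fix, Shawn's final choice: "[^>]*?" stays inside one tag.
    "tag_scoped": (r"""(<[^>]*?(%s)\s*=.*?>)""", 2),
    # Kevin's library expression: no whitespace permitted around "=".
    "strict_attr": (
        r"""\s+(?:(%s)=(?:["']?([^"'>=]*)["']?)(?=\s|/?>)|\s*(?=\s|/?>))""", 1),
}

# Test inputs taken from the thread, each joined onto a single line.
# Value is (handler name to look for, markup).
SAMPLES = {
    "div_attr": ("onmouseover", "<div id='divSomething' onmouseover='...'>"
                 "Next we write onmouseover='alert(message);' ...</div>"),
    "div_text": ("onmouseover", "<div id='divSomething'>"
                 "Next we write onmouseover='alert(message);' ...</div>"),
    "case1": ("onclick", """<SCRIPT NAME=Happy VALUE='happier' """
              """ATTR="happiest" onClick='dosomething();'>CONENT</SCRIPT>"""),
    "case2": ("onclick", "<SCRIPT name=ha onclick = 'asdf'>asdf</SCRIPT>"),
    "case3": ("onclick", '<tag>var x = asdf.onclick="";</tag>'),
}


def detects(kind, handler, html):
    """True when expression `kind` captures `handler` somewhere in html."""
    template, name_group = PATTERNS[kind]
    rx = re.compile(template % re.escape(handler), re.IGNORECASE)
    # strict_attr has a branch that matches bare whitespace, so a match
    # only counts when the name group actually took part in it.
    return any(m.group(name_group) for m in rx.finditer(html))


def matrix():
    """Map each expression to the labels of the samples it flags."""
    return {kind: [label for label, (handler, html) in SAMPLES.items()
                   if detects(kind, handler, html)]
            for kind in PATTERNS}


if __name__ == "__main__":
    for kind, hits in matrix().items():
        print(f"{kind:12} flags {hits}")
```

On these inputs only tag_scoped flags exactly the cases the thread wanted. strict_attr misses the onclick = 'asdf' form and, because it is not tied to a tag, also flags the text-only div.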



My pleasure, Shawn. As always, figuring out the business rules is the
hardest part!

--
HTH,

Kevin Spencer
Microsoft MVP
Logostician
http://unclechutney.blogspot.com

Parabola is a mate of plane.

