Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-185: Incorrect Regular Expression

Weakness ID: 185
Abstraction: Class
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software specifies a regular expression in a way that causes data to be improperly matched or compared.

Extended Description

When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.

+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Unexpected state; Varies by context

When the regular expression is not correctly specified, data might have a different format or type than the rest of the program expects, producing resultant weaknesses or errors.

Access Control

Technical Impact: Bypass protection mechanism

In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses.

+ Demonstrative Examples

Example 1

The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.

(Bad Code)
Example Language: Perl 
$phone = GetPhoneNumber();
if ($phone =~ /\d+-\d+/) {
# looks like it only has hyphens and digits
system("lookup-phone $phone");
else {
error("malformed number!");

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

+ Observed Examples
Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
Local user DoS via invalid regular expressions.
chain: Malformed input generates a regular expression error that leads to information exposure.
Certain strings are later used in a regexp, leading to a resultant crash.
MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
Malformed regexp syntax leads to information exposure in error message.
Code injection due to improper quoting of regular expression.
Null byte bypasses PHP regexp check.
Null byte bypasses PHP regexp check.
+ Potential Mitigations

Phase: Architecture and Design

Strategy: Refactoring

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory19Data Processing Errors
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ChildOfCategoryCategory171Cleansing, Canonicalization, and Comparison Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts (primary)1000
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness BaseWeakness Base182Collapse of Data into Unsafe Value
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base187Partial Comparison
Research Concepts1000
ParentOfWeakness BaseWeakness Base186Overly Restrictive Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base625Permissive Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Relationship Notes

While there is some overlap with whitelist/blacklist problems, this entry is intended to deal with incorrectly written regular expressions, regardless of their intended use. Not every regular expression is intended for use as a whitelist or blacklist. In addition, whitelists and blacklists can be implemented using other mechanisms besides regular expressions.

+ Research Gaps

Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERRegular Expression Error
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 10, "Using Regular Expressions for Checking Input" Page 350. 2nd Edition. Microsoft. 2002.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Name, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2009-12-28CWE Content TeamMITREInternal
updated Common_Consequences, Other_Notes
2010-02-16CWE Content TeamMITREInternal
updated References
2010-04-05CWE Content TeamMITREInternal
updated Description
2011-03-29CWE Content TeamMITREInternal
updated Observed_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Applicable_Platforms, Common_Consequences, Other_Notes, Relationship_Notes
2014-07-30CWE Content TeamMITREInternal
updated Demonstrative_Examples, Relationships
2015-12-07CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-09-09Regular Expression Error

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017