[Owasp-appsensor-project] Do we need a Blacklist Regex Repository?

Bennetts, Simon Simon.Bennetts at sage.com
Wed Feb 22 09:30:37 UTC 2012

I'm a big fan of this sort of thing.
I'd much rather we had a set of well defined, well maintained libraries / repositories / other building blocks that people can easily reuse then every tool maintaining their own lists.
The (small) amount of reuse in security products has always disappointed me.


"The confidence that people have in security is inversely proportional to how much they know about it."

From: owasp-appsensor-project-bounces at lists.owasp.org [mailto:owasp-appsensor-project-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
Sent: 21 February 2012 21:19
To: owasp-appsensor-project at lists.owasp.org
Subject: [Owasp-appsensor-project] Do we need a Blacklist Regex Repository?

I wanted to send this to the list for feedback.  I have been thinking quite a bit on a this particular issue, especially after the recent thread on the SQL Injection detection RegExes -

I think that we (OWASP) need to develop a Blacklist Regex Repository for detecting common attack payloads (SQL injection, XSS, RFI, etc...).  Something similar to this old Validation RegEx Repo but for attacks -

My thinking is that we should focus on the RegEx Repo and then various other projects can import/use them (AppSensor, ModSecurity CRS, etc..).  I would like to get good participation from the Breaker community to help vet the RegExs.  I know they will never be 100% foolproof but looking at some of the "example" blacklist RegExs floating around in various project code makes me cringe...  We can do better.

Not sure if this should be a stand-alone project or not (probably) but I would like your feedback.


Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

If you've received this email by mistake, we're sorry for bothering you. It may contain information that's confidential, so please delete it without sharing it. And if you let us know, we can try to stop it from happening again. Thank you. 

We may monitor any emails sent or received by us, or on our behalf. If we do, this will be in line with relevant law and our own policies.

Sage (UK) Limited. Registered in England at North Park, Newcastle upon Tyne, NE13 9AA. Registered number 1045967.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-appsensor-project/attachments/20120222/69a2eade/attachment-0001.html>

More information about the Owasp-appsensor-project mailing list