I see your regex and in my opinion it will work great (if the flavor is "PCRE2 (PHP >=7.3)"), thanks again. I would write exactly the same for my needs.
As I said earlier, the performance of regexes is determined by the syntax and what works for "PCRE2 (PHP >=7.3)" will not work for "Java8" (and vice versa).
That is why and based on my practical experience in writing Plugins, as well as on the documentation provided by the vendor (regex examples in it) I want to know exactly what I need to do, and not try 100 different options each time. And each time think why it does not work:
because it is a bug, because it is a feature (syntax) or because I made a mistake in the regex.
Original Message:
Sent: 04-25-2025 07:32
From: Cezmi Cal
Subject: What type of regular expressions are used when writing plugins and manual mitigations?
Hi Siarhei,
As I said at the first reply, this is my opinion. Till today, my all regex written according to that favor worked without any problem.
Additionally, I encountered documentation bugs previously and this case may be one of them too :)
BTW, could you try the regexes that I shared? I hope they worked.
------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
Original Message:
Sent: 04-25-2025 05:29
From: Siarhei Charvinski
Subject: What type of regular expressions are used when writing plugins and manual mitigations?
Hi Cezmi
thank you for your answer, but why, if the "PCRE2 (PHP >=7.3)" favor is used, is the official articles clearly specifying a non-working regex syntax?
We know that the "/" symbol in this case needs to be escaped with the "\" symbol.
------------------------------
Siarhei Charvinski
Expert
FE VELCOM
Minsk
Original Message:
Sent: 04-25-2025 05:10
From: Cezmi Cal
Subject: What type of regular expressions are used when writing plugins and manual mitigations?
hello Siarhei,
as i know the used flavor is "PCRE2 (PHP >=7.3)" of listed flavors on the regex101.
can you test the regexes as listed below?
example1: "\/([0-9]{5,6})(\/.*)"
example2: "(dir1\/appliances\/product_id).(12502)(.asp)"
------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara
Original Message:
Sent: 04-25-2025 04:37
From: Siarhei Charvinski
Subject: What type of regular expressions are used when writing plugins and manual mitigations?
Hello.
What type (flavor) of regex (for testing regexes on 101regex) is used when writing Plugins (Profiling) and Manual mitigations for CVE?
The question arose because it was not possible to find a single working regex flavor for the examples given in the article of the imperva:
https://docs.imperva.com/bundle/z-kb-articles-knowledgebase-support/page/290689766.html
Example 1:
If a URL has a 5 to 6 digit dynamic prefix and looks like: /98983/url/index.asp, the following plugin will convert it as if the URL was: /url/index.asp?replaced=98983
Path Regular Expression="/([0-9]{5,6}/)(/.*)"
Path Replace="$2"
Parameter Value="$1"
Parameter Name="replaced"
In this example, the regex will not work because of two consecutive "//"
Example 2:
Using the URL dir1/appliances/product_id.12502.asp, the following plugin will convert it as if the URL was dir1/appliances/product_id.asp/ProductNumber=12502
Path Regular Expression =" (dir1/appliances/product_id.)(12502)(.asp) "
Path Replace ="$1$3"
Parameter Value ="$2"
Parameter Name ="ProductNumber"
In this example, the regex will convert the URL as dir1/appliances/product_id..asp/ProductNumber=12502 (two consecutive dots)
The idea is that we have previously noticed that some of the written (with the same syntax) regexes work as expected, and some do not.
We suspect that the problem is not in the incorrectness of the examples provided, but in the incorrectly chosen syntax (flavor) of the regular expressions.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Siarhei Charvinski
Expert
FE VELCOM
Minsk
------------------------------