Improving Web Application Security: Threats and - CGISecurity

272 Part III: Building Secure Web ApplicationsTable 10.2 Useful Regular Expression Fields (continued)FormatField ExpressionSamplesE-mail \w+([-+.]\w+)*@\w+ someone@([-.]\w+)*\.\w+([-.]\w+)* example.comDescriptionValidates an e-mail address.URLZip CodePasswordNonnegativeintegersCurrency(nonnegative)Currency(positive ornegative)^(http|https|ftp)\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(:[a-zA-Z0-9]*)?/?([a-zA-Z0-9\-\._\?\,\'/\\\+&%\$#\=~])*$^(\d{5}-\d{4}|\d{5}|\d{9})$|^([a-zA-Z]\d[a-zA-Z]\d[a-zA-Z]\d)$^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$\d+ 0"\d+(\.\d\d)?""(-)?\d+(\.\d\d)?"986Validates a URL.Validates a U.S. ZIP code allowing 5or 9 digits.Validates a strong password. Mustbe between 8 and 10 characters.Must contain a combination ofuppercase, lowercase, and numericdigits, with no special characters.Validates for integers greater thanzero.Validates for a positive currencyamount. Requires two digits afterthe decimal point.Validates for a positive or negativecurrency amount. Requires two digitsafter the decimal point.Cross-Site ScriptingXSS attacks exploit vulnerabilities in Web page validation by injecting client-sidescript code. This code is subsequently sent back to an unsuspecting user andexecuted by the browser. Because the browser downloads the script code from atrusted site, the browser has no way of identifying that the code is not legitimate, andInternet Explorer security zones provide no defense. XSS attacks also work overHTTP or HTTPS (SSL) connections. One of the most serious exploits occurs when anattacker writes script to retrieve the authentication cookie that provides access to thetrusted site and posts it to a Web address known to the attacker. This allows theattacker to spoof the legitimate user’s identity and gain illicit access to the Web site.