Burp Suite User Forum

Advanced Scope Control does not follow correct regex syntax

iustin | Last updated: Jan 04, 2021 12:05AM UTC

Hi, I noticed the advanced scope control mentions you can insert regex, but it does not actually follow correct regex syntax. Asterisk `*` should be treated as a quantifier, matching zero to unlimited times; however, Burp seems to treat it as a wildcard.

This behaviour will cause the following valid regex pattern to fail:

`[a-z]*\.portswigger\.net`

It should match subdomains only containing letters; however, Burp simply matches all subdomains. You can confirm what the correct output would be by visiting this link: https://regex101.com/r/cO8lqs/24847

I found this when I noticed the following invalid regex syntax was actually matching all subdomains:

`^*\.portswigger\.net`

This isn't valid regex, since it basically matches ^ (start of line) zero to unlimited times, which does not really make sense. However, Burp treats it as a wildcard and matches all subdomains. You can confirm how this is invalid regex by visiting this link: https://regex101.com/r/lf2FkU/1

Personally, this does not affect me, since I never had to use advanced regex with Burp, such as the first pattern I showed. I thought I'd let you know anyways in order to see if this is intended behaviour or not.

Hannah, PortSwigger Agent | Last updated: Jan 14, 2021 02:56PM UTC

Hi,

We use the standard Java Pattern to generate a Matcher for the search term, so it should be standards-compliant.
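
The difference between whole-input and substring matching in `java.util.regex`, shown for the first pattern in the thread. This is an added example, not part of either post and not PortSwigger's code; the host names and the anchored variant are constructed here, and which of the two modes Burp's scope check uses is not stated on this page.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScopeRegexDemo {
    // Constructed sample hosts, not taken from the forum thread.
    static final String[] HOSTS = {
        "forum.portswigger.net",
        "dev-01.portswigger.net",
        "a.b.portswigger.net",
        "portswigger.net",
        "forum.portswigger.net.example.org"
    };

    // Report how one pattern treats one host under both Matcher modes.
    static String row(String regex, String host) {
        Matcher m = Pattern.compile(regex).matcher(host);
        boolean whole = m.matches();      // the entire input must match
        m.reset();                        // rewind before searching again
        // find() succeeds if any substring of the input matches
        String found = m.find() ? "\"" + m.group() + "\"" : "-";
        return String.format("%-36s matches()=%-5b find()=%s", host, whole, found);
    }

    public static void main(String[] args) {
        String[] patterns = {
            "[a-z]*\\.portswigger\\.net",    // pattern from the post
            "^[a-z]*\\.portswigger\\.net$"   // same pattern with anchors (added here)
        };
        for (String p : patterns) {
            System.out.println("pattern: " + p);
            for (String h : HOSTS) {
                System.out.println("  " + row(p, h));
            }
        }
    }
}
```

Under `find()` the character class can match zero characters, so the unanchored pattern succeeds on any host that contains `.portswigger.net`, including one where that text is followed by another domain. With `^` and `$` added, `find()` and `matches()` agree on every host in the list.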
