MatchTheRegex

Published: April 26, 2023

Description

A simple login form only checks whether your input matches a hidden regular expression. View-source reveals the required pattern.

Open the challenge site in your browser.

Inspect the HTML source to find the developer comment showing the regex skeleton.

View-source → look for // ^p.....F!?

Solution

  1. Step 1: Derive the pattern
    The comment ^p.....F!? describes a string that starts with p, is followed by any five characters, then F, then an optional !. That is seven characters, or eight with the exclamation mark. picoCTF! fits exactly, so try that.

    Regular expressions (regex) are patterns that describe sets of strings. In the pattern ^p.....F!?, each metacharacter has a specific meaning: ^ anchors the match to the start of the string; . matches any single character (so the five dots accept any five characters, not only letters); F matches the literal letter F; and !? makes the exclamation mark optional (zero or one occurrence). Counting the dots gives the length of the required input: p, five wildcards and F make seven characters, plus the optional !. Note that the comment shows no closing $ anchor. As written, the pattern also accepts input with extra characters after the optional !, so whether such input is rejected depends on how the server applies the expression.

    This challenge illustrates a classic mistake: treating client-side validation as a security control. When the regex check runs in JavaScript in the browser, any user can read the source and reverse-engineer an accepted input. Browser-side checks are fine for usability, but the server must independently re-validate every input and must never ship the secret (here, the accepted pattern) to the client. Use our Regex Tester to test regex patterns against strings and verify that your input matches.

    Finding validation logic in HTML comments or JavaScript is a standard recon step in web CTFs. Always right-click → View Page Source and search for comments (<!-- in HTML, // or /* in scripts), TODO, password, or regex. Browser DevTools also expose minified JavaScript that can be pretty-printed and searched.

    Client-side validation implemented in JavaScript has a second weakness beyond readability: it can be bypassed entirely by sending the HTTP request directly, skipping the browser. Tools like curl or Burp Suite's Repeater let you craft POST requests with any body content and submit them straight to the server endpoint, bypassing every JavaScript check. If the server doesn't independently validate the input, any client-side restriction is meaningless.

    Regex itself can be a source of security vulnerabilities. ReDoS (Regular Expression Denial of Service) occurs when a server-side regex that backtracks catastrophically is given crafted input that forces exponential evaluation time. For example, a pattern such as ^(a+)+$ applied to a run of 'a' characters followed by a non-matching character makes the engine try every way of splitting the run between the nested quantifiers before it can fail; the work roughly doubles with each added character. (Unanchored, (a+)+ alone returns quickly, because nothing after the group has to match.) A single malicious HTTP request can keep a CPU core busy for seconds or longer. The risk is worst when the pattern itself is user-controlled, but any backtracking regex with nested or overlapping quantifiers over user input is exposed. OWASP documents this as ReDoS and the usual mitigations are to bound input length, rewrite the pattern without nested quantifiers, enforce a timeout, or use a linear-time (non-backtracking) engine such as RE2.

  2. Step 2: Submit picoCTF!
    Entering picoCTF! passes the regex and displays the flag. Plain picoCTF works too, since the ! is optional.

    Once you understand the regex, satisfying it is trivial. The pattern ^p.....F!? accepts "picoCTF" (7 characters: p-i-c-o-C-T-F) with an optional trailing !. The string picoCTF! matches: ^p (starts with p), five dots filled by i,c,o,C,T, then F, then ! satisfying !?.

    This kind of challenge teaches regex literacy - a universally useful skill. Regex is used in log analysis, input sanitization, search tools (grep -E), programming language parsers, and security tools like YARA rules and Snort/Suricata signatures. Understanding regex lets you both write better validation and spot weak validation that can be bypassed.

    Regex-based input validation is also frequently incomplete in ways that enable injection attacks. For example, a regex that checks for valid email format does nothing to prevent SQL injection if the email is then concatenated directly into a query. The correct pattern is to validate format with regex and, separately, to parameterize or encode the value for each target context; they are distinct concerns. A string can pass format validation and still be dangerous when passed to a database query, a shell command, or an HTML renderer.

    When auditing web applications for weak validation, browser DevTools' Console tab lets you execute JavaScript directly against the page's context. You can call validation functions with custom inputs (validate('test')), inspect the result, and iterate quickly without modifying any files. This is faster than editing source and reloading for testing regex behavior or understanding what a validation function actually accepts.
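The ReDoS behaviour described above, as an added example that is not part of the original writeup or the challenge: the nested-quantifier pattern anchored so the engine must backtrack, beside an equivalent linear pattern and a length guard. The pattern names, the MAX_LEN budget of 64 and the test inputs are assumptions for illustration.

```javascript
// Added example (not the challenge's code): catastrophic backtracking in
// /^(a+)+$/ and two mitigations: an equivalent pattern without nested
// quantifiers, and a length bound applied before any regex runs.

const VULNERABLE = /^(a+)+$/;   // nested quantifier: exponential backtracking on failure
const LINEAR = /^a+$/;          // same language, no nesting, fails in one pass
const MAX_LEN = 64;             // assumed input budget for this endpoint

// Construct the classic trigger: n 'a's followed by one character that cannot match.
function trigger(n) {
  return 'a'.repeat(n) + '!';
}

// Run a pattern against input and report the elapsed time in milliseconds.
function timedTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Mitigation: refuse oversized input before the regex engine ever sees it.
function guardedTest(re, input) {
  if (input.length > MAX_LEN) {
    return { matched: false, rejected: 'too long' };
  }
  return { matched: re.test(input), rejected: null };
}

// Demo: the vulnerable pattern's time roughly doubles per added 'a';
// the linear pattern stays flat. Kept small so the demo finishes quickly.
for (const n of [10, 16, 20]) {
  const input = trigger(n);
  const slow = timedTest(VULNERABLE, input);
  const fast = timedTest(LINEAR, input);
  console.log(`n=${n}: vulnerable ${slow.ms.toFixed(2)} ms, linear ${fast.ms.toFixed(2)} ms`);
}
console.log(guardedTest(VULNERABLE, trigger(1000))); // rejected before matching
```

Raise n in the demo loop a few steps at a time to see the doubling; on V8, a trigger in the mid-twenties already takes seconds, and the length guard is what keeps a single request from doing that to the server. For patterns that must stay flexible, a linear-time engine (RE2 bindings exist for Node) removes the backtracking entirely.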
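The "validate format, then handle each sink on its own terms" point from the paragraph on injection, as an added example that is not part of the original writeup: a value that passes a common email regex still breaks a concatenated SQL string, while a parameterized query and HTML encoding are unaffected. The email regex, the users table, the query shape and the hostile input are constructed for illustration.

```javascript
// Added example (not the challenge's code): format validation does not make a
// value safe for a SQL or HTML context; each sink needs its own treatment.

const EMAIL_FORMAT = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // common loose email check (assumed)

// SQL sink, wrong way: string concatenation. A quote inside a "valid"
// email terminates the literal and the rest becomes SQL.
function buildQueryUnsafe(email) {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// SQL sink, right way: the value travels as a bound parameter and never
// becomes part of the SQL text (shape used by most drivers' placeholder APIs).
function buildQueryParam(email) {
  return { sql: 'SELECT id FROM users WHERE email = ?', params: [email] };
}

// HTML sink: encode the characters that carry meaning in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}
function renderGreeting(email) {
  return `<p>Signed in as ${escapeHtml(email)}</p>`;
}

// Validate format once, then prepare the value for each sink separately.
function processLogin(email) {
  if (!EMAIL_FORMAT.test(email)) {
    return { ok: false, reason: 'bad format' };
  }
  return { ok: true, query: buildQueryParam(email), html: renderGreeting(email) };
}

// Constructed hostile input: passes the regex, yet carries quotes and tags.
const hostile = "x'OR'1'='1@example.com";
console.log(EMAIL_FORMAT.test(hostile));   // true: format check is satisfied
console.log(buildQueryUnsafe(hostile));    // the quote escapes the string literal
console.log(processLogin(hostile).query);  // same value, safely bound
console.log(processLogin('<b>@x.io').html); // tags neutralised for the HTML sink
```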

Alternate Solution

Use the Regex Tester on this site to paste the hidden regex and test candidate strings against it in real time - confirm that "picoCTF!" matches before submitting to the server.
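The same check done offline, as an added example that is not part of the original writeup or the challenge: candidate inputs are tested against the regex exactly as the page-source comment shows it and against a $-anchored variant, which is an assumption about how a strict server would write it. The /login handler, the `input` form field and the candidate list are also assumptions.

```javascript
// Added example (not the challenge's code): test candidates against the
// recovered regex, and show where the decisive check has to live.

const HINTED = /^p.....F!?/;    // exactly what the HTML comment shows
const ANCHORED = /^p.....F!?$/; // assumed strict form: nothing may follow the optional '!'

// Report which of the two patterns accept a given input.
function classify(input) {
  return { hinted: HINTED.test(input), anchored: ANCHORED.test(input) };
}

// Assumed server-side handler for a form POST body such as "input=picoCTF%21".
// It re-validates the value itself, so skipping the browser-side JavaScript
// with curl or Burp Repeater does not change the outcome.
function handleLogin(formBody) {
  const input = new URLSearchParams(formBody).get('input') ?? '';
  if (!ANCHORED.test(input)) {
    return { status: 403, body: 'Incorrect input' };
  }
  // The real flag lives only on the challenge server; a placeholder here.
  return { status: 200, body: 'flag would be returned here' };
}

// Constructed candidates: the two accepted answers, inputs with trailing
// characters (where the missing $ matters), a case mismatch, and a short one.
const candidates = ['picoCTF', 'picoCTF!', 'picoCTF!?', 'picoCTF!xyz', 'PicoCTF!', 'p12345F', 'pico'];
for (const c of candidates) {
  const r = classify(c);
  console.log(`${c.padEnd(12)} hinted=${r.hinted} anchored=${r.anchored}`);
}
console.log(handleLogin('input=picoCTF%21').status);     // 200
console.log(handleLogin('input=picoCTF%21%3F').status);  // 403 under the anchored pattern
```

The dots accept any character, so p12345F matches as well as picoCTF; the case of the letters is fixed because the regex has no i flag.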

Flag

picoCTF{succ3s...ad436ed}

Any string that satisfies the secret regex unlocks the flag; picoCTF! works fine.
