Regex Tester

Regular expressions in CTF challenges

Regex appears in CTFs in two contexts: challenges that ask you to supply a matching string (like MatchTheRegex), and challenges where you use regex yourself to extract flag patterns from large blobs of output.

When a challenge asks for a string that satisfies a regex, inspect the page source or server response to find the hidden pattern, then construct a matching input. Common requirements include a minimum length, specific character classes, or anchors that force the string to start or end a certain way.

When you need to extract a flag from output (e.g., strings from a binary), picoCTF\{[^}]+\} captures any flag-format string. The quick-pattern buttons above include this and other useful patterns.

Challenges solved with this tool: picoCTF 2023 - MatchTheRegex.

Understanding regex flag behavior is important when constructing or escaping patterns. The global (g) flag makes the engine find all matches rather than stopping at the first. The case-insensitive (i) flag lets you match without worrying about letter case. The dotall (s) flag makes . match newline characters, which is essential when a flag spans multiple lines in a multi-line output dump.

Named capture groups ((?<name>...)) are helpful for extracting structured data from challenge output. For instance, (?<flag>picoCTF{[^}]+}) lets you reference the captured flag as groups.flag in code, making scripted extraction clean and readable.

When regex is used as a filter in a web challenge (e.g., to block SQL injection keywords), look for gaps in the pattern. Common bypasses include using different character cases when the i flag is absent, inserting comments (/**/ in SQL), or splitting the blocked keyword across an encoding boundary. Test your bypass string against the server's actual regex here to confirm it slips through before submitting.