Regex for Security Cheat Sheet

Battle-tested regular expressions for finding secrets, scraping endpoints from source, spotting ReDoS, and recon with grep/ripgrep. (24 payloads)

Try it interactively with the Regex Tester

Secret & Key Detection

(7)

AKIA[0-9A-Z]{16}

AWS Access Key ID. Pair with a secret-key regex nearby to confirm a live credential pair.git history, .env, JS bundles

(?i)aws(.{0,20})?(secret|sk)(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]

AWS Secret Access Key (40-char base64) near an 'aws/secret' keyword to reduce false positives.config files

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

JWT (header.payload.signature). Decode the first two base64url segments to read claims.localStorage, Authorization headers, URLs

-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----

Exposed private key material — one of the highest-severity findings.repos, backups, /.ssh

AIza[0-9A-Za-z_-]{35}

Google API key. Test scope with the relevant Google API to gauge impact.client-side JS

xox[baprs]-[0-9A-Za-z-]{10,48}

Slack token (bot/app/user). Validate with auth.test before reporting.source, CI logs

gh[pousr]_[0-9A-Za-z]{36,}

GitHub personal-access / OAuth / app token (ghp_, gho_, ghu_, ghs_, ghr_).commits, Actions logs

Extracting from JS & Source

(5)

https?://[^\s\"'<>)]+

Pull every absolute URL from a JS bundle to map APIs, CDNs, and third parties.linkfinder-style recon

[\"'](\/[a-zA-Z0-9_?&=\/.-]+)[\"']

Extract relative paths/endpoints quoted in JavaScript — the classic LinkFinder regex for API discovery.endpoint enumeration

[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}

Harvest email addresses for OSINT and user enumeration.pages, docs, metadata

[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com

Find S3 bucket hostnames referenced in source; test for public/list access.cloud recon

(?:\b25[0-5]|\b2[0-4][0-9]|\b1?[0-9]?[0-9])(?:\.(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}

IPv4 address matcher for pulling internal IPs leaked in JS/comments.internal-host discovery

Validation Patterns & Their Bypasses

(4)

^[a-zA-Z0-9_]+$

A safe allowlist must be anchored at BOTH ends. Without ^ and $ an attacker appends payloads after a valid prefix.the fix, not a bypass

validvalue%0a<script>alert(1)</script>

If a 'validation' regex uses ^...$ without the multiline flag awareness, a newline (%0a) can let the second line slip past line-anchored checks.multiline anchor bypass

<ScRiPt>

Case-insensitive payloads defeat case-sensitive blocklists; always test mixed case against tag/keyword filters.blocklist evasion

java\u0000script:

Null bytes / unicode escapes can break naive 'javascript:' filters that match the literal ASCII string.scheme-filter bypass

ReDoS — Catastrophic Backtracking

(4)

^(a+)+$

Classic evil regex. Input like 'aaaaaaaaaaaaaaaaaaaa!' causes exponential backtracking and hangs the engine.nested quantifiers

^(\d+)*$

Another exponential pattern; a long digit string followed by a non-digit triggers a DoS.avoid (X+)* / (X*)*

^(.*a){25}$

Polynomial blowup via repeated greedy groups — feed a long string with no trailing 'a'.test inputs of 30-50k chars

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!

Generic ReDoS trigger: a long run of the repeated char plus one non-matching char to force maximum backtracking.send against a suspected evil regex

grep / ripgrep Recon Recipes

(4)

rg -i --no-heading -o '(api[_-]?key|secret|token|passwd|password)\s*[=:]\s*[\x27\"][^\x27\"]+' .

Sweep a codebase for assigned secrets (key/secret/token/password = value).source review

rg -o 'AKIA[0-9A-Z]{16}' -g '!node_modules' .

Hunt AWS keys across a repo while skipping dependencies.fast triage

grep -rEho 'https?://[^\"]+' dist/ | sort -u

List unique URLs from built JS for endpoint mapping.post-build recon

git log -p | rg -i 'BEGIN .*PRIVATE KEY|AKIA[0-9A-Z]{16}'

Scan full git history (not just HEAD) for secrets committed and later deleted.history is forever

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Tools

Regex Tester

Related Cheat Sheets

XSS Cheat Sheet WAF Bypass Cheat Sheet

Frequently asked questions

What is the Regex for Security Cheat Sheet?+

It's a quick-reference collection of 24 Security Regex payloads for testing Regex for Security vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Security Regex payloads?+

Copy any payload straight into your authorized test, or use the Regex Tester to apply them interactively. Only test systems you have explicit permission to assess.

Are these Security Regex payloads free to use?+

Yes — this cheat sheet and all Security Regex payloads are completely free, with no account required. Everything runs in your browser.

$loading...