Search code examples
regexencodingbase64mask

Regex for unusual Base64 mask

I am looking for a regex that will detect different Base64 masks used in malicious software, like

  • 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/
  • 0ABcDEFGHIJKLMNOPQRSTUVWXYZabCdefghijklmnopqrstuvwxyz123456789+/

But my simple regex also matches on repetitive charachters like "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"

 [a-zA-Z0-9+/]{64}

Is there a way to match non repeating 64 characters using regex?

Solution

  • If you're looking to validate you have 64 character and detect that none of them are duplicate characters in any position in the string such as

    Good string: 0ABcDEFGHIJKLMNOPQRSTUVWXYZabCdefghijklmnopqrstuvwxyz123456789+/

    Bad string 0ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefGhijklmnopqrstuvwxyz123456789+/ because the G appears twice

    Then you could use this regex:

    ^(?=.{64}$)(?!.*?(.)(?=.*?\1))

    enter image description here

    The regex will return a match if the input string has 64 unique characters.

    • ^ match the beginning of the string
    • (?=.{64}$) look ahead to ensure there are 64 characters in the string
    • (?! force negative look ahead which will return false if the interal expression is true
    • .*? move foreword to any character
    • (.) capture a single character and place into capture group 1
    • (?= open positive look ahead to see if any characters after the current character in group 1 is the same
    • .*? skip any number of characters until you find the next
    • \1 back reference to the capture group 1 to ensure that character isn't a duplicate
    • ) close positive look ahead
    • ) close the negative look ahead