Regex › JavaScript Regex for Pentesters
JavaScript regex and reading patterns in bundles
JavaScript has regex built into the language, and reading the patterns inside an app’s code tells you what it accepts and rejects — which is where client-side validation bypasses begin. This lesson covers JS regex syntax and the methods you’ll see in real bundles.
You'll learn to
- Write and read JavaScript regex literals
- Use the core regex methods
- Spot validation patterns in bundle code
Regex literals and methods
const re = /[a-z]+/i; // a regex literal: pattern between slashes, flags after the closing slash (i = case-insensitive)
re.test("Hello"); // true — does the pattern match anywhere in the string?
"a1b2".match(/\d/g); // ['1','2'] — all matches with the g flag (no capture groups); without g: first match plus groups, or null
"a-b-c".replace(/-/g, "_"); // 'a_b_c' — without g only the first '-' is replaced
"k=v&x=y".split(/&/); // ['k=v','x=y']
[..."id=5".matchAll(/(\w+)=(\w+)/g)]; // groups + positions; matchAll requires the g flag
A regex literal sits between slashes with flags after: /pattern/gi. test returns a boolean; match and matchAll extract; replace rewrites; split divides. These are the methods you’ll see whenever an app processes text. Two details matter when you read them: match returns null (not an empty array) when nothing matches, and a regex carrying the g or y flag keeps its position in lastIndex between calls, so a reused global regex can return different test results for the same input.
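The methods above on constructed input, as an added example that is not part of the original lesson. The query strings and helper names are made up for the demo; the last two functions show the lastIndex pitfall and its fix, which is what you are looking for when a bundle hoists a /.../g literal to module scope and reuses it for validation.

```javascript
// Added example, not from the original lesson: the core methods on constructed
// input, plus the statefulness pitfall that matters when reading validation code.

// match without g: first match, its capture groups and index; null when no match.
function firstPair(s) {
  const m = s.match(/(\w+)=(\w+)/);
  return m ? { key: m[1], value: m[2], index: m.index } : null;
}

// matchAll needs the g flag and yields every match together with its groups.
function allPairs(query) {
  return [...query.matchAll(/(\w+)=([^&]*)/g)].map(m => [m[1], m[2]]);
}

// replace with a capture reference ($1, $2): rewrite key=value as key:value.
function toColonForm(query) {
  return query.replace(/(\w+)=([^&]*)/g, "$1:$2");
}

// split with a capturing group keeps the separators in the output array.
function splitKeepingSeparators(s) {
  return s.split(/([&;])/);
}

// A regex with the g (or y) flag carries lastIndex between calls. test() resumes
// from lastIndex, so a reused global regex can accept and then reject the same
// input. Validation code that hoists /.../g to module scope has exactly this bug.
const DIGITS_G = /\d+/g; // constructed stand-in for a hoisted validator
function testTwice(s) {
  return [DIGITS_G.test(s), DIGITS_G.test(s)];
}

// The fix: drop g for a boolean check, or reset lastIndex before every test().
function safeTest(re, s) {
  re.lastIndex = 0;
  return re.test(s);
}
```

Run testTwice("123") and you get [true, false]: the first call matches and leaves lastIndex at 3, the second starts there, finds nothing, and resets. safeTest on the same regex returns true every time.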
Reading validation in the wild
// Typical validation you'll find in a bundle:
const isEmail = /^[^@]+@[^@]+\.[^@]+$/.test(input); // anchored at both ends; [^@]+ also matches newlines
const isPhone = /^\d{10}$/.test(input); // \d is ASCII 0-9 in JS; $ matches only at end of input unless the m flag is set
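A way to pull patterns like these out of bundle text and see what they accept, as an added example that is not part of the original lesson. The scanner is a heuristic: it matches the shape /literal/flags.test( and does not parse JavaScript, so it will miss new RegExp(...) calls and patterns used with match or replace. The bundle snippet and probe inputs are constructed for the demo.

```javascript
// Added example, not from the original lesson. Heuristically extract regex
// literals that feed .test() from bundle source, then probe each one.

// Constructed stand-in for minified bundle text (String.raw keeps backslashes).
const SAMPLE_BUNDLE = String.raw`
function v(e){return/^[^@]+@[^@]+\.[^@]+$/.test(e)}
const p=e=>/^\d{10}$/.test(e);
const z=e=>/\d{5}/.test(e);
const u=e=>/^[a-z0-9_]{3,16}$/im.test(e);
`;

// Matches /body/flags.test( where body is escapes, character classes, or plain
// characters other than an unescaped slash. Heuristic, not a JS tokenizer.
const TESTED_LITERAL = /\/((?:\\.|\[(?:\\.|[^\]\\\n])*\]|[^\/\\\[\n])+)\/([dgimsuyv]*)\.test\(/g;

function extractTestedPatterns(src) {
  return [...src.matchAll(TESTED_LITERAL)].map(m => ({
    source: m[1],
    flags: m[2],
    re: new RegExp(m[1], m[2]),
  }));
}

// Feed each extracted pattern a set of inputs and record which it accepts.
function probe(patterns, inputs) {
  return patterns.map(p => ({
    pattern: `/${p.source}/${p.flags}`,
    accepts: inputs.filter(s => {
      p.re.lastIndex = 0; // defensive: harmless without g, required with it
      return p.re.test(s);
    }),
  }));
}

// Constructed probe inputs: a valid phone, an over-long digit string, a valid
// and an invalid email, and a username with a newline and a payload appended.
const PROBE_INPUTS = [
  "1234567890",
  "123456789012",
  "a@b.c",
  "not-an-email",
  "alice\n<svg onload=alert(1)>",
];
```

Running probe(extractTestedPatterns(SAMPLE_BUNDLE), PROBE_INPUTS) shows the gaps directly: /\d{5}/ is unanchored and accepts the 12-digit string, and /^[a-z0-9_]{3,16}$/im accepts "alice\n<svg onload=alert(1)>" because the m flag turns ^ and $ into line anchors, so the check passes on the first line and never sees the second.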
Checkpoint
Why is client-side JavaScript regex validation not a security control?
Because it runs in the browser, which the attacker fully controls. They can read the pattern, modify the page, or simply call the server's API directly, bypassing the client check entirely. The regex tells you what the developers expected as valid input, which is useful intelligence, but only server-side validation actually enforces anything. The client check is a UX convenience to give users fast feedback.
Try it yourself
In the browser console, write a regex literal that matches a 10-digit phone number anchored at both ends, and test it against a valid and an invalid input. Then test the same pattern without the anchors and observe how a longer string containing 10 digits now passes.
Key takeaways
- Regex literals sit between slashes with flags after: /pattern/gi.
- test returns a boolean; match/matchAll extract; replace and split transform.
- Client-side validation is UX, not security — the server must re-validate.
- Reading a bundle’s patterns reveals what the client accepts, and its gaps.
Next, the web-application security patterns regex powers — and why regex security controls so often fail.