
New PL3 rule 920490 to protect against content-type charset bypassing #1392

Merged
merged 14 commits into from May 9, 2019

Conversation

@dune73
Collaborator

commented May 5, 2019

PL3: The little known x-up-devcap-post-charset request header can be used to submit
a request with a different encoding as an alternative to the charset parameter in
the Content-Type header. This can be used to circumvent charset restrictions on
the Content-Type header.
Note that this only works in combination with a User-Agent prefix.

This rule is based on a blog post by Soroush Dalili:
https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/

    chain"
    SecRule REQUEST_HEADERS:User-Agent "@beginsWith up" \
        "t:none,\
        t:lowercase,\
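As an added illustration of the chained check the PR describes (this is not code from the PR or from the CRS project), the following Python mirrors the rule logic over constructed request headers: it fires only when the x-up-devcap-post-charset header is present and the lower-cased User-Agent starts with "up", and it also shows the charset a Content-Type-only inspection would see next to the one the extra header declares. The header names come from the PR; the sample requests, their values and the function names are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample requests (header blocks only), not taken from the PR.
REQ_FLAGGED = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: UP.Browser/7.2 (constructed)\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "x-up-devcap-post-charset: ibm037\r\n\r\n"
)
# Same header, but the User-Agent lacks the "up" prefix: the chain must not fire.
REQ_NO_PREFIX = REQ_FLAGGED.replace("UP.Browser/7.2 (constructed)", "Mozilla/5.0 (constructed)")
# Ordinary request without the extra header: the chain must not fire.
REQ_PLAIN = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\r\n"
)


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the request headers keyed by lower-cased name (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def declared_charsets(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Charset a Content-Type-only check sees, next to the one x-up-devcap-post-charset declares."""
    m = re.search(r"charset=([\w-]+)", headers.get("content-type", ""), re.IGNORECASE)
    return (m.group(1).lower() if m else None, headers.get("x-up-devcap-post-charset"))


def rule_920490_matches(headers: Dict[str, str]) -> bool:
    """Mirror of the PR's chain: header present AND User-Agent (after t:lowercase) matches @rx ^up."""
    if "x-up-devcap-post-charset" not in headers:  # first rule of the chain: header presence
        return False
    ua = headers.get("user-agent", "")
    return re.match(r"^up", ua.lower()) is not None  # chained rule: lowercase, then ^up
```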

@fgsch

fgsch May 5, 2019

Collaborator

For 2 chars, I think using @rx would be faster than doing the lowercase transformation.

@dune73

dune73 May 6, 2019

Author Collaborator

I have updated to @rx based on your remark and my tests elsewhere.

It does not matter much, though, as this is only executed if the x-up-devcap-post-charset request header is present.

@fgsch

fgsch May 6, 2019

Collaborator

You left the lowercase transformation though.

@dune73

dune73 May 6, 2019

Author Collaborator

How pedantic of you!

@fgsch

fgsch May 6, 2019

Collaborator

Sowry!

@dune73 dune73 force-pushed the dune73:rule-vs-x-up-devcap-post-charset branch from d3ef252 to c542d3f May 6, 2019

@dune73

Collaborator Author

commented May 6, 2019

Travis got the hiccups for PR #1392 after merging PR #1391 (failing on the 3 new tests in 1391). Rebased my branch against v3.2/dev and force pushed to my remote branch. Now it works.

@dune73 dune73 removed the Needs action label May 7, 2019

@dune73

Collaborator Author

commented May 7, 2019

@fgs: U OK with (squashing + ) merging?

@fgsch

Collaborator

commented May 8, 2019

Remove:

    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

Otherwise looks good to me.

@dune73 dune73 merged commit b96d00f into SpiderLabs:v3.2/dev May 9, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed