Also cover pre http/1.0 requests

coreruleset · Mar 8, 2019 · 80d2338 · 80d2338
1 parent db58456
commit 80d2338
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -30,7 +30,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAf
 # [ References ]
 # http://projects.webappsec.org/HTTP-Request-Smuggling
 #
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http" \
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \
     "id:921110,\
     phase:2,\
     block,\

diff --git a/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml b/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
@@ -60,6 +60,23 @@
     test_title: 921110-4
     desc: "HTTP Response Splitting"
     stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            Cache-Control: "no-cache, no-store, must-revalidate"
+          method: POST
+          port: 80
+          data: "var=aaa%0d%0aGet+/foo%0d"
+          version: HTTP/1.0
+        output:
+          log_contains: id "921110"
+  -
+    test_title: 921110-5
+    desc: "HTTP Response Splitting"
+    stages:
     -
       stage:
         input: