feat(re2): rewrites rule 942130 with re2 support
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Showing 5 changed files with 206 additions and 61 deletions.
tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942131.yaml (52 changes: 52 additions & 0 deletions)
@@ -0,0 +1,52 @@ | ||
--- | ||
meta: | ||
author: "Felipe Zipitria" | ||
description: SQL Tautology | ||
enabled: true | ||
name: 942131.yaml | ||
tests: | ||
- test_title: 942131-1 | ||
desc: "SQL Injection Attack: SQL Tautology" | ||
stages: | ||
- stage: | ||
input: | ||
dest_addr: 127.0.0.1 | ||
headers: | ||
Host: localhost | ||
User-Agent: OWASP ModSecurity Core Rule Set | ||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | ||
method: GET | ||
uri: "/?a=11!=1" | ||
version: HTTP/1.1 | ||
output: | ||
log_contains: id "942131" | ||
- test_title: 942131-2 | ||
desc: "SQL Injection Attack: SQL Tautology" | ||
stages: | ||
- stage: | ||
input: | ||
dest_addr: 127.0.0.1 | ||
headers: | ||
Host: localhost | ||
User-Agent: OWASP ModSecurity Core Rule Set | ||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | ||
method: GET | ||
uri: "/?a=1!=11" | ||
version: HTTP/1.1 | ||
output: | ||
log_contains: id "942131" | ||
- test_title: 942131-3 | ||
desc: "SQL Injection Attack: SQL Tautology" | ||
stages: | ||
- stage: | ||
input: | ||
dest_addr: 127.0.0.1 | ||
headers: | ||
Host: localhost | ||
User-Agent: OWASP ModSecurity Core Rule Set | ||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | ||
method: GET | ||
uri: "/?a=11!=11" | ||
version: HTTP/1.1 | ||
output: | ||
no_log_contains: id "942131" |
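Review bot: the three tests only exercise the `!=` operator, while the data file added in this commit has twelve further negated-comparison branches (`<>`, `<`, `>`, `<=`, `>=`, `!<`, `!>`, `^`, `is not`, `not like`, `not rlike`, `not regexp`) with no positive or negative test here; add at least one positive case per operator, reusing the examples from the data file comments (`'1' <= '2'`, `'a' not like 'b'`), and a negative case with quotes, backticks or parentheses around the operands so the `[\s'\"`()]*?` filler is covered. The `1!=11` / `11!=1` pair is worth keeping as it verifies the `\b` anchoring around the interpolated left-hand side. Also, the commit title refers to rule 942130 while the file name and `log_contains: id "942131"` target 942131; state in the message how 942131 relates to 942130 so the rule id change is traceable.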
@@ -0,0 +1,62 @@ | ||
##! This is a data file used to generate a regular expression for a CRS rule. | ||
##! The generation of the regular expression happens with the help of | ||
##! util/regexp-assemble/regexp-assemble.py. | ||
##! The ID of the rule in question is part of the file name of this data file. | ||
##! Read more about the format of this data file and the use of the assembly | ||
##! script in util/regexp-assemble/README.md. | ||
##! | ||
##! Lines starting with `##!` are comments and will be skipped, | ||
##! empty lines will be ignored completely. | ||
##! In addition, the quote character `'` at the beginning of a line will | ||
##! cause the line to be interpreted as literal by the cmdline preprocessor only. | ||
##! | ||
##! Five special comments are at your disposal to influence the assembled expression: | ||
##! - `##!+`: the flag comment | ||
##! - `##!^`: the prefix comment | ||
##! - `##!$`: the suffix comment | ||
##! - `##!>`: the preprocessor comment | ||
##! - `##!<`: the block preprocessor end comment | ||
##! | ||
##! Currently supported preprocessors: | ||
##! - cmdline [windows|unix] (file scope) | ||
##! Please refer to util/regexp-assemble/README.md for a full explanation | ||
|
||
|
||
##! General comments: | ||
##! | ||
##! The idea behind this expressions is to capture simple logic based (un)equalities that | ||
##! are used to quickly test SQL Logic that always returns FALSE. | ||
|
||
##! Prefix: captures the initial part that will be unmatched on the right hand side of the logicl construct. | ||
##! This goes into the first rule of the chain: | ||
##! [\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*? | ||
|
||
##!+ i | ||
|
||
##! These expressions try to match the logic using the negative operator, | ||
##! so when the operator targets a false operation, the initial match | ||
##! should *not* be present after the operator, effectively meaning TRUE | ||
##! | ||
##! Examples: | ||
##! '1' <= '2' | ||
##! 'a' not like 'b' | ||
##! | ||
##! SQL Comparison Operators: =, !=, <=, >=, <>, <, >, !>, !<, ^ | ||
|
||
\!=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
<>[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
<[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
\!<[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
>[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
\!>[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
<=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
>=[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
\^[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
|
||
is\s+not[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
not\s+like[\s'\"`()]*?(?:d\b%{tx.lhs_942131}\b) | ||
|
||
##! String based regexp. | ||
|
||
not\s+rlike[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) | ||
not\s+regexp[\s'\"`()]*?(?:\b%{tx.lhs_942131}\b) |
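Review bot: the `not\s+like` line has a stray `d` inside its group, `(?:d\b%{tx.lhs_942131}\b)`, which requires a literal `d` followed by a word boundary and then the left-hand operand; since `d` and the first character of the captured `[\d\w]+` are both word characters, `\b` can never match at that position, so the branch is dead and a false comparison such as `'a' not like 'a'` would not be recognised. Change it to `(?:\b%{tx.lhs_942131}\b)` like the neighbouring lines and add a regression test for it. Two further points: the assembled expression interpolates `%{tx.lhs_942131}` unescaped into a regex, which is only safe because the prefix capture `\b([\d\w]+)\b` admits word characters alone; a `##!` comment stating that invariant would stop a later widening of the class (to `.`, `*`, `(` or `|`) from turning request data into regex syntax inside the rule, and `[\d\w]` can simply be `\w`, which already includes `\d`. Typos in the comments: `logicl` should be `logical` and `this expressions` should be `these expressions`.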