Merge pull request #3237 from theMiddleBlue/fix-C9K-230327

feat: new rule 920620
coreruleset · Jun 12, 2023 · b501f1a · b501f1a
2 parents ec3d6be + 9d160f9
commit b501f1a
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1264,6 +1264,38 @@ SecRule REQUEST_URI_RAW "@contains #" \
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
+#
+# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
+# Content-Type confusion poses a significant security risk to a web application. It occurs when 
+# the server and client have different interpretations of the Content-Type header, leading to 
+# miscommunication, potential exploitation and WAF bypass.
+#
+# Using Apache, when multiple Content-Type request headers are received, the server combines them 
+# into a single header with the values separated by commas. For example, if a client sends multiple
+# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
+# into a single header like this: "Content-Type: application/json, text/plain".
+#
+# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each 
+# header as a separate entity without combining them. So, if a client sends multiple Content-Type
+# headers, Nginx will keep them separate, maintaining the original values.
+#
+SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
+    "id:920620,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Multiple Content-Type Request Headers',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.0.0-rc1',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"

diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml
@@ -0,0 +1,17 @@
+---
+meta:
+  author: "Andrea (theMiddle) Menin"
+  enabled: false
+  name: "920620.yaml"
+  description: "Tests for 920620"
+tests:
+  - test_title: 920620-1
+    desc: Multiple Content-Type request headers
+    stages:
+      - stage:
+          input:
+            dest_addr: "127.0.0.1"
+            port: 80
+            encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
+          output:
+            log_contains: "id \"920620\""