feat: new rule 920620 #3237
Conversation
Can you add a comment about the different behavior of various implementations / webservers in the light of multiple CT headers? Why is this still a draft?
sure!
I'm trying to understand how to test it (same key name in yaml for the header list seems to be a problem)
Got you. Makes sense. It's tricky. Ultimately, we might have to go without a test for the time being. After all, the rule is very clear and easy to understand. It's more like most webservers do not even expose the weakness to ModSec.
@theMiddleBlue Until Go-FTW / the test parser supports multiple identical headers (whichever one is causing the issue - it looks like maybe Go-FTW just doesn't understand the YAML if you have the same header twice?), if you want to avoid doing I got it working with this as a 'test' test:
where
(with It doesn't work against Apache, though, as Apache seems to combine the headers into one, which triggers many of our other content type header rules anyway (I think this was already discussed a few weeks ago, anyway):
But the test works against Nginx 🙂
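The behaviour this comment describes (a request carrying two Content-Type header lines, seen as two headers by a server that passes them through but as one folded header by a server that combines duplicates) can be modelled in a few lines. The following is an added illustration, not code from the CRS project or this PR; the raw request, the header-folding model and the single-media-type check are constructed assumptions used only to show why the same request trips the "more than one Content-Type header" check behind one server and not behind another.

```python
"""Model what a WAF sees when a request carries two Content-Type headers,
and how that changes if the web server folds duplicate headers into one."""

import re

# Constructed sample request: two Content-Type header lines, as the thread's
# curl test sends. Not taken from the PR's own test file.
RAW_REQUEST = (
    b"POST /post HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"a=1"
)


def parse_header_lines(raw):
    """Split a raw request into (name, value) pairs, one pair per header line.
    Names are lower-cased; duplicates are kept so they can be counted."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        name, _, value = line.decode("latin-1").partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def merge_duplicates(pairs):
    """Assumed model of a server that folds repeated headers into a single
    comma-joined value (the thread reports Apache behaving like this)."""
    merged = {}
    for name, value in pairs:
        merged[name] = value if name not in merged else merged[name] + ", " + value
    return list(merged.items())


def content_type_count(pairs):
    """How many Content-Type header lines the inspecting engine is shown."""
    return sum(1 for name, _ in pairs if name == "content-type")


def multiple_content_type(pairs):
    """The condition the new rule is about: more than one Content-Type header."""
    return content_type_count(pairs) > 1


def single_media_type(value):
    """Illustrative sanity check: does the value look like exactly one
    type/subtype with optional parameters? A comma-joined value does not,
    which is why a folded header still looks wrong to other checks."""
    return re.fullmatch(r"[\w.+-]+/[\w.+-]+(\s*;.*)?", value) is not None


if __name__ == "__main__":
    seen = parse_header_lines(RAW_REQUEST)
    print("passed through unchanged (Nginx-like):", multiple_content_type(seen))
    folded = merge_duplicates(seen)
    print("folded by the server (Apache-like):", multiple_content_type(folded))
    print("folded value still a single media type?",
          single_media_type(dict(folded)["content-type"]))
```

Run as-is it prints `True`, `False`, `False`: the pass-through server exposes two headers and the count check fires, while the folding server hands over one header whose comma-joined value is no longer a well-formed media type, matching the observation above that Apache's combined header is caught by other Content-Type checks instead.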
thx @RedXanadu |
Sorry @theMiddleBlue, I should have made that clearer: the example was just a very quick test 😅 Here's one which uses the correct CRS testing user agent, accept header, endpoint, etc., so should be ok to use for real:
<=>
You could set
thanks @RedXanadu |
Re-tested against the modsec3-nginx container. New rule works as expected 😄 curl request with multiple CT headers detected. Great job!
Glad this is fixed. Thank you guys.
this PR adds a detection rule for private security issue C9K-230327