Initial import.

1 parent 850f8e9 commit 2881737228088040e77495bbcc23f5007f138a65 @ivanr ivanr committed Jul 2, 2012
Showing with 1,561 additions and 0 deletions.
  1. +18 −0 baseline-detection/README
  2. +3 −0 baseline-detection/TODO
  3. +8 −0 baseline-detection/b00-01-normal.test
  4. +7 −0 baseline-detection/b01-01-query-string.test
  5. +7 −0 baseline-detection/b02-01-request-hostname-uri.test
  6. +8 −0 baseline-detection/b02-02-request-hostname-header.test
  7. +8 −0 baseline-detection/b03-01-header.test
  8. +8 −0 baseline-detection/b03-02-header-user-agent.test
  9. +8 −0 baseline-detection/b03-03-header-referer.test
  10. +8 −0 baseline-detection/b03-04-header-cookie.test
  11. +8 −0 baseline-detection/b03-05-header-authorization-username.test
  12. +8 −0 baseline-detection/b03-06-header-authorization-password.test
  13. +8 −0 baseline-detection/b04-01-request-filename.test
  14. +8 −0 baseline-detection/b05-01-request-method.test
  15. +8 −0 baseline-detection/b06-01-request-protocol.test
  16. +19 −0 baseline-detection/b07-01-trailing-header-cookie.test
  17. +13 −0 baseline-detection/b08-01-request-body-urlencoded-param-value.test
  18. +13 −0 baseline-detection/b08-02-request-body-urlencoded-param-name.test
  19. +16 −0 baseline-detection/b09-01-request-body-json.test
  20. +24 −0 baseline-detection/b10-01-multipart-preamble.test
  21. +24 −0 baseline-detection/b10-02-multipart-param-name.test
  22. +23 −0 baseline-detection/b10-03-multipart-param-filename.test
  23. +23 −0 baseline-detection/b10-04-multipart-file-contents.test
  24. +25 −0 baseline-detection/b10-05-multipart-epilogue.test
  25. +19 −0 hostname-evasion/TODO
  26. +35 −0 multipart-evasion/README
  27. +8 −0 multipart-evasion/TODO
  28. +24 −0 multipart-evasion/m00-01-normal.test
  29. +25 −0 multipart-evasion/m01-01-invalid-separator.test
  30. +25 −0 multipart-evasion/m01-02-invalid-separator.test
  31. +26 −0 multipart-evasion/m02-01-invalid-parameter-name.test
  32. +27 −0 multipart-evasion/m02-02-invalid-parameter-name.test
  33. +25 −0 multipart-evasion/m03-01-multiple-boundaries.test
  34. +25 −0 multipart-evasion/m03-02-multiple-boundaries.test
  35. +25 −0 multipart-evasion/m03-03-multiple-boundaries.test
  36. +25 −0 multipart-evasion/m04-whitespace-after-parameter-name.test
  37. +27 −0 multipart-evasion/m05-whitespace-before-parameter-value.test
  38. +26 −0 multipart-evasion/m06-whitespace-after-parameter-value.test
  39. +26 −0 multipart-evasion/m07-01-special-chars-in-boundary.test
  40. +28 −0 multipart-evasion/m07-02-special-chars-in-boundary.test
  41. +25 −0 multipart-evasion/m08-01-quoted-boundary.test
  42. +25 −0 multipart-evasion/m08-02-whitespace-in-quoted-boundary.test
  43. +25 −0 multipart-evasion/m08-03-whitespace-in-quoted-boundary.test
  44. +26 −0 multipart-evasion/m08-04-quote-in-quoted-boundary.test
  45. +26 −0 multipart-evasion/m08-05-quote-in-quoted-boundary.test
  46. +25 −0 multipart-evasion/m08-06-partial-quote.test
  47. +25 −0 multipart-evasion/m08-07-partial-quote.test
  48. +24 −0 multipart-evasion/m08-08-whitespace-after-boundary.test
  49. +30 −0 multipart-evasion/m09-data-after-last-boundary.test
  50. +24 −0 multipart-evasion/m10-boundary-case-sensitivity.test
  51. +23 −0 multipart-evasion/m11-01-invalid-multipart-type.test
  52. +23 −0 multipart-evasion/m11-02-invalid-multipart-type.test
  53. +23 −0 multipart-evasion/m11-03-invalid-multipart-type.test
  54. +23 −0 multipart-evasion/m11-04-invalid-multipart-type.test
  55. +23 −0 multipart-evasion/m11-05-invalid-multipart-type.test
  56. +23 −0 multipart-evasion/m11-06-invalid-multipart-type.test
  57. +28 −0 multipart-evasion/m12-01-disposition-multiple-param-names.test
  58. +25 −0 multipart-evasion/m12-02-disposition-name-no-quotes.test
  59. +25 −0 multipart-evasion/m12-03-disposition-name-single-quotes.test
  60. +25 −0 multipart-evasion/m12-04-disposition-name-partial-quote.test
  61. +25 −0 multipart-evasion/m12-05-disposition-name-partial-quote.test
  62. +27 −0 multipart-evasion/m13-01-disposition-folding.test
  63. +29 −0 multipart-evasion/m13-02-disposition-folding-isspace.test
  64. +31 −0 multipart-evasion/m14-01-disposition-php-quoting.test
  65. +254 −0 run-test.pl
@@ -0,0 +1,18 @@
+These tests are designed to establish a baseline by determining what
+parts of a request are being inspected.
+
+To run the tests:
+
+ 1. Configure the WAF to block the pattern "UNION SELECT", using any
+ status code other than 200
+
+ 2. Run the baseline test and check that it returns OK
+
+ ../run-test.pl 192.168.3.100:8080 b00-01-normal.test
+
+ 3. Run all tests and record results:
+
+ ../run-test.pl 192.168.3.100:8080 *.test
+
+ 4. When a test reports MISSED, that means that the device did not detect
+ the attack payload.
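Review bot: step 1's "any status code other than 200" makes the `@OK RESPONSE_STATUS !^200$` check unable to tell a WAF block from an origin error, and several tests in this set are malformed enough that the origin alone returns non-200 (b05-01 sends an unknown method, b06-01 an invalid HTTP-version, b02-01 an absolute-URI host the origin does not serve), so they report OK even when the device inspected nothing. Suggest requiring a fixed blocking status the origin never emits (a dedicated 403 page, for instance) and matching that status exactly, or having run-test.pl confirm the block in the WAF log. Step 4 should also state the converse: a non-200 is not by itself proof of detection. Since the .test files carry raw HTTP with hand-counted Content-Length values, a `.gitattributes` entry such as `*.test -text` would keep line endings from being rewritten on checkout and silently breaking the framing.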
@@ -0,0 +1,3 @@
+
+- Compressed request body
+
@@ -0,0 +1,8 @@
+# This test is used to ensure a request without an attack
+# results with a normal (200) response.
+#
+# @OK RESPONSE_STATUS ^200$
+# @Unknown
+#
+GET /?b00-01 HTTP/1.0
+
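Review bot: the only baseline is a GET, yet b07 through b10 POST form, JSON and multipart bodies to the same `/`; an origin that answers 405 or 415 to those, or otherwise rejects a body on `/`, makes every body test pass as detected under `!^200$`. Add a normal POST baseline next to b00-01 (the multipart-evasion set already has m00-01-normal.test for exactly this purpose) and require it to return 200 before the b07-b10 results are trusted.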
@@ -0,0 +1,7 @@
+# Attack in query string.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b01-01%20UNION%20SELECT HTTP/1.0
+
@@ -0,0 +1,7 @@
+# Attack in request hostname (URI)
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET http://UNION%20SELECT.com/?b02-01 HTTP/1.0
+
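Review bot: `GET http://UNION%20SELECT.com/?b02-01 HTTP/1.0` depends on how the origin treats an absolute-form target for a host it does not serve: a default virtual host answers 200 (test works as intended), a strict server answers 400 or 404, which `!^200$` scores as a detection. The same caveat applies to b02-02 and b03-01, which put the same token in the Host header. Record the origin's bare response to these three once (WAF disabled or bypassed) so the results can be interpreted.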
@@ -0,0 +1,8 @@
+# Attack in request hostname (header)
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b02-02 HTTP/1.0
+Host: UNION%20SELECT.com
+
@@ -0,0 +1,8 @@
+# Attack in random header.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-01 HTTP/1.0
+Host: UNION%20SELECT
+
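Review bot: the comment says "random header" but the request uses `Host: UNION%20SELECT`, which repeats b02-02 (minus the `.com`) rather than testing an arbitrary header. Use a header name none of the other b03 tests already cover, for example a non-standard `X-Test: UNION%20SELECT` (the name is only a suggestion), so this test measures whether unknown headers are inspected at all.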
@@ -0,0 +1,8 @@
+# Attack in User-Agent request header.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-02 HTTP/1.0
+User-Agent: UNION%20SELECT
+
@@ -0,0 +1,8 @@
+# Attack in User-Agent request header.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-03 HTTP/1.0
+Referer: UNION%20SELECT
+
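Review bot: the header comment is a copy-paste from b03-02; it should read `# Attack in Referer request header.` since the payload is in `Referer:`.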
@@ -0,0 +1,8 @@
+# Attack payload in cookie
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-04 HTTP/1.0
+Cookie: name=UNION%20SELECT
+
@@ -0,0 +1,8 @@
+# Attack payload in basic auth username
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-05 HTTP/1.0
+Authorization: Basic VU5JT04gU0VMRUNUOnRlc3Q=
+
@@ -0,0 +1,8 @@
+# Attack payload in basic auth password
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b03-06 HTTP/1.0
+Authorization: Basic dGVzdDpVTklPTiBTRUxFQ1Q=
+
@@ -0,0 +1,8 @@
+# Attack in request filename
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /UNION%20SELECT?b04-01 HTTP/1.0
+
+
@@ -0,0 +1,8 @@
+# Attack in request method
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+UNION%20SELECT /?b05-01 HTTP/1.0
+
+
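Review bot: `UNION%20SELECT` is a syntactically valid method token (`%` is a tchar), so the origin will answer 501 or 405 on its own and `!^200$` reports OK whether or not the WAF looked at the method; b06-01 has the same problem with its invalid HTTP-version, where the origin answers 400 or 505. Both tests need a WAF-specific block indicator (a fixed status or a log entry) rather than "not 200".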
@@ -0,0 +1,8 @@
+# Attack in request protocol
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+GET /?b06-01 UNION%20SELECT/1.0
+
+
@@ -0,0 +1,19 @@
+# Attack payload in trailing request header.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b07-1 HTTP/1.1
+Transfer-Encoding: chunked
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla
+Cookie: name=value
+
+9
+012345678
+1
+9
+0
+Cookie: name=UNION%20SELECT
+
+
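Review bot: Cookie is a field RFC 7230 §4.1.2 forbids in a trailer (it lists authentication and request-modifier fields, citing RFC 6265), and §4.1.3 tells recipients to ignore or reject such trailer fields, so a compliant origin never acts on this Cookie; the request also sends no `TE: trailers`. The test is still useful for asking whether the WAF parses trailers at all, but a MISSED here should be recorded as "not inspected" rather than "bypass", and a 400 from a strict origin will again score as OK. The query marker `b07-1` also differs from the file name b07-01 (likewise b08-1, b08-2, b09-1); aligning them helps when correlating WAF logs with test files.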
@@ -0,0 +1,13 @@
+# Attack payload in request body (parameter value)
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b08-1 HTTP/1.1
+Content-Length: 19
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla
+
+name=UNION%20SELECT
+
+
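Review bot: `Content-Length: 19` covers exactly `name=UNION%20SELECT`, but the file ends with two blank lines after the body; whether those CRLFs go on the wire depends on how run-test.pl reads the file (its hunk is not rendered on this page). Bytes after a Content-Length-framed body are parsed as the start of the next request on a keep-alive HTTP/1.1 connection and can draw a 400 that `!^200$` counts as a detection, so either strip the trailing lines or document that run-test.pl does.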
@@ -0,0 +1,13 @@
+# Attack payload in request body (parameter name)
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b08-2 HTTP/1.1
+Content-Length: 20
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla
+
+UNION%20SELECT=value
+
+
@@ -0,0 +1,16 @@
+# Attack payload in request body (JSON). We encode a few characters
+# to prevent the device from blindly looking into request body.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b09-1 HTTP/1.1
+Content-Length: 41
+Content-Type: application/json
+User-Agent: Mozilla
+
+{
+ "name": "\u0055NION SE\u004cECT"
+}
+
+
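Review bot: `Content-Length: 41` pins the exact bytes of the three body lines, indentation and line terminators included; any reformatting of this file breaks framing and the resulting 400 or 408 from the origin is scored as OK, so unless run-test.pl recomputes the length from the body it sends, a comment should warn against touching the whitespace. The escapes themselves check out: `\u0055` is `U` and `\u004c` is `L`, so a parser that decodes JSON sees `UNION SELECT` while a byte-matcher does not, which is the intended distinction.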
@@ -0,0 +1,24 @@
+# Attack payload in preamble
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b10-01 HTTP/1.0
+Content-Type: multipart/form-data; boundary=0000
+Content-Length: 286
+
+UNION SELECT
+--0000
+Content-Disposition: form-data; name="name"
+
+John Smith
+--0000
+Content-Disposition: form-data; name="email"
+
+john.smith@example.com
+--0000
+Content-Disposition: form-data; name="image"; filename="image.jpg"
+Content-Type: image/jpeg
+
+BINARYDATA
+--0000--
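Review bot: the payload sits in the multipart preamble, which RFC 2046 §5.1.1 says implementations must ignore, and the same holds for the epilogue in b10-05; a WAF that skips both is behaving exactly like a conformant backend parser, so a MISSED on these two is consistent with the spec unless the backend's parser is shown to consume preamble or epilogue bytes. Say so in the test comment so the result is not logged as a bypass.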
@@ -0,0 +1,24 @@
+# Attack payload in param name
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b10-02 HTTP/1.0
+Content-Type: multipart/form-data; boundary=0000
+Content-Length: 281
+
+--0000
+Content-Disposition: form-data; name="UNION SELECT"
+
+John Smith
+--0000
+Content-Disposition: form-data; name="email"
+
+john.smit@example.com
+--0000
+Content-Disposition: form-data; name="image"; filename="image.jpg"
+Content-Type: image/jpeg
+
+BINARYDATA
+--0000--
+
@@ -0,0 +1,23 @@
+# Attack payload in param filename.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b10-03 HTTP/1.0
+Content-Type: multipart/form-data; boundary=0000
+Content-Length: 276
+
+--0000
+Content-Disposition: form-data; name="name"
+
+John Smit
+--0000
+Content-Disposition: form-data; name="email"
+
+john.smit@example.com
+--0000
+Content-Disposition: form-data; name="image"; filename="UNION SELECT"
+Content-Type: image/jpeg
+
+BINARYDATA
+--0000--
@@ -0,0 +1,23 @@
+# Attack payload in file contents
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b10-04 HTTP/1.0
+Content-Type: multipart/form-data; boundary=0000
+Content-Length: 275
+
+--0000
+Content-Disposition: form-data; name="name"
+
+John Smith
+--0000
+Content-Disposition: form-data; name="email"
+
+john.smit@example.com
+--0000
+Content-Disposition: form-data; name="image"; filename="image.jpg"
+Content-Type: image/jpeg
+
+UNION SELECT
+--0000--
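Review bot: the declared Content-Length values in this set do not agree with the bodies. b10-03 and b10-04 have bodies of identical length (b10-03 carries `John Smit`, `filename="UNION SELECT"` and `BINARYDATA`; b10-04 carries `John Smith`, `filename="image.jpg"` and `UNION SELECT`; the differences cancel exactly, and both end at `--0000--`) yet declare 276 and 275, so at least one is wrong. A short Content-Length leaves bytes that become the next request; a long one leaves the origin waiting until it times out, and either non-200 is scored as a detection. The filler values also drift between files (`john.smit@` here and in b10-02/b10-03 vs `john.smith@` in b10-01 and b10-05), which is what makes hand counting fragile; recompute these from the body, or have run-test.pl set Content-Length from what it actually sends.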
@@ -0,0 +1,25 @@
+# Attack payload in epilogue.
+#
+# @OK RESPONSE_STATUS !^200$
+# @Missed
+#
+POST /?b10-05 HTTP/1.0
+Content-Type: multipart/form-data; boundary=0000
+Content-Length: 287
+
+--0000
+Content-Disposition: form-data; name="name"
+
+John Smith
+--0000
+Content-Disposition: form-data; name="email"
+
+john.smith@example.com
+--0000
+Content-Disposition: form-data; name="image"; filename="image.jpg"
+Content-Type: image/jpeg
+
+BINARYDATA
+--0000--
+UNION SELECT
+
@@ -0,0 +1,19 @@
+Hostname Evasion Tests
+----------------------
+
+- Use a different hostname in the request line and Host header
+- Case sensitivity
+- Multiple dots
+- Trailing dot(s)
+- Append port information
+- Experiment with invalid port numbers (e.g., overflow)
+- Use different IP address formats
+- Encode characters
+- %uHHHH
+- %HH
+- UTF-8
+- Punycode
+- Use whitespace before and after hostname, between labels
+- Multiple Host headers
+- Header folding with the Host header
+- Trailing Host header
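Review bot: `%uHHHH`, `%HH`, `UTF-8` and `Punycode` read as sub-items of "Encode characters" but are listed at the same level; indenting them makes the plan easier to follow. It is also worth noting beside `%uHHHH` that this is a non-standard, IIS-specific encoding, so a WAF that ignores it is only at fault in front of servers that decode it, whereas the `%HH` and Punycode cases apply to any RFC 3986 / IDNA host.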
@@ -0,0 +1,35 @@
+These tests are designed to test multipart/form-data parsers for sensitivity
+to partially malformed requests. The tests purposefully do not contain any attack
+patterns. The idea is to only test one aspect of processing at a time. If we
+determine a weakness in a particular implementation, we can attempt to craft an
+exploit for it.
+
+The test mXX-modsecurity-evasion.test contains an example of one such
+exploit.
+
+To run the tests:
+
+ 1. Configure the WAF to:
+
+ 1.1. Be extra sensitive to malformed traffic
+ 1.2. Block with any response other than 200
+
+ 2. Run the baseline test and check that it returns OK
+
+ ../run-test.pl 192.168.3.100:8080 m00-01-normal.test
+
+ 3. Run all tests and record results:
+
+ ../run-test.pl 192.168.3.100:8080 *.test
+
+ 4. Examine WAF warnings and error messages
+
+ 4.1. Ensure that no requests were blocked for any issue other than
+ malformed multipart/form-data traffic
+ 4.2. Repeat tests as necessary
+ 4.3. Record the final set of warnings and errors, as they may
+ be helpful in determining whether a weakness is a genuine
+ weakness and whether it can be exploited. Use an export feature
+ where available, screenshots of admin interfaces as last
+ resort.
+
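Review bot: the README points to `mXX-modsecurity-evasion.test` as the example exploit, but no such file is in this commit's list (the multipart-evasion set runs m00 through m14); either add the file or drop the sentence until it exists. Step 1.1, "extra sensitive to malformed traffic", would also benefit from naming which class of check is meant (strict multipart parsing, parser-error rules) so two testers configure the device the same way and step 4.1 can be applied consistently.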
@@ -0,0 +1,8 @@
+
+- Use different character set for a part (e.g., Content-Type: text/plain;charset=...)
+
+- Use Content-Transfer-Encoding
+
+- Field names can be encoded using RFC 2047?
+
+
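Review bot: the question mark on the RFC 2047 item can be resolved: RFC 2388 §3 explicitly allows a non-ASCII field name to be carried as an RFC 2047 encoded-word in the `name` parameter, and §4.3 allows a `Content-Transfer-Encoding` header on each part, so both TODO items are spec-sanctioned inputs a backend parser may decode, which is precisely what makes them worth testing for WAF/backend disagreement.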