README
TODO
m00-01-normal.test
m01-01-invalid-separator.test
m01-02-invalid-separator.test
m02-01-invalid-parameter-name.test
m02-02-invalid-parameter-name.test
m03-01-multiple-boundaries.test
m03-02-multiple-boundaries.test
m03-03-multiple-boundaries.test
m04-whitespace-after-parameter-name.test
m05-whitespace-before-parameter-value.test
m06-whitespace-after-parameter-value.test
m07-01-special-chars-in-boundary.test
m07-02-special-chars-in-boundary.test
m08-01-quoted-boundary.test
m08-02-whitespace-in-quoted-boundary.test
m08-03-whitespace-in-quoted-boundary.test
m08-04-quote-in-quoted-boundary.test
m08-05-quote-in-quoted-boundary.test
m08-06-partial-quote.test
m08-07-partial-quote.test
m08-08-whitespace-after-boundary.test
m09-data-after-last-boundary.test
m10-boundary-case-sensitivity.test
m11-01-invalid-multipart-type.test
m11-02-invalid-multipart-type.test
m11-03-invalid-multipart-type.test
m11-04-invalid-multipart-type.test
m11-05-invalid-multipart-type.test
m11-06-invalid-multipart-type.test
m12-01-disposition-multiple-param-names.test
m12-02-disposition-name-no-quotes.test
m12-03-disposition-name-single-quotes.test
m12-04-disposition-name-partial-quote.test
m12-05-disposition-name-partial-quote.test
m13-01-disposition-folding.test
m13-02-disposition-folding-isspace.test
m14-01-disposition-php-quoting.test

README

These tests are designed to test multipart/form-data parsers for sensitivity
to partially malformed requests. The tests purposefully do not contain any attack
patterns. The idea is to only test one aspect of processing at a time. If we
determine a weakness in a particular implementation, we can attempt to craft an
exploit for it.

The test mXX-modsecurity-evasion.test contains an example of one such
exploit.

To run the tests:

 1. Configure the WAF to:

   1.1. Be extra sensitive to malformed traffic
   1.2. Block with any response other than 200

 2. Run the baseline test and check that it returns OK

   ../run-test.pl 192.168.3.100:8080 m00-01-normal.test

 3. Run all tests and record results:

   ../run-test.pl 192.168.3.100:8080 *.test

 4. Examine WAF warnings and error messages

   4.1. Ensure that no requests were blocked for any issue other than
        malformed multipart/form-data traffic
   4.2. Repeat tests as necessary
   4.3. Record the final set of warnings and errors, as they may
        be helpful in determining whether a weakness is a genuine
        weakness and whether it can be exploited. Use an export feature
        where available, or screenshots of admin interfaces as a last
        resort.
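
As an illustration of what "extra sensitive to malformed traffic" in step 1.1 can mean for the Content-Type header, here is an added example (not part of this test suite or of any WAF) of a strict check built on the RFC 7230 token grammar and the RFC 2046 boundary alphabet. The finding labels and the sample headers are constructed for this example and are not the contents of the .test files.

```python
import re

# HTTP token and multipart boundary alphabets (RFC 7230 tchar, RFC 2046 bchars).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'[ \t]*;[ \t]*({TOKEN})=(?:({TOKEN})|"([^"\\]*)")')
BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")

def check_content_type(value):
    """Return anomaly labels (hypothetical names) for a Content-Type value."""
    media = re.match(rf"{TOKEN}/{TOKEN}", value)
    if not media or media.group(0).lower() != "multipart/form-data":
        return ["invalid-multipart-type"]
    findings, boundaries, pos = [], [], media.end()
    while pos < len(value):
        param = PARAM.match(value, pos)
        if not param:  # bad separator, stray whitespace, or unbalanced quote
            findings.append("malformed-parameter")
            break
        if param.group(1).lower() == "boundary":
            token, quoted = param.group(2), param.group(3)
            boundaries.append(token if token is not None else quoted)
        pos = param.end()
    if not boundaries:
        findings.append("missing-boundary")
    elif len(boundaries) > 1:
        findings.append("multiple-boundaries")
    # A boundary is 1-70 bchars and must not end in a space.
    if any(not BCHARS.fullmatch(b) for b in boundaries):
        findings.append("invalid-boundary-chars")
    return findings

# Constructed sample headers, one per anomaly class; not taken from the .test files.
SAMPLES = [
    "multipart/form-data; boundary=----abc123",
    "multipart/form-data; boundary=a; boundary=b",
    "multipart/form-data, boundary=abc",
    "multipart/form-data; boundary =abc",
    'multipart/form-data; boundary="a b "',
    'multipart/form-data; boundary="ab',
    "multipart/mixed; boundary=abc",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50} -> {check_content_type(header) or 'OK'}")
```

A header that produces any finding here is one where two parsers may disagree about which boundary applies, which is the kind of discrepancy the tests above probe for one aspect at a time.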
