Test: 061 - target REQUEST_FILENAME - recreation of CVE-2024-1019

[Sebitosh]

Description

#27

This tests is for target REQUEST_FILENAME (used 56 times in CRS v4.8.0). It tests the target from phase 1 to 4. The tests uses 3 requests as input with uris:

/in/uri/attack to verify the presence at the base

/attack/in/uri to verify the presence earlier in the path

/in/uri/is%3Fattack as a recreation of CVE-2024-1019

[Sebitosh]

Amended this with an additional negative test:

/in/uri/is?attack to verify content behind the ? does not appear in the target

[airween]

If the ? is in the test, then it must appear in go-ftw request, see an example in CRS.

[Sebitosh]

If the ? is in the test, then it must appear in go-ftw request, see an example in CRS.

Do you mean we should change the uris to:

/in/uri/attack?x=value

/attack/in/uri?x=value

/in/uri/is%3Fattack?x=value

To include ? ?

[airween]

If the ? is in the test, then it must appear in go-ftw request, see an example in CRS.

Do you mean we should change the uris to:

/in/uri/attack?x=value

/attack/in/uri?x=value

/in/uri/is%3Fattack?x=value

To include ? ?

Yes.

[Sebitosh]

Done ! Used ?arg=value to be more explicit

[Sebitosh]

Rebased & regenerated