
升级到1.5.0.8后,同样的测试用的一条请求,1.5.0.8的post_mod似乎失效,无法拦截。 #8

Closed
someonebw opened this issue May 10, 2017 · 9 comments

Comments

@someonebw

No description provided.

@starjun
Owner

starjun commented May 10, 2017

post 做了修改:post_Mod 现在只对 content-type 为 application/x-www-form-urlencoded 的请求进行过滤(不包括表单上传/raw 类型),而不像以前那样对 post 的整个 body 进行过滤。表单上传的过滤后面会新增。

@starjun starjun closed this as completed May 10, 2017
@someonebw
Author

那我来重新做一下测试看看,是不是这个情况。

@someonebw
Author

还是不行啊。有没有即时聊天工具,供技术交流?

#api/debug调用结果。
{"_worker_id":0,"_Openstar_version":"v 1.5.0.8","_ip":"172.19.100.7","_ngx_configure":" --prefix=/opt/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.60 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.7 --add-module=../ngx_lua_upstream-0.06 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.17 --add-module=../redis2-nginx-module-0.13 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --pid-path=/var/run/nginx.pid --with-http_ssl_module","_ngx_version":1011002,"_worker_count":1,"_ngxVar":{"query_string":"","request_completion":"","request_time":"0.000","pid":"5927","host":"172.19.100.10","nginx_version":"1.11.2","request_uri":"/api/debug","remote_addr":"172.19.100.7","document_root":"/opt/openresty/nginx/html","connection":"9","http_host":"172.19.100.10:5460","request_method":"GET","msec":"1494406833.846","pipe":".","server_name":"localhost:5460","time_iso8601":"2017-05-10T17:00:33+08:00","uri":"/api/debug","server_addr":"172.19.100.10","realpath_root":"/opt/openresty/nginx/html","bytes_sent":"0","connection_requests":"1","request":"GET /api/debug HTTP/1.1","server_protocol":"HTTP/1.1","scheme":"http","document_uri":"/api/debug","request_filename":"/opt/openresty/nginx/html/api/debug","body_bytes_sent":"0","proxy_protocol_port":"","status":"000","hostname":"localhost.localdomain","time_local":"10/May/2017:17:00:33 
+0800","request_length":"389","server_port":"5460","request_id":"71c788220b07184188ed2ec955b8d56a","proxy_protocol_addr":"","remote_port":"63094","limit_rate":"0"},"_ngx_prefix":"/opt/openresty/nginx/","_lua_version":"LuaJIT 2.1.0-beta2","_headers":{"host":"172.19.100.10:5460","accept-language":"zh-CN,zh;q=0.8","connection":"keep-alive","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8","accept-encoding":"gzip, deflate, sdch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36"},"_args":{},"_pid":5927,"_ngx_lua_version":10007}

#waf 的配置只修改了一个地方:more_set_headers 'Server: OpenStar 1.5.0.8';,用于测试反馈。

#nginx 配置只修改了一个地方:worker_processes 1;

#our.conf,proxy_pass是ok的。
#################### passport waf_cc by zhouj #################

2016年6月9日 11:26:36 up

upstream passport_web {
# Single backend; after one failed attempt (max_fails=1) the server is
# treated as unavailable for fail_timeout=10s before it is tried again.
server 172.19.92.97:8080 max_fails=1 fail_timeout=10s;

}

server {
# Plain HTTP listener; the test traffic in this issue travels in the clear.
listen 80;
server_name www.test10.com;
access_log logs/mytest.access.log main;
# "debug" is the most verbose error_log level: useful while troubleshooting
# the post_mod rule, very noisy for steady-state operation.
error_log logs/mytest.debug.log debug;

#proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;

# Static assets: proxied to the upstream group with access logging disabled,
# so requests matching this regex never appear in mytest.access.log.
location ~* \.(gif|jpg|png|jpeg|bmp|css|js|flv|ico|swf|woff)$ {
    proxy_pass http://passport_web;
    access_log off;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    #proxy_set_header   X-Forwarded-For  $remote_addr;
    # $proxy_add_x_forwarded_for appends the connecting address to whatever
    # X-Forwarded-For the client already sent; the commented-out $remote_addr
    # form would replace it. The backend should only trust the last hop
    # (the value this proxy appended), never the client-supplied prefix.
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    # NOTE(review): proxy_cache_valid only takes effect when a proxy_cache zone
    # is enabled in this or an enclosing context; none is visible in this
    # snippet, so confirm one exists or these three lines are no-ops.
    proxy_cache_valid 200 302 6h;
    proxy_cache_valid 301 1d;
    proxy_cache_valid any 1m;
    expires 30d;
    }

# Application path used for the post_mod test (POST /WebGoat/login.mvc).
location /WebGoat {
    # Port 8080 on 172.19.92.97 is the permitted Tomcat backend.
    proxy_pass http://172.19.92.97:8080/WebGoat;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    #proxy_set_header   X-Forwarded-For  $remote_addr;
    # Same append-vs-replace distinction as in the static-asset location above.
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

}
####################################################

###############
#post_mod.json增加一个新的过滤规则
{
"state": "on",
"hostname": ["*",""],
"post_str": ["testpostbodydrop","jio"],
"action": "deny"
}

###############

#############request#############
###请求头中增加了你说的字段 Content-Type: application/x-www-form-urlencoded

POST /WebGoat/login.mvc HTTP/1.1
Host: www.test10.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=16B05686B08E321935090255506F7514
Connection: close
Content-Length: 16

testpostbodydrop

#############request#############

#############response##########
####请求直接透传过去了,这里的 405 是 97 机器后台返回的错误,没有被 post_mod 过滤掉。
##################
HTTP/1.1 405 Method Not Allowed
Date: Wed, 10 May 2017 09:14:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1047
Connection: close
Allow: GET
Content-Language: en
Server: OpenStar 1.5.0.8

<title>Apache Tomcat/7.0.59 - Error report</title><style></style>

HTTP Status 405 - Request method 'POST' not supported


type Status report

message Request method 'POST' not supported

description The specified HTTP method is not allowed for the requested resource.


Apache Tomcat/7.0.59

################################

@starjun
Owner

starjun commented May 10, 2017

POST /WebGoat/login.mvc HTTP/1.1
Host: www.test10.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=16B05686B08E321935090255506F7514
Connection: close
Content-Length: 16

a=testpostbodydrop&b=ddd

%%%%%%%%%%
试试上面的请求。post_Mod 过滤的是 value 的内容,而不是 post 的 key。

一些 web 编程的基础知识,你再看看资料。

@starjun starjun reopened this May 10, 2017
@someonebw
Author

qq 20170510180613

@someonebw
Author

qq 20170510180804
qq 20170510180811
qq 20170510180819

@someonebw
Author

用你给的例子是一样的效果。

@starjun
Owner

starjun commented May 10, 2017

通过 api 检查 base 开关的状态和各个 mod 规则的状态,并确认 waf.conf 在 our.conf 之前被引用。
排查问题......

@starjun starjun closed this as completed May 10, 2017
@someonebw
Author

uri 拦截是生效的,说明 waf 加载正常;our.conf 的引用用的是默认配置的位置。
