Introduction to the OWASP Core Rule Set
The most important measure of a WAF's effectiveness is how well it defends against attacks.
Let's look at the OWASP ModSecurity checklist of the vulnerability classes it defends against:
Scanners.
Malicious crawlers.
Webshells (Trojans).
Shell upload: file upload.
Shell connection: get|post|cookie.
SQLi / blind SQLi / reflected SQLi / stored SQLi: get|post|referer|cookie|x_forwarded_for|ua|basic-authorization.
LFI/RFI: get lfi/rfi, post lfi/rfi, cookie lfi/rfi, data://URI, php://input, php://filter, get directory traversal, post directory traversal.
File upload: php, asp(x), jsp; RCE: struts2, nginx CVE, PHP CGI, get rce, post rce.
XSS / reflected XSS / stored XSS / DOM XSS / CSRF / Flash XSS / JSON XSS: get, post
Code injection: get code injection, post code injection
XPath injection
LDAP injection
XML injection
Expression language injection
Server-side includes injection
Server-side request forgery
HTTP response splitting
CRLF injection
Server parsing vulnerabilities
Sensitive information leakage: info leak, svn/cvs, exposed admin backends
HTTP parameter pollution
Brute force (weak passwords)
DoS
Slow HTTP DoS
URL redirect
Session fixation / easily guessable session IDs
Session hijacking
Comment spam
Antivirus
Access control (vertical, horizontal) / unauthorized file exposure (download)
Logic flaws
Protocol anomalies:
Malformed request line
Abnormal file names
Request body parsing errors
Multipart request body parsing errors
Content-Length anomalies
Content-Encoding anomalies
Range anomalies
Request-Range anomalies
Expect anomalies
Connection anomalies
Pragma, Cache-Control
Host anomalies
User-Agent anomalies
Accept anomalies
X-Forwarded-For anomalies
Encoding anomalies: URL-encoding anomalies, UTF-8 anomalies, missing or inconsistent charset settings
Incorrect Cookie Domain/HttpOnly/Secure settings
Incorrect security headers: X-XSS-Protection, X-Frame-Options, X-Content-Type-Options
Protocol restrictions:
Allowed request methods: GET/POST/HEAD
Allowed protocol versions: HTTP/1.0 or HTTP/1.1
Allowed Content-Types
Allowed file extensions
Allowed request headers
Length limits:
Parameter name length limit
Parameter value length limit
Limit on the number of parameters
Total size of all parameters
Uploaded file size limit
Total upload size limit
Encoding restrictions
Malicious proxies
CRS rule set test cases
90x files: exclusions for false positives
91x files: rules detecting malicious clients
92x files: rules detecting protocol violations
93x and 94x files: rules detecting application attacks (SQL injection) and command execution attacks
95x files: rules detecting outbound data leakage; not supported on NGINX and NGINX Plus
.data files: data used by the rules
^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$
Hits rule id 920200: ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}
curl -H "Range: bytes=100-200 , 100-200, 100-200, 100-200, 100-200, 100-200, " http://my.olwaf.cn:8080 -v
Returns 403; which rule was hit is unknown
curl -H 'Content-Type: aaaaaaaaaa;boundary=-----------aaaaaaaaa"' http://my.olwaf.cn:8080 -v
Hits rule 921130: (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)
curl --cookie "test=<html>aaaaaaaa</html>" http://my.olwaf.cn:8080 -v
Hits REQUEST-930-APPLICATION-ATTACK-LFI.conf, rule id 930120, with the lfi-os-files.data entry system32/inetsrv/config/applicationhost.config
curl --cookie "system32/inetsrv/config/applicationhost.config=.ssh/id_dsa.pub" http://my.olwaf.cn:8080 -v
REQUEST-932-APPLICATION-ATTACK-RCE.conf
Hits 932130: (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))
curl --cookie "<(adasdas)=Test-ComputerSecureChannel" http://my.olwaf.cn:8080 -v
Hit: [932160] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "usr/bin/python3=Test-ComputerSecureChannel" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
[932170^\(\s*\)\s+{] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "( ) {=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
REQUEST-933-APPLICATION-ATTACK-PHP.conf
[933110.*\.(?:php\d*|phtml)\.*$] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl -H "X-Filename: s.phtml." http://my.olwaf.cn:8080 -v
[933120] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "auto_globals_jit=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
[lua] actions.lua:30: [933190] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "?>=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
actions.lua:33: [933111.*\.(?:php\d*|phtml)\..*$] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl -H "X-Filename: a.phtml.adsas" http://my.olwaf.cn:8080 -v
REQUEST-941-APPLICATION-ATTACK-XSS.conf
[941320<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W]
Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?<keygen> HTTP/1.1", host: " my.olwaf.cn:8080"
curl " http://my.olwaf.cn:8080/?<keygen>" -v
2019/04/04 14:40:04 [alert] 5666#0: *1230 [lua] actions.lua:33: [941150(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=] Rule action was DENY,
......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --user-agent "sdas src =qqqqqqqqqqq" http://my.olwaf.cn:8080 -v
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
2019/04/04 15:07:46 [alert] 4466#0: *87 [lua] actions.lua:33: [942432((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>]*?){2})] Rule action was DENY,
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?$> HTTP/1.1", host: " my.olwaf.cn:8080"
curl " http://my.olwaf.cn:8080/?$>" -v
2019/05/06 15:22:26 [alert] 4482#0: *175 [lua] actions.lua:33: [942421((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>]*?){3})] Rule action was DENY,
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1",
host: " my.olwaf.cn:8080"
curl --cookie "[][=qqqqqqqqqqq" http://my.olwaf.cn:8080 -v
2019/04/04 15:25:46 [alert] 4482#0: *204 [lua] actions.lua:33: [942110(^\s*["'`;]+|["'`]+\s*$)] Rule action was DENY,
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?; HTTP/1.1",
host: " my.olwaf.cn:8080"
curl " http://my.olwaf.cn:8080/?;" -v
2019/04/04 15:54:39 [alert] 4482#0: *404 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(]
Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie 'truncate ( space (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v
2019/04/04 16:18:16 [alert] 4482#0: *550 [lua] actions.lua:33: [942210(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?["'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))]
Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn,
request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie '123 group by a (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v
2019/05/06 16:22:30 [alert] 4478#0: *580 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(]
Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn,
request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie 'uncompressed_length (=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v
2019/05/06 17:03:30 [alert] 4482#0: *822 [lua] actions.lua:33: [942300(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|["'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))]
Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie ') when 890 then=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v
curl "http://my.olwaf.cn:8080/?) when 890 then" -v
2019/04/04 18:04:01 [alert] 30940#0: *11 [lua] actions.lua:33: [944100java\.lang\.(?:runtime|processbuilder)]
Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "java.lang.runtime=weblogicsession" "http://my.olwaf.cn:8080" -v
2019/04/04 18:11:30 [alert] 30945#0: *56 [lua] actions.lua:33: [944300(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)]
Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "cHJvdG90eXBlY2xvbmVmYWN0b3J5=weblogicsession" " http://my.olwaf.cn:8080" -v
2019/04/04 18:13:05 [alert] 30945#0: *66 [lua] actions.lua:33: [944240(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)]
Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "prototypeserializationfactory=weblogicsession" " http://my.olwaf.cn:8080" -v
Rules from REQUEST-944-APPLICATION-ATTACK-JAVA.conf, for example the following rule:
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
log,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
t:lowercase,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
Result of the variable-parsing function:
ARGS
ARGS_NAMES
REQUEST_COOKIES
! --[[
REQUEST_COOKIES   this part is parsed by the section below
/__utm/ ]]--
REQUEST_COOKIES_NAMES
REQUEST_BODY
REQUEST_HEADERS
! parse parse parse
REQUEST_COOKIES parse parse parse
The "!" (negation) part is parsed in this section
Operator parsed by the parse_operator function:
rx
Remaining parameters parsed by the parse_actions function:
944250
id
2
phase
block
log
logdata
lowercase
t
application-multi
tag
language-java
tag
platform-multi
tag
attack-rce
tag
OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
tag
WASCTC/WASC-31
tag
OWASP_TOP_10/A1
tag
PCI/6.5.2
tag
paranoia-level/2
tag
OWASP_CRS/3.1.0
ver
CRITICAL
severity
tx.msg=%{rule.msg}
setvar
tx.rce_score=+%{tx.critical_anomaly_score}
setvar
tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}
setvar
tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}
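The listing above is what the WAF's Lua parser produces for rule 944250. As an added example (not the WAF's Lua code and not a ModSecurity library), the Python below parses the same directive into the three parts the page describes: the variable list with its `!` negation and `:selector` parts, the `@rx` operator with its argument, and the comma-separated action list in which `tag` and `setvar` repeat. The `rule_matches` helper and the sample values it is tried on are assumptions added for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule 944250 from REQUEST-944-APPLICATION-ATTACK-JAVA.conf, as quoted on this page.
RULE_944250 = r'''SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
log,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
t:lowercase,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
tag:'WASCTC/WASC-31',\
tag:'OWASP_TOP_10/A1',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
'''

# One target: (collection, selector or None, negated), e.g. ('REQUEST_COOKIES', '/__utm/', True)
Variable = Tuple[str, Optional[str], bool]

@dataclass
class SecRule:
    variables: List[Variable]
    operator: str                   # e.g. 'rx'
    argument: str                   # the operator parameter, here the regex
    actions: List[Tuple[str, str]]  # (name, value) in file order; tag and setvar repeat

# SecRule VARIABLES "OPERATOR" "ACTIONS"; the quoted parts may contain backslash escapes.
DIRECTIVE_RX = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$', re.S)
ACTION_ITEM_RX = re.compile(r"(?:'[^']*'|[^,])+")   # one action; commas inside '...' do not split

def parse_secrule(text: str) -> SecRule:
    joined = text.replace('\\\n', '').strip()      # fold the backslash line continuations
    m = DIRECTIVE_RX.match(joined)
    if not m:
        raise ValueError('not a single SecRule directive')
    var_text, op_text, act_text = m.groups()
    variables: List[Variable] = []
    for tok in var_text.split('|'):                # selectors containing '|' are not handled
        name, _, selector = tok.lstrip('!&').partition(':')
        variables.append((name, selector or None, tok.startswith('!')))
    if not op_text.startswith('@'):                # ModSecurity defaults to @rx
        op_text = '@rx ' + op_text
    operator, _, argument = op_text[1:].partition(' ')
    actions = []
    for item in ACTION_ITEM_RX.findall(act_text):
        name, _, value = item.strip().partition(':')
        actions.append((name, value.strip("'")))
    return SecRule(variables, operator, argument, actions)

def rule_matches(rule: SecRule, value: str) -> bool:
    """Apply the rule's t: transformations (only lowercase is used here) and its @rx operator."""
    for name, val in rule.actions:
        if name == 't' and val == 'lowercase':
            value = value.lower()
    return re.search(rule.argument, value) is not None
```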
Log entries for CRS rule hits
2019/05/29 21:35:52 [alert] 4885#0: *33 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136952.41,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block",
"AttackIp":"10.96.3.72", "ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:35:59 [alert] 4881#0: *67 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136959.771,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72", "ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:39:01 [alert] 4884#0: *77 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<adugen>","WafId":"dr2018012211225601","AttackTime":1559137141.989,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|adugen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72", "ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<adugen>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<adugen> HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:52:34 [alert] 6319#0: *75 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<maimaipi>","WafId":"dr2018012211225601","AttackTime":1559137954.622,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|maimaipi|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72"," ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<blackface>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<blackface> HTTP/1.1",
host: " my.olwaf.cn:8080"
Project Honeypot, CRS, Trustwave SpiderLabs
https://www.jianshu.com/p/d22f3914d153
Custom rule examples
SecRule FILES "!\\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"
SecRule FILES "@contains %00" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has null character',id:0000002,phase:2"
DDoS Protection
This protection operates at L7: a single IP that sends too many requests within a configured time window is blocked.
One advantage is that the counter only covers dynamic requests and ignores static files, because Nginx serves static files very efficiently and they are rarely the bottleneck.
SecAction \
"id:900700,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.dos_burst_time_slice=10',\
setvar:'tx.dos_counter_threshold=20',\
setvar:'tx.dos_block_timeout=86400'"
Anomaly scoring
CRS uses a configurable anomaly scoring model: every rule that fires adds to the transaction's anomaly score, and once the score reaches the configured anomaly threshold the transaction is blocked. The severity levels are:
Critical: anomaly score 5, indicates a probable application attack; mostly generated by the 93x and 94x files.
Error: anomaly score 4, indicates probable data leakage; mostly generated by the 95x files, which are not yet supported on NGINX and NGINX Plus.
Warning: anomaly score 3, indicates a probable malicious client; mostly generated by the 91x files.
Notice: anomaly score 2, indicates a probable protocol violation; mostly generated by the 92x files.
By default CRS blocks all inbound traffic with an anomaly score of 5 or higher, so a transaction that triggers any single Critical rule is dropped, and three or more Notice-level violations also get the transaction blocked.
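To make the scoring model concrete, here is an added Python example (not CRS code) that sums anomaly scores over a constructed rule table built from the regexes quoted earlier on this page. The severity and target columns follow the page's per-file summary and are assumptions for the demonstration, not values read from the real rule files, where each rule sets its own severity and variable list.

```python
import re
from typing import Dict, List, Tuple

# Anomaly score per severity level, as listed on this page.
SEVERITY_SCORE = {'CRITICAL': 5, 'ERROR': 4, 'WARNING': 3, 'NOTICE': 2}
INBOUND_THRESHOLD = 5   # CRS default: block when the inbound score reaches 5

# Constructed rule table for the demonstration. The regexes are the ones quoted on this
# page; the severity column follows the page's per-file summary (92x -> NOTICE,
# 93x/94x -> CRITICAL) and is NOT read from the real rule files. 'target' is an
# assumption about which part of the request the rule inspects.
RULES: List[Tuple[str, str, str, str]] = [
    ('920200', 'NOTICE',   'header:range',      r'^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}'),
    ('921130', 'NOTICE',   'cookie',            r'(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)'),
    ('933110', 'CRITICAL', 'header:x-filename', r'.*\.(?:php\d*|phtml)\.*$'),
    ('944100', 'CRITICAL', 'cookie',            r'java\.lang\.(?:runtime|processbuilder)'),
]

Request = Dict[str, Dict[str, str]]   # {'headers': {...}, 'cookies': {...}}

def inspected_values(request: Request, target: str) -> List[str]:
    """Values a rule looks at: one named header, or every cookie name and value."""
    if target.startswith('header:'):
        value = request.get('headers', {}).get(target.split(':', 1)[1])
        return [value] if value is not None else []
    if target == 'cookie':
        cookies = request.get('cookies', {})
        return list(cookies.keys()) + list(cookies.values())
    return []

def evaluate(request: Request) -> Tuple[int, List[str]]:
    """Run every rule once; return the summed anomaly score and the ids that fired."""
    score, fired = 0, []
    for rule_id, severity, target, pattern in RULES:
        # t:lowercase is applied before matching, as most CRS rules do
        if any(re.search(pattern, v.lower()) for v in inspected_values(request, target)):
            score += SEVERITY_SCORE[severity]
            fired.append(rule_id)
    return score, fired

def decide(request: Request) -> Tuple[str, int, List[str]]:
    """Block once the accumulated score reaches the inbound threshold."""
    score, fired = evaluate(request)
    return ('BLOCK' if score >= INBOUND_THRESHOLD else 'PASS'), score, fired

# Constructed requests mirroring the curl tests on this page.
RANGE_ONLY: Request = {
    'headers': {'range': 'bytes=100-200 , 100-200, 100-200, 100-200, 100-200, 100-200, '},
    'cookies': {},
}
TWO_NOTICES: Request = {                      # 920200 + 921130 = 4, still below 5
    'headers': RANGE_ONLY['headers'],
    'cookies': {'test': '<html>aaaaaaaa</html>'},
}
NOTICES_PLUS_PHP: Request = {                 # adds 933110 (CRITICAL): 9, blocked
    'headers': {**RANGE_ONLY['headers'], 'x-filename': 's.phtml.'},
    'cookies': {'test': '<html>aaaaaaaa</html>'},
}
JAVA_RCE: Request = {                         # a single CRITICAL rule is enough to block
    'headers': {},
    'cookies': {'java.lang.runtime': 'weblogicsession'},
}

if __name__ == '__main__':
    for name, req in [('range only', RANGE_ONLY), ('two notices', TWO_NOTICES),
                      ('notices + php', NOTICES_PLUS_PHP), ('java rce', JAVA_RCE)]:
        print(name, decide(req))
```

A third Notice-level hit on TWO_NOTICES would bring the score to 6 and block it, which is the "three or more Notice violations" case described above.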
Besides the OWASP CRS, the Trustwave SpiderLabs commercial rule set provides additional protection, such as application-specific rule sets for WordPress, Joomla, SharePoint and other applications.
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf: session fixation attacks
Requests that trigger it:
curl "http://my.olwaf.cn:8080/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" -v
Hits the default rules and 920100.
But one false-positive log entry is produced:
[WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/>","WafId":"dr2018012211225601","AttackTime":1563975927.62,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/> HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/> HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "http-equiv+set-cookie=aaaaaaaa" "http://my.olwaf.cn:8080" -v
curl http://my.olwaf.cn:8080/?weblogicsession -v
"jsessionid"
"aspsessionid"
"asp.net_sessionid"
"phpsession"
"phpsessid"
"weblogicsession"
"session_id"
"session-id"
"cfid"
"cftoken"
"cfs id"
"jservsession"
"jwsession"
---------------------------------------------------------------------------------
Does not trigger it, but hits 921130:
curl --cookie "SESSIONID=<meta http-equiv="set-cookie" content=sessionattack=123456;expires=Friday,12-Jan-200118:18:18GMT;path=/>" "http://my.olwaf.cn:8080" -v
The cookie is split into a table:
path/>
expiresFriday,12-Jan-200118:18:18GMT
http-equivset-cookie
SESSIONID<meta
contentsessionattack=123456
^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)
Note: this rule lowercases the target string first. The rule
(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)
is matched against the following fields:
/>
Friday,12-Jan-200118:18:18GMT
set-cookie
<meta
sessionattack=123456
path
expires
http-equiv
SESSIONID
content
----------------------------------------------------------------------------------
Hits 921130:
curl --cookie "SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" "http://my.olwaf.cn:8080" -v
The rule (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b) is matched against each of the following fields:
<meta
sessionattack%3d123456
SESSION
http-equiv%3dset-cookie content
The rule ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession) is matched against the following fields:
session
http-equiv=set-cookie content
curl --referer "https://attacktest/" http://my.olwaf.cn:8080/?weblogicsession -v
Blocked and logged: Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer","logdata":"Matched Data: https:\/\/sadasd\/ found within TX: ","id":"943110
curl http://my.olwaf.cn:8080/?weblogicsession -v
Blocked and logged: Matched Data: 0 found within REQUEST_HEADERS: 0","match":0,"msg":"Possible Session Fixation Attack: SessionID Parameter Name with No Referer
In strict mode all of the requests above are hit!
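The fragment tables above show how the WAF splits a cookie before matching. As an added example (not the WAF's Lua code), the Python below uses an assumed splitter that reproduces those tables, then runs the two regexes quoted on this page over the fragments and over the raw header. It shows that the plain-text cookie only matches when the whole header is inspected, because the `=` separates `http-equiv` from `set-cookie`, while the URL-encoded form keeps `http-equiv%3dset-cookie content` in one fragment and matches after decoding. The JSESSIONID cookie is taken from the test cases below.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# The two regexes this page quotes from REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf.
SET_COOKIE_RX = re.compile(r'(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)')
SESSION_NAME_RX = re.compile(r'^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|'
                             r'weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)')

# Assumed cookie splitter: a name runs up to '=', a value up to the next ';' or whitespace.
# The WAF's own Lua code is not on the page; this pattern was chosen because it reproduces
# the fragment tables listed above for both cookies.
COOKIE_PAIR_RX = re.compile(r'([^=;]+)=([^;\s]*)')

def split_cookie(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs the way the tables above show."""
    return [(m.group(1).strip(), m.group(2)) for m in COOKIE_PAIR_RX.finditer(header)]

def fixation_hits(header: str) -> Tuple[List[str], bool, List[str]]:
    """Return (fragments matching SET_COOKIE_RX, whether the raw header matches,
    cookie names that look like session identifiers). Fragments are URL-decoded
    first, standing in for t:urlDecodeUni; names are lowercased, as the page notes."""
    pairs = split_cookie(header)
    fragments = [f for pair in pairs for f in pair]
    fragment_hits = [f for f in fragments if SET_COOKIE_RX.search(unquote(f))]
    raw_hit = SET_COOKIE_RX.search(unquote(header)) is not None
    session_names = [n for n, _ in pairs if SESSION_NAME_RX.search(unquote(n).lower())]
    return fragment_hits, raw_hit, session_names

# The cookies from the curl tests on this page. The first is written as the shell actually
# sends it, since the inner double quotes in the curl command end the shell string.
COOKIE_PLAIN = ('SESSIONID=<meta http-equiv=set-cookie content=sessionattack=123456;'
                'expires=Friday,12-Jan-200118:18:18GMT;path=/>')
COOKIE_ENCODED = ('SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;'
                  'expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>')
COOKIE_JSESSIONID = 'JSESSIONID=123fsakqwerty; c=5; path=/'

if __name__ == '__main__':
    for header in (COOKIE_PLAIN, COOKIE_ENCODED, COOKIE_JSESSIONID):
        print(split_cookie(header))
        print(fixation_hits(header))
```

Matching only the parsed fragments misses the plain-text case, so the raw Cookie header (REQUEST_HEADERS) has to be inspected as well.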
Common test cases follow:
curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data
curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakjjd1;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; " http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/waf_http_error/note.xml?aaa=test -v
curl -X "POST" -H "Content-Type: " --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl -H "Origin: http://www.aibi.com" http://my.olwaf.cn:8080 -v
curl -H "Origin: http://www.test.com" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "X-Forwarded-For: client1, client2, client3" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d "abc=admin&passwd=12345678" http://my.olwaf.cn:8080 -v
GET /index.html?id=1%29%29%29%20AND%204854%3D4854%20AND%20%28%28%289491%3D9491
GET /index.html?id=1%EF%BC%87%20AND%208116%3D9451%20AND%20%EF%BC%87syvX%EF%BC%87%3D%EF%BC%87syvX HTTP/1.1\r\n
GET /index.html?id=1%22%29%20AND%202421%3D6292%20AND%20%28%22Afhp%22%20LIKE%20%22Afhp HTTP/1.1\r\n
curl "http://my.olwaf.cn:8080/index.html?a=b&b=cc <DIV STYLE=behaviour: url(' http://www.how-to-hack.org/exploit.html');>"