
Deep analysis and testing of the OWASP Core Rule Set

Popularity: 99   Published: 2023-12-12 02:17:27.0

OWASP Core Rule Set overview

When evaluating a WAF, the most important criterion is how well it defends against attacks.

Let's look at the OWASP ModSecurity checklist of vulnerabilities it is expected to defend against:


Scanners
Malicious crawlers
Webshells (Trojans)
Shell upload: file upload
Shell connection: get|post|cookie
SQLi / blind SQLi / reflected SQLi / stored SQLi: get|post|referer|cookie|x_forwarded_for|ua|basic-authorization
LFI/RFI: get lfi/rfi, post lfi/rfi, cookie lfi/rfi, data://URI, php://input, php://filter, get directory traversal, post directory traversal
File upload: php, asp(x), jsp, RCE, struts2, nginx CVE, PHP CGI, get rce, post rce
XSS / reflected XSS / stored XSS / DOM XSS / CSRF / flash XSS / JSON XSS: get, post
Code injection: get code injection, post code injection
XPath injection
LDAP injection
XML injection
Expression language injection
Server side includes injection
Server side request forgery
HTTP response splitting
CRLF injection
Server parsing vulnerabilities
Sensitive information leakage: info leak, svn/cvs, exposed admin back-ends
HTTP parameter pollution
Brute force (weak passwords)
DoS
Slow HTTP DoS
URL redirect
Session fixation / easily guessable session IDs
Session hijacking
Comment spam
Anti-virus
Access control (vertical, horizontal) / unauthorized file exposure (download)
Logic flaws

Protocol anomalies:
Malformed request line
Abnormal file names
Request body parsing errors
Multipart request body parsing errors
Content-Length anomalies
Content-Encoding anomalies
Range anomalies
Request-Range anomalies
Expect anomalies
Connection anomalies
Pragma, Cache-Control
Host anomalies
User-Agent anomalies
Accept anomalies
X-Forwarded-For anomalies
Encoding anomalies: URL encoding anomalies, UTF-8 anomalies, missing or inconsistent charset setting
Cookie Domain/httponly/secure misconfiguration
Security header misconfiguration: X-XSS-Protection, X-FRAME-OPTIONS, X-Content-Type-Options

Protocol restrictions:
Allowed request methods: GET/POST/HEAD
Allowed protocol versions: HTTP/1.0 or HTTP/1.1
Allowed Content-Type values
Allowed file extensions
Allowed request headers

Length limits:
Parameter name length limit
Parameter value length limit
Parameter count limit
Total parameter size
Upload file size limit
Total upload size limit
Encoding restrictions
Malicious proxies

CRS rule set test cases

90x files: false-positive exclusions
91x files: rules detecting malicious clients
92x files: rules detecting protocol violations
93x and 94x files: rules detecting application attacks (e.g. SQL) or command execution attacks
95x files: rules detecting outbound data leakage; not supported on nginx and nginx plus
.data files: data used by the rules


^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$
Rule id 920200 hit, regex: ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}
curl -H "Range: bytes=100-200 , 100-200, 100-200, 100-200, 100-200, 100-200, " http://my.olwaf.cn:8080 -v
Returns 403; which rule was hit is unknown:
curl -H 'Content-Type: aaaaaaaaaa;boundary=-----------aaaaaaaaa"' http://my.olwaf.cn:8080 -v

Hits rule 921130 (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b):
curl --cookie "test=<html>aaaaaaaa</html>" http://my.olwaf.cn:8080 -v

Hits REQUEST-930-APPLICATION-ATTACK-LFI.conf, rule id 930120, via the lfi-os-files.data entry system32/inetsrv/config/applicationhost.config:
curl --cookie "system32/inetsrv/config/applicationhost.config=.ssh/id_dsa.pub" http://my.olwaf.cn:8080 -v 

REQUEST-932-APPLICATION-ATTACK-RCE.conf 
Hits 932130 (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\)):
curl --cookie "<(adasdas)=Test-ComputerSecureChannel" http://my.olwaf.cn:8080 -v 

Hits [932160] Rule action was DENY, ......................................................,
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "usr/bin/python3=Test-ComputerSecureChannel" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v 

[932170^\(\s*\)\s+{] Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "( ) {=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v 

REQUEST-933-APPLICATION-ATTACK-PHP.conf 
[933110.*\.(?:php\d*|phtml)\.*$] Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl -H "X-Filename: s.phtml." http://my.olwaf.cn:8080 -v 

[933120] Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "auto_globals_jit=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v 

[lua] actions.lua:30: [933190] Rule action was DENY, ......................................................, 
 client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "?>=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v 

actions.lua:33: [933111.*\.(?:php\d*|phtml)\..*$] Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl -H "X-Filename: a.phtml.adsas" http://my.olwaf.cn:8080 -v 

REQUEST-941-APPLICATION-ATTACK-XSS.conf 
941320<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W] 
Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?<keygen> HTTP/1.1", host: " my.olwaf.cn:8080" 
curl " http://my.olwaf.cn:8080/?<keygen>" -v 

2019/04/04 14:40:04 [alert] 5666#0: *1230 [lua] actions.lua:33: [941150(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=] Rule action was DENY, 
......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --user-agent "sdas src =qqqqqqqqqqq" http://my.olwaf.cn:8080 -v 


REQUEST-942-APPLICATION-ATTACK-SQLI.conf 
2019/04/04 15:07:46 [alert] 4466#0: *87 [lua] actions.lua:33: [942432((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>]*?){2})] Rule action was DENY, 
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?$> HTTP/1.1", host: " my.olwaf.cn:8080" 
curl  " http://my.olwaf.cn:8080/?$>" -v 


2019/05/06 15:22:26 [alert] 4482#0: *175 [lua] actions.lua:33: [942421((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'?’‘`<>]*?){3})] Rule action was DENY, 
 ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", 
 host: " my.olwaf.cn:8080" 
curl --cookie "[][=qqqqqqqqqqq" http://my.olwaf.cn:8080 -v 


2019/04/04 15:25:46 [alert] 4482#0: *204 [lua] actions.lua:33: [942110(^\s*["'`;]+|["'`]+\s*$)] Rule action was DENY, 
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?; HTTP/1.1", 
host: " my.olwaf.cn:8080" 

curl  " http://my.olwaf.cn:8080/?;" -v 


2019/04/04 15:54:39 [alert] 4482#0: *404 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(] 
 Rule action was DENY, ......................................................, 
 client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie 'truncate ( space (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v 


  
2019/04/04 16:18:16 [alert] 4482#0: *550 [lua] actions.lua:33: [942210(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?["'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))] 
 Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, 
 request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie '123 group by a (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v 


2019/05/06 16:22:30 [alert] 4478#0: *580 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(] 
 Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, 
request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie 'uncompressed_length (=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v 


2019/05/06 17:03:30 [alert] 4482#0: *822 [lua] actions.lua:33: [942300(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|["'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))] 
 Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 

curl --cookie ') when 890 then=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v 
curl "http://my.olwaf.cn:8080/?) when 890 then" -v 

2019/04/04 18:04:01 [alert] 30940#0: *11 [lua] actions.lua:33: [944100java\.lang\.(?:runtime|processbuilder)] 
Rule action was DENY, ......................................................, 
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 

curl --cookie "java.lang.runtime=weblogicsession" "http://my.olwaf.cn:8080" -v 


2019/04/04 18:11:30 [alert] 30945#0: *56 [lua] actions.lua:33: [944300(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)] 
 Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "cHJvdG90eXBlY2xvbmVmYWN0b3J5=weblogicsession" " http://my.olwaf.cn:8080" -v 


2019/04/04 18:13:05 [alert] 30945#0: *66 [lua] actions.lua:33: [944240(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)] 
 Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "prototypeserializationfactory=weblogicsession" " http://my.olwaf.cn:8080" -v


Rules in REQUEST-944-APPLICATION-ATTACK-JAVA.conf, for example the following rule:
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \ 
    "id:944250,\ 
    phase:2,\ 
    block,\ 
    log,\ 
    msg:'Remote Command Execution: Suspicious Java method detected',\ 
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ 
    t:lowercase,\ 
    tag:'application-multi',\ 
    tag:'language-java',\ 
    tag:'platform-multi',\ 
    tag:'attack-rce',\ 
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ 
    tag:'WASCTC/WASC-31',\ 
    tag:'OWASP_TOP_10/A1',\ 
    tag:'PCI/6.5.2',\ 
    tag:'paranoia-level/2',\ 
    ver:'OWASP_CRS/3.1.0',\ 
    severity:'CRITICAL',\ 
    setvar:'tx.msg=%{rule.msg}',\ 
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ 
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ 
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

Result of the variable-parsing function:
 ARGS
 ARGS_NAMES
 REQUEST_COOKIES
 !                                         --[[
 REQUEST_COOKIES             this part is parsed by the step below
 /__utm/                               ]]--
 REQUEST_COOKIES_NAMES
 REQUEST_BODY
 REQUEST_HEADERS
 !
 REQUEST_COOKIES

The "!" (negation) part is parsed in this second step.

Operator parsed by the parse_operator function:
rx
Remaining parameters parsed by the parse_actions function:
 944250                                    
 id                                        
 2                                         
 phase                                     
 block                                      
 log                                        
 logdata                                    
 lowercase                                  
 t                                          
 application-multi                          
 tag                                        
 language-java                              
 tag                                        
 platform-multi                             
 tag                                        
 attack-rce                                 
 tag                                        
 OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION     
 tag                                        
 WASCTC/WASC-31                             
 tag                                        
 OWASP_TOP_10/A1                            
 tag                                        
 PCI/6.5.2                                  
 tag                                        
 paranoia-level/2                           
 tag                                        
 OWASP_CRS/3.1.0                            
 ver                                        
 CRITICAL                                   
 severity                                   
 tx.msg=%{rule.msg}                         
 setvar                                     
 tx.rce_score=+%{tx.critical_anomaly_score}                               
 setvar                                                                   
 tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}                       
 setvar                                                                   
 tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}
Log entries for CRS rule hits:


2019/05/29 21:35:52 [alert] 4885#0: *33 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136952.41,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 


2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block", 
"AttackIp":"10.96.3.72", "ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 


2019/05/29 21:35:59 [alert] 4881#0: *67 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136959.771,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72", "ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080" 


2019/05/29 21:39:01 [alert] 4884#0: *77 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<adugen>","WafId":"dr2018012211225601","AttackTime":1559137141.989,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|adugen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72", "ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<adugen>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<adugen> HTTP/1.1", host: " my.olwaf.cn:8080" 


2019/05/29 21:52:34 [alert] 6319#0: *75 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<maimaipi>","WafId":"dr2018012211225601","AttackTime":1559137954.622,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|maimaipi|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72"," ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<blackface>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<blackface> HTTP/1.1", 
host: " my.olwaf.cn:8080" 
Project Honeypot, CRS, Trustwave SpiderLabs:
https://www.jianshu.com/p/d22f3914d153


Custom rule examples

SecRule FILES "!\\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"
SecRule FILES "@contains %00" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has null character',id:0000002,phase:2"
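A small parser that reproduces the three parse stages shown above (variables with `!` negation and `:` selectors, the operator, and the comma-separated actions), run against rule 944250 and the first custom FILES rule. This is an added example in Python, not the page's Lua parser; it assumes Apache-style quoting, with shlex's handling of `\\` inside double quotes standing in for the config reader, and the 944250 tag list is shortened.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Variable:
    name: str
    selector: Optional[str] = None   # text after ':' (e.g. /__utm/ or //@*)
    negated: bool = False            # leading '!' excludes this target
    counted: bool = False            # leading '&' counts matches instead of values

@dataclass
class SecRule:
    variables: List[Variable]
    operator: str                    # 'rx' when no explicit @op is written
    argument: str
    op_negated: bool                 # leading '!' in front of the operator
    actions: List[Tuple[str, Optional[str]]]

def parse_variables(spec: str) -> List[Variable]:
    out = []
    for item in spec.split("|"):
        negated, counted = item.startswith("!"), item.startswith("&")
        name, _, selector = item.lstrip("!&").partition(":")
        out.append(Variable(name, selector or None, negated, counted))
    return out

def parse_operator(spec: str) -> Tuple[str, str, bool]:
    negated = spec.startswith("!")
    spec = spec[1:] if negated else spec
    if spec.startswith("@"):
        op, _, arg = spec[1:].partition(" ")
        return op, arg, negated
    return "rx", spec, negated       # implicit regex operator

def split_actions(spec: str) -> List[str]:
    """Split on commas that are outside single-quoted action values."""
    parts, buf, quoted = [], [], False
    for ch in spec:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_actions(spec: str) -> List[Tuple[str, Optional[str]]]:
    actions = []
    for item in split_actions(spec):
        name, sep, value = item.partition(":")
        actions.append((name, value.strip("'") if sep else None))  # bare: block, log, deny
    return actions

def parse_secrule(text: str) -> SecRule:
    # CRS files continue a rule with a trailing backslash; join those lines first.
    line = re.sub(r"\\\s*\n\s*", "", text.strip())
    tokens = shlex.split(line)   # shlex turns \\ inside "..." into \ like the config reader
    if len(tokens) != 4 or tokens[0] != "SecRule":
        raise ValueError('expected: SecRule VARIABLES OPERATOR "ACTIONS"')
    op, arg, neg = parse_operator(tokens[2])
    return SecRule(parse_variables(tokens[1]), op, arg, neg, parse_actions(tokens[3]))

# Rule 944250 as listed above (tag list shortened) and the first custom FILES rule.
RULE_944250 = r'''SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \
    "id:944250,\
    phase:2,\
    block,\
    log,\
    msg:'Remote Command Execution: Suspicious Java method detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    t:lowercase,\
    tag:'language-java',\
    tag:'paranoia-level/2',\
    severity:'CRITICAL',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"'''
RULE_UPLOAD = r'''SecRule FILES "!\\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"'''

if __name__ == "__main__":
    for r in (parse_secrule(RULE_944250), parse_secrule(RULE_UPLOAD)):
        print(dict(r.actions)["id"], r.operator, r.op_negated, [v.name for v in r.variables])
```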
DDoS protection
This is L7 protection: a single IP that accesses the site too frequently within a given time window is blocked.
One advantage is that only dynamic requests are counted, not static files, since Nginx serves static files very efficiently and they are rarely the bottleneck.
SecAction \
 "id:900700,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=10',\
  setvar:'tx.dos_counter_threshold=20',\
  setvar:'tx.dos_block_timeout=86400'"


Anomaly scoring

CRS uses a configurable anomaly-scoring model: every rule that fires adds to the anomaly score, and when the score exceeds the configured threshold the transaction is blocked. The severity levels are:
Critical: anomaly score 5, indicates a probable application attack; mainly generated by the 93x and 94x files.
Error: anomaly score 4, indicates a probable data leak; mainly generated by the 95x files, which are not yet supported on nginx and nginx plus.
Warning: anomaly score 3, indicates a probable malicious client; mainly generated by the 91x files.
Notice: anomaly score 2, indicates a probable protocol violation; mainly generated by the 92x files.
By default CRS blocks inbound traffic with an anomaly score of 5 or higher, which means any transaction that triggers a Critical rule is dropped; three or more Notice-level violations will also block the transaction.
Beyond the OWASP CRS, the commercial Trustwave SpiderLabs rule set provides additional protection, such as dedicated rule sets for WordPress, Joomla, SharePoint and other applications.
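The scoring model described here, applied to the two log formats shown earlier (the per-rule `actions.lua` DENY lines and the `wafLog()` JSON entries). This is an added example, not part of the original page: it maps rule ids to severities by file family exactly as this section states (real rules carry their own `severity:` action, which may differ), and the sample log lines are constructed in the page's formats.

```python
import json
import re
from collections import defaultdict

# Severity by rule-file family, as this section describes, with the default CRS
# scores and inbound threshold. Real rules carry their own severity: action, which
# can differ from the family default, so treat this mapping as an approximation.
SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
FAMILY_SEVERITY = {"93": "CRITICAL", "94": "CRITICAL", "95": "ERROR",
                   "91": "WARNING", "92": "NOTICE"}
INBOUND_THRESHOLD = 5

# Format 1: per-rule DENY lines from actions.lua; format 2: wafLog() JSON entries.
DENY_RE = re.compile(r"actions\.lua:\d+: \[(?P<id>\d{6})")
WAFLOG_RE = re.compile(r"\[WAFLogTarget\](?P<json>\{.*\})\[WAFLogTarget\]")
TAIL_RE = re.compile(r'client: (?P<client>[\d.]+), .*?request: "(?P<request>[^"]*)"')

def rule_id_of(line: str):
    """Six-digit CRS rule id carried by the line, or None."""
    m = DENY_RE.search(line)
    if m:
        return m.group("id")
    w = WAFLOG_RE.search(line)
    if not w:
        return None
    param = json.loads(w.group("json")).get("param", "")
    p = re.match(r"(\d{6})_", param)      # e.g. "913100_REQUEST_HEADERS"
    return p.group(1) if p else None      # 'protocol' entries carry no id in param

def parse_line(line: str):
    """(rule_id, client, request) for a rule hit, or None when no id is present."""
    rule_id, tail = rule_id_of(line), TAIL_RE.search(line)
    if rule_id is None or tail is None:
        return None
    return rule_id, tail.group("client"), tail.group("request")

def score_requests(lines):
    """Sum the anomaly score of every rule hit per (client, request) and decide blocking."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            rule_id, client, request = parsed
            hits[(client, request)].append(rule_id)
    report = {}
    for key, ids in hits.items():
        score = sum(SCORES[FAMILY_SEVERITY[i[:2]]] for i in ids)
        report[key] = {"rules": ids, "score": score, "blocked": score >= INBOUND_THRESHOLD}
    return report

# Constructed sample lines in the two formats above; host and client values are the
# page's lab values, the rule combinations per request are made up for the demo.
SAMPLE_LOG = [
    r'2019/04/04 14:40:04 [alert] 5666#0: *1 [lua] actions.lua:33: [920200^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}] Rule action was DENY, ......, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"',
    r'2019/04/04 14:40:04 [alert] 5666#0: *1 [lua] actions.lua:33: [921130(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)] Rule action was DENY, ......, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"',
    r'2019/04/04 14:40:04 [alert] 5666#0: *1 [lua] actions.lua:33: [920100] Rule action was DENY, ......, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"',
    r'2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"logLevel":"INFO","actionType":"Block","AttackIp":"10.96.3.72","ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"',
    r'2019/04/04 18:04:01 [alert] 30940#0: *11 [lua] actions.lua:33: [944100java\.lang\.(?:runtime|processbuilder)] Rule action was DENY, ......, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test HTTP/1.1", host: " my.olwaf.cn:8080"',
    r'2019/07/24 22:25:27 [alert] 1#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/ HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"',
]

if __name__ == "__main__":
    for (client, request), info in score_requests(SAMPLE_LOG).items():
        print(client, request, info)
```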


REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf: session fixation
Requests that trigger it:
curl "http://my.olwaf.cn:8080/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" -v   hits the default rules and 920100
but also produces one false-positive log entry:
[WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/>","WafId":"dr2018012211225601","AttackTime":1563975927.62,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/> HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/> HTTP/1.1", host: " my.olwaf.cn:8080" 
curl --cookie "http-equiv+set-cookie=aaaaaaaa" "http://my.olwaf.cn:8080" -v 
curl http://my.olwaf.cn:8080/?weblogicsession -v 
"jsessionid"
"aspsessionid"
"asp.net_sessionid"
"phpsession"
"phpsessid"
"weblogicsession"
"session_id"
"session-id"
"cfid"
"cftoken"
"cfsid"
"jservsession"
"jwsession"
--------------------------------------------------------------------------------- 
Cannot trigger it, but hits 921130:
curl --cookie "SESSIONID=<meta http-equiv="set-cookie" content=sessionattack=123456;expires=Friday,12-Jan-200118:18:18GMT;path=/>" "http://my.olwaf.cn:8080" -v 
The cookie is split into a table:
path/> 
expiresFriday,12-Jan-200118:18:18GMT 
http-equivset-cookie 
SESSIONID<meta 
contentsessionattack=123456 
^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession) Note: this rule converts the target string to lowercase and
The (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b) rule is matched against the following fields:
/> 
Friday,12-Jan-200118:18:18GMT 
set-cookie 
<meta 
sessionattack=123456 
path 
expires 
http-equiv 
SESSIONID 
content 
---------------------------------------------------------------------------------- 
Hits 921130:
curl --cookie "SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" "http://my.olwaf.cn:8080" -v 
The (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b) rule is matched against the following fields one by one:
<meta 
sessionattack%3d123456 
SESSION 
http-equiv%3dset-cookie content 
The ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession) rule is matched against the following fields:
session 
http-equiv=set-cookie content 


curl --referer "https://attacktest/" http://my.olwaf.cn:8080/?weblogicsession -v   blocked and logged: Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer","logdata":"Matched Data: https:\/\/sadasd\/ found within TX: ","id":"943110

curl http://my.olwaf.cn:8080/?weblogicsession -v   blocked and logged: Matched Data: 0 found within REQUEST_HEADERS: 0","match":0,"msg":"Possible Session Fixation Attack: SessionID Parameter Name with No Referer

In strict mode, all of the requests above are caught.
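To see why the 943 patterns miss the first cookie while 921130 still fires, the following added example (not the page's WAF code) splits the Cookie header the way the tables above show, runs the quoted patterns over the fragments and over the raw header, and reports which fields match. The splitting rule is inferred from the two tables and labelled as an assumption in the code; the `url_decode` flag stands in for t:urlDecodeUni.

```python
import re
from urllib.parse import unquote

# The patterns quoted above: 943100, the 943 session-id name list, and 921130.
RE_943100 = re.compile(r"(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)")
RE_SESSION_NAMES = re.compile(r"^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid"
                              r"|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)")
RE_921130 = re.compile(r"(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)")

# Assumption, inferred from the two cookie tables above rather than taken from the WAF's
# source: every ';' segment is scanned repeatedly for NAME=VALUE, where NAME runs up to
# the next '=' and VALUE stops at a quote or whitespace.
PAIR_RE = re.compile(r'([^=]+)="?([^"\s]*)"?')

def split_cookie_like_waf(header: str):
    """Cookie header -> list of (name, value) fragments, as the tables above show them."""
    pairs = []
    for segment in header.split(";"):
        for m in PAIR_RE.finditer(segment):
            pairs.append((m.group(1).strip(), m.group(2)))
    return pairs

def transform(field: str, url_decode: bool) -> str:
    # mirrors t:lowercase, plus t:urlDecodeUni when url_decode is set
    return (unquote(field) if url_decode else field).lower()

def fragments_hit(header: str, pattern, url_decode: bool = False):
    """Fragments (names and values, after transforms) that the pattern matches."""
    hits = []
    for name, value in split_cookie_like_waf(header):
        for f in (transform(name, url_decode), transform(value, url_decode)):
            if f and pattern.search(f):
                hits.append(f)
    return hits

def raw_header_hit(header: str, pattern, url_decode: bool = False) -> bool:
    """The same pattern run once over the whole Cookie header instead of its fragments."""
    return pattern.search(transform(header, url_decode)) is not None

def session_name_hits(header: str):
    """Cookie names that the 943 session-id name list recognises."""
    return [n.lower() for n, _ in split_cookie_like_waf(header)
            if RE_SESSION_NAMES.search(n.lower())]

# The two Cookie headers from the curl tests above.
COOKIE_PLAIN = ('SESSIONID=<meta http-equiv="set-cookie" content=sessionattack=123456;'
                'expires=Friday,12-Jan-200118:18:18GMT;path=/>')
COOKIE_ENCODED = ('SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;'
                  'expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>')

if __name__ == "__main__":
    for hdr in (COOKIE_PLAIN, COOKIE_ENCODED):
        print(split_cookie_like_waf(hdr))
        print("943100 on fragments:", fragments_hit(hdr, RE_943100, url_decode=True),
              "| on raw header:", raw_header_hit(hdr, RE_943100, url_decode=True))
        print("921130 on fragments:", fragments_hit(hdr, RE_921130))
```

The raw-header check is the practical takeaway: a pattern that needs two tokens adjacent (`http-equiv` next to `set-cookie`) cannot match once the tokenizer has put them in separate table cells, so it should also be evaluated against the unsplit header value.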


Commonly used test cases:

curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data
curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakjjd1;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; " http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/waf_http_error/note.xml?aaa=test -v
curl -X "POST" -H "Content-Type: " --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl -H "Origin: http://www.aibi.com" http://my.olwaf.cn:8080 -v
curl -H "Origin: http://www.test.com" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "X-Forwarded-For: client1, client2, client3" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d "abc=admin&passwd=12345678" http://my.olwaf.cn:8080 -v

Raw request lines:
GET /index.html?id=1%29%29%29%20AND%204854%3D4854%20AND%20%28%28%289491%3D9491
GET /index.html?id=1%EF%BC%87%20AND%208116%3D9451%20AND%20%EF%BC%87syvX%EF%BC%87%3D%EF%BC%87syvX HTTP/1.1\r\n
GET /index.html?id=1%22%29%20AND%202421%3D6292%20AND%20%28%22Afhp%22%20LIKE%20%22Afhp HTTP/1.1\r\n

curl "http://my.olwaf.cn:8080/index.html?a=b&b=cc <DIV STYLE=behaviour: url(' http://www.how-to-hack.org/exploit.html');>"
