Added libinjection SQLi rule for last path segment #1329
The new rule is a sibling of rule 942100 that adds a libinjection of the last path segment
theMiddleBlue
left a comment
Thanks @theseion
I've understood the problem and this seems to be a good start. You just need to fix the rule a bit, and idk if this is suitable for PL1 (let's see what the other devs say about it).
| setvar:'tx.msg=%{rule.msg}',\ | ||
| setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ | ||
| chain" | ||
| SecRule TX:1 "@detectSQLi" |
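Review bot: the chained `SecRule TX:1 "@detectSQLi"` has no actions argument, and the `setvar` actions sit on the chain starter, where they fire whenever the starter's own operator matches rather than only when the whole chain matches. Move the `setvar` actions (`tx.msg`, the `OWASP_CRS/WEB_ATTACK/SQL_INJECTION` variable, and the anomaly score increment) into the actions of the chained rule so they are applied only after `@detectSQLi` matches.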
missing action on the chained SecRule (3rd argument)
Thanks. I've just pushed a commit where the setvar actions have been moved to the chained rule, as they would be evaluated every time otherwise.
I thought about putting the rule in PL1 but I don't know what the implications are for FPs.
I don't understand why the test fails. Chained rules don't need IDs AFAIK.
If I'm not wrong, it always needs an action. For example, you can move
- only log when actually blocking and not on every request
- remove all slashes from the beginning of REQUEST_FILENAME (there may be more than one)
Sorry about the noise. This should conclude any updates to the rule for now; I have it running in production.
Since this uses
Suggested by @spartantri, as the chained rule doesn't perform anti-evasion transformations.
Thanks. I've pushed an update with
Tests please. Tons of them 😄
| severity:'CRITICAL',\ | ||
| chain" | ||
| SecRule TX:1 "@detectSQLi" \ | ||
| "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ |
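Review bot: the chained rule increments `tx.anomaly_score_pl1`, while the thread places this rule at PL2; the score variable must match the paranoia level the rule is filed under, otherwise the hit is attributed to the wrong level. Use `tx.anomaly_score_pl2` here (or the pl3 variable if the rule is moved to PL3 as requested later in the thread) and keep it consistent with the paranoia-level marker the rule sits behind.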
If this is PL2 you need to increment pl2.
Fixed, thanks.
Suggested by @fgsch
| # | ||
| # This is a sibling of rule 942100 that adds checking of the last path segment. | ||
| # | ||
| SecRule REQUEST_FILENAME "@rx ^/+(.*)$" \ |
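Review bot: the comment says the rule checks the last path segment, but `^/+(.*)$` captures everything after the leading slashes, so TX:1 receives the whole path minus its leading slashes rather than the final segment. Either change the capture to take only the text after the last slash (for example `^/+(?:.*/)?([^/]*)$`, which also copes with several leading slashes) or reword the comment to say the full path is checked; the pattern and the comment should agree before merge.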
I don't think this does what you think it does. REQUEST_FILENAME will have the whole path, not the last segment.
Please update the comment.
Can you explain a bit more why you are using rx and not simply passing the path to detectSQLi?
Thanks for pointing that out. I don't think there is a variable, then, which holds that information, is there? I'll update the regular expression to parse out the last segment then.
libinjection is more likely to fail when passing the path, at least that is what my tests showed. E.g. the following string produces a match: `999999.1 union select unhex(hex(version())) -- and 1=1`, while this doesn't: `/999999.1 union select unhex(hex(version())) -- and 1=1` (tested directly with libinjection). So to be safe I don't want the slashes in there.
Maybe I could pass the entire path with the slashes replaced... But I don't know what that would do to the detection capabilities.
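As an added illustration (not code from this PR or from the CRS rule set): the PR's capture pattern `^/+(.*)$` beside an alternative pattern that captures only the last path segment, run over a few constructed paths so it is visible what each one would hand to the detector; the second pattern and the `compare` helper are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Pattern as proposed in the PR: strips leading slashes but captures
# the whole remaining path, not just the last segment.
WHOLE_PATH = re.compile(r"^/+(.*)$")

# Alternative pattern (this example's assumption, not the PR's code):
# skip every leading slash, optionally skip everything up to the final
# slash, then capture only the last segment (possibly empty).
LAST_SEGMENT = re.compile(r"^/+(?:.*/)?([^/]*)$")


def capture_whole_path(request_filename: str) -> Optional[str]:
    """What TX:1 holds under the PR's regex, or None if it does not match."""
    m = WHOLE_PATH.match(request_filename)
    return m.group(1) if m else None


def capture_last_segment(request_filename: str) -> Optional[str]:
    """The last path segment with all leading slashes removed, or None."""
    m = LAST_SEGMENT.match(request_filename)
    return m.group(1) if m else None


# Constructed sample paths. The last two reuse strings quoted in this thread:
# the injection string the author tested and a Drupal advagg-style file name.
SAMPLES: List[str] = [
    "/index.php",
    "//static/app.js",                 # more than one leading slash
    "/api/v1/users/",                  # trailing slash: last segment is empty
    "/",                               # root: both captures are empty
    "/999999.1 union select unhex(hex(version())) -- and 1=1",
    "/sites/default/files/advagg_js/js__8Cefk7UudAKRWCZ23BiLQNs5GDGwHszGZfd5m3bBkno.js",
]


def compare(paths: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Pair each path with the PR's capture and the last-segment capture."""
    return [(p, capture_whole_path(p), capture_last_segment(p)) for p in paths]


if __name__ == "__main__":
    for path, whole, last in compare(SAMPLES):
        print(f"{path!r}\n  PR regex   -> {whole!r}\n  last seg   -> {last!r}")
```

For the injection string both patterns yield the same text because it has no inner slash; for every multi-segment path the PR's pattern still hands the full slash-separated path to the detector, which is exactly the case the author found libinjection misses.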
Sorry, I pasted the wrong link. I've updated it now.
Can you use that instead and squash the commits?
Put it in PL3 please. This will lead to many FPs. We run PL2 as default. For example: aggregation of js or css won't be supported anymore.
Sure. Out of curiosity, could you give an example of what you mean by aggregation?
@theseion sure: /sites/default/files/advagg_js/js__8Cefk7UudAKRWCZ23BiLQNs5GDGwHszGZfd5m3bBkno__2XMzkOnobbuTwYFViZn-Z2zlJnQLv6vUbBpBt-8Bpsw__dwrExSTRu6UuvuQxBPkJ0DQAptvitAf5_8JXXxvP9nQ.js. I can give you a lot of pages where stuff like that is very common. Take a look at the URL https://www.land.nrw/; it's the page for the state of North Rhine-Westphalia in Germany, hosted by the government.
@emphazer will this FP on SQLi or XSS?
Thanks for the reviews and explanations everyone! I've pushed an update where all your concerns should be addressed.
I think this is on the right track but I'd like to see some tests.
@emphazer are you saying libinjection will detect
@fgsch no, that's just an example.
@emphazer The format for this aggregator is fixed (
Here are 2 examples which matched
@emphazer I stand corrected. You are right.
@theseion have you seen my comment at #1329 (comment)?

Yes but I hadn't seen the update. That edit makes more sense ;)
@theseion great, thank you! Let us know if you need a hand or two :)
Very nice contribution @theseion, we'd love to include this in the next release. Paranoia Level 3 seems alright to prevent false positives in the default install. Let us know if you have any trouble with the tests.
@theseion any updates on this?
Not yet, sorry. It's on my list though.
Hey @theseion. Any way we can entice you to complete this? 😉
Hm... Wine? 😜 I know, I should be working on this... I haven't forgotten, I promise.
This is a welcome PR and it's time we merge this. Summing up the remaining issues:
If you have time to do this within the next week, please do @theseion. If not, I'll take it over and probably push a new PR with the same functionality.
No, I won't have time this week, sorry. Thanks for your help!
OK. Feel free to bring the wine to the next CRS meetup. ;)

The new rule is a sibling of rule 942100 that adds a libinjection of the last path segment.
Fixes #1328