From a30f1f639c603de991531bd6dec00f507c80368e Mon Sep 17 00:00:00 2001
From: dune73
Date: Mon, 2 Mar 2020 20:07:09 +0100
Subject: [PATCH 1/2] New ldap injection rule 921200
---
 rules/REQUEST-921-PROTOCOL-ATTACK.conf | 30 +++
 .../REQUEST-921-PROTOCOL-ATTACK/921200.yaml | 174 ++++++++++++++++++
 2 files changed, 204 insertions(+)
 create mode 100644 tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 68593633a..70a92e474 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -219,6 +219,36 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
+ "id:921200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,\
+ msg:'LDAP Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ldap',\
+ tag:'platform-multi',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.2.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
new file mode 100644
index 000000000..fd98119c1
--- /dev/null
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
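Review bot: Rule 921200 carries only the `tag:'application-multi'`, `tag:'language-ldap'` and `tag:'platform-multi'` tags; if, as in the other 921xxx rules of CRS 3.2, the sibling rules in this file (not visible in the hunk) also carry `tag:'attack-protocol'`, `tag:'paranoia-level/1'` and `tag:'OWASP_CRS'`, the new rule will be missing from every report, dashboard and exclusion that keys on those tags, so those three lines should be added after `tag:'platform-multi',\`. The placement is otherwise consistent: the rule sits in the PL1 block ahead of the `@lt 2` skip rules 921013/921014 and adds to `tx.anomaly_score_pl1`. The `ver:'OWASP_CRS/3.2.0'` string should name the release this lands in; if the target is the development branch rather than 3.2 it will need the next version string. The `[ Rule Logic ]` comment would help maintainers more if it said in one sentence what the expression looks for — a closing parenthesis followed by an LDAP filter operator or by the start of a new filter component — since the regex itself is hard to read.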
@@ -0,0 +1,174 @@
+---
+ meta:
+ author: "Christian Folini"
+ description: "LDAP injection"
+ enabled: true
+ name: 921200.yaml
+ tests:
+ -
+ test_title: 921200-1
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-2
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-3
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-4
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=bar)(&)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-5
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=printer)(uid=*)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-6
+ desc: "Testing for rule, this should trigger"
+ stages:
+ -
stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=void)(objectClass=users))(&(objectClass=void)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-7
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=eb9adbd87d)!(sn=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-8
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=*)!(sn=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-9
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=*)(uid=*))(|(uid=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-10
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=aaa*aaa)(cn>=bob)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
From 7cd9c60854f04021a1ebc7f0e5029196d2031313 Mon Sep 17 00:00:00 2001
From: dune73
Date: Mon, 2 Mar 2020 20:24:26 +0100
Subject: [PATCH 2/2] Fixes for 2 tests in 921200
---
 .../regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
index fd98119c1..80094eab0 100644
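Review bot: In tests 921200-4 through 921200-10 the `input` mapping appears to contain `port: 80` twice — once after `headers` and again after `uri: "/"` — while tests 921200-1 to -3 have it once; a duplicate key is invalid in YAML 1.2 and most loaders silently keep the last occurrence (yamllint reports it as `key-duplicates`), so the second `port: 80` line should be dropped from each of those seven tests. The indentation of this hunk is flattened in the rendering, so the exact nesting of the two keys should be confirmed against the file, but the second commit's context (` uri: "/"` followed by ` port: 80`) shows the same pattern. The `name: 921200.yaml` and `test_title: 921200-1` scalars are left plain while every other string in the file is double-quoted; quoting them, e.g. `name: "921200.yaml"`, keeps the file's own convention and avoids any future reader wondering whether a bare value is intended as something other than a string.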
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
@@ -65,7 +65,7 @@
 User-Agent: "ModSecurity CRS 3 Tests"
 port: 80
 method: POST
- data: "foo=bar)(&)"
+ data: "foo=bar)(%26)"
 uri: "/"
 port: 80
 output:
@@ -99,7 +99,7 @@
 User-Agent: "ModSecurity CRS 3 Tests"
 port: 80
 method: POST
- data: "foo=void)(objectClass=users))(&(objectClass=void)"
+ data: "foo=void)(objectClass=users))(%26(objectClass=void)"
 uri: "/"
 port: 80
 output:
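Review bot: Nothing in the file records why `&` is spelled `%26` in these two `data` values, so the next person touching tests 921200-4 and 921200-6 is likely to restore the raw character and silently split the payload into a second form parameter, leaving `foo` with a value the rule never sees; I would add a short YAML comment above each changed `data:` line, e.g. `# '&' is percent-encoded so the whole value stays in the single parameter foo`. Whether the harness re-encodes a body that already contains `%xx` sequences cannot be told from the hunk, so the wording of the comment should be checked against the harness behaviour. The same encoding is already used by tests 921200-1 and -3, so the comment could equally go once at the top of the `tests` list. The second hunk (`@@ -99,7 +99,7 @@`) has the same point.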