Skip to content
This repository was archived by the owner on May 14, 2020. It is now read-only.

Commit 4280ccb

Browse files
theMiddleBluetheMiddleBlue
committed
fix rule regex due to remove t:removeComments
1 parent 2ee292e commit 4280ccb

File tree

2 files changed

+98
-12
lines changed

2 files changed

+98
-12
lines changed

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -699,16 +699,18 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
699699

700700
#
701701
# Prevent 941180 bypass by using JavaScript global variables
702+
# Refer to: https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/
703+
#
702704
# Examples:
703705
# - /?search=/?a=";+alert(self["document"]["cookie"]);//
704706
# - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
705707
#
706-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*\)*(?:\[[^\]]+\]|\.\s*document|\.\s*cookie)" \
708+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*(?:/\*|[\[)]).+?(?:\]|\*/)" \
707709
"id:941370,\
708710
phase:2,\
709711
block,\
710712
capture,\
711-
t:none,t:removeComments,t:urlDecodeUni,\
713+
t:none,t:urlDecodeUni,t:compressWhitespace,\
712714
msg:'JavaScript global variable found',\
713715
logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
714716
tag:'application-multi',\

util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml

Lines changed: 94 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
tests:
88
-
99
test_title: 941370-1
10-
desc: "Filter bypass using JS global variable"
10+
desc: "Bypass using comment in syntax and multiple whitespaces"
1111
stages:
1212
-
1313
stage:
@@ -17,13 +17,13 @@
1717
Host: localhost
1818
method: GET
1919
port: 80
20-
data: "a=\";document+%2f%2A+foo+%2A%2f+%5B+%22cookie%22+%5D;%2f%2f"
20+
data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie"
2121
version: HTTP/1.1
2222
output:
2323
log_contains: id "941370"
2424
-
2525
test_title: 941370-2
26-
desc: "Filter bypass using JS global variable"
26+
desc: "Bypass using comments in syntax"
2727
stages:
2828
-
2929
stage:
@@ -33,13 +33,13 @@
3333
Host: localhost
3434
method: POST
3535
port: 80
36-
data: "a=\";window+%2f%2A+foo+%2A%2f+.+document+.+%2f%2A+bar+%2A%2f+cookie%2f%2f"
36+
data: "a=document%2F%2Afoo%2A%2F.%2F%2Abar%2A%2Fcookie"
3737
version: HTTP/1.1
3838
output:
3939
log_contains: id "941370"
4040
-
4141
test_title: 941370-3
42-
desc: "Filter bypass using JS global variable"
42+
desc: "Bypass using JavaScript global variables"
4343
stages:
4444
-
4545
stage:
@@ -49,13 +49,13 @@
4949
Host: localhost
5050
method: GET
5151
port: 80
52-
data: "a=document.cookie"
52+
data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29"
5353
version: HTTP/1.1
5454
output:
5555
log_contains: id "941370"
5656
-
5757
test_title: 941370-4
58-
desc: "Filter bypass using JS global variable"
58+
desc: "Bypass using JavaScript global variables and comments in syntax"
5959
stages:
6060
-
6161
stage:
@@ -65,13 +65,13 @@
6565
Host: localhost
6666
method: GET
6767
port: 80
68-
data: "a=document .cookie"
68+
data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
6969
version: HTTP/1.1
7070
output:
7171
log_contains: id "941370"
7272
-
7373
test_title: 941370-5
74-
desc: "Filter bypass using JS global variable"
74+
desc: "Bypass using JavaScript global variables and string concatenation"
7575
stages:
7676
-
7777
stage:
@@ -81,8 +81,92 @@
8181
Host: localhost
8282
method: GET
8383
port: 80
84-
data: "a=document%5B%27cookie%27%5D"
84+
data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
8585
version: HTTP/1.1
8686
output:
8787
log_contains: id "941370"
8888

89+
-
90+
test_title: 941370-6
91+
desc: "Bypass using JavaScript global variables and comments in syntax"
92+
stages:
93+
-
94+
stage:
95+
input:
96+
dest_addr: 127.0.0.1
97+
headers:
98+
Host: localhost
99+
method: GET
100+
port: 80
101+
data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29"
102+
version: HTTP/1.1
103+
output:
104+
log_contains: id "941370"
105+
106+
-
107+
test_title: 941370-7
108+
desc: "Bypass using JavaScript global variables and jQuery globalEval"
109+
stages:
110+
-
111+
stage:
112+
input:
113+
dest_addr: 127.0.0.1
114+
headers:
115+
Host: localhost
116+
method: GET
117+
port: 80
118+
data: "a=self%5B%22%24%22%5D%5B%22globalEval%22%5D%28%22alert%281%29%22%29"
119+
version: HTTP/1.1
120+
output:
121+
log_contains: id "941370"
122+
123+
-
124+
test_title: 941370-8
125+
desc: "Bypass using JavaScript global variables and hex escape sequence"
126+
stages:
127+
-
128+
stage:
129+
input:
130+
dest_addr: 127.0.0.1
131+
headers:
132+
Host: localhost
133+
method: GET
134+
port: 80
135+
data: "a=self%5B%22%5Cx24%22%5D"
136+
version: HTTP/1.1
137+
output:
138+
log_contains: id "941370"
139+
140+
-
141+
test_title: 941370-9
142+
desc: "Bypass trying to access document.cookie using alternative syntax like (document)['cookie']"
143+
stages:
144+
-
145+
stage:
146+
input:
147+
dest_addr: 127.0.0.1
148+
headers:
149+
Host: localhost
150+
method: GET
151+
port: 80
152+
data: "a=%28document%29%5B%22cookie%22%5D"
153+
version: HTTP/1.1
154+
output:
155+
log_contains: id "941370"
156+
157+
-
158+
test_title: 941370-10
159+
desc: "Bypass trying to access document.cookie using alternative syntax and comments like (document/*foo*/)['cookie']"
160+
stages:
161+
-
162+
stage:
163+
input:
164+
dest_addr: 127.0.0.1
165+
headers:
166+
Host: localhost
167+
method: GET
168+
port: 80
169+
data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D"
170+
version: HTTP/1.1
171+
output:
172+
log_contains: id "941370"

0 commit comments

Comments
 (0)