Merge pull request #1591 from theMiddleBlue/bkp-extension-and-more

fgsch · web-flow · commit e761ae610ae2 · 2019-11-04T23:19:49.000Z
New rule 920500: block backup extensions
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1030,6 +1030,31 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
         "t:none,t:urlDecodeUni,t:lowercase,\
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
+#
+# Backup or "working" file extension
+# example: index.php~, /index.php~/foo/
+#
+SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
+    "id:920500,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Attempt to access a backup or working file',\
+    logdata:'%{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',\
+    tag:'WASCTC/WASC-15',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
 #
 # Restricted HTTP headers
 #
diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml
@@ -0,0 +1,49 @@
+---
+  meta:
+    author: "Andrea Menin"
+    enabled: true
+    name: "920500.yaml"
+    description: "Tests for backup or working file extensions"
+  tests:
+    - test_title: 920500-1
+      desc: "Check request filename ends with ~"
+      stages:
+        - stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "GET"
+              uri: "/index.php~"
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+            output:
+              log_contains: "id \"920500\""
+    - test_title: 920500-2
+      desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
+      stages:
+        - stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "GET"
+              uri: "/index.php~/foo/bar/"
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+            output:
+              log_contains: "id \"920500\""
+    - test_title: 920500-3
+      desc: "Rules 920500 should not block user dir such as /~user/"
+      stages:
+        - stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "GET"
+              uri: "/~user/"
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+            output:
+              no_log_contains: "id \"920500\""
