From 9619804f2c210b0e804332ce3eaea2b827505d0d Mon Sep 17 00:00:00 2001
From: "Federico G. Schwindt"
Date: Thu, 31 Oct 2019 16:43:21 +0900
Subject: [PATCH 1/2] Revert #578

Stop decoding things twice. See #590 for details.
---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +-
 rules/REQUEST-921-PROTOCOL-ATTACK.conf | 10 +++++-----
 rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 8 ++++----
 rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 ++--
 rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf | 10 +++++-----
 ...EQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf | 4 ++--
 6 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 7033c7923..1bc899897 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1522,7 +1522,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
 log,\
 msg:'Abnormal character escapes in request',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 338ac33a3..5fc70c476 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -35,7 +35,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
 msg:'HTTP Request Smuggling Attack',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
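Review bot: In the @@ -1522 hunk, dropping t:urlDecodeUni removes the only URL-decoding pass for two of this rule's four targets: ARGS and ARGS_NAMES are already URL-decoded by the engine when it parses the request, so the second pass was redundant for them, but REQUEST_URI and REQUEST_HEADERS are, as far as I know, matched as received on the wire. After this change a percent-encoded escape sequence in the path or in a header is no longer visible to the `@rx` pattern while the same bytes in a query argument still are, so for this rule the revert changes detection coverage rather than only de-duplicating decoding (presumably restoring the pre-#578 state, which is fine if deliberate). If that is accepted, it deserves a comment next to the transformation list, e.g. `# t:urlDecodeUni intentionally omitted (see #590): ARGS are engine-decoded; REQUEST_URI/REQUEST_HEADERS are matched undecoded`; otherwise the raw-URI and header targets may need to keep a decode of their own. The SecRule header, rule id and full regex are outside the hunk, so this is judged from the target list shown in the hunk header only.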
@@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:lowercase,\
+ t:none,t:lowercase,\
 msg:'HTTP Response Splitting Attack',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
 msg:'HTTP Response Splitting Attack',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -154,7 +154,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+ t:none,t:htmlEntityDecode,\
 msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -176,7 +176,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 phase:1,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
 msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 933fa0fd3..7cc6adfc9 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -318,7 +318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
+ t:none,t:cmdLine,t:lowercase,\
 msg:'Remote Command Execution: Windows PowerShell Command Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,\
+ t:none,t:cmdLine,\
 msg:'Remote Command Execution: Unix Shell Expression Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -406,7 +406,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,\
+ t:none,t:cmdLine,\
 msg:'Remote Command Execution: Windows FOR/IF Command Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -498,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
+ t:none,t:cmdLine,t:normalizePath,t:lowercase,\
 msg:'Remote Command Execution: Unix Shell Code Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 2c4233574..9558d2f41 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
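Review bot: The rewritten transformation line in the @@ -498 hunk spells the path transformation `t:normalizePath`, while the rewritten line in the 933 hunk at @@ -117 spells it `t:normalisePath`. ModSecurity accepts both names, so this is a style point only, but since both lines are being touched anyway, settling on one spelling across the rule set would make grepping for the transformation reliable. The SecRule headers of both rules are outside their hunks.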
@@ -48,7 +48,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:lowercase,\
+ t:none,t:lowercase,\
 msg:'PHP Injection Attack: PHP Open Tag Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
+ t:none,t:normalisePath,t:lowercase,\
 msg:'PHP Injection Attack: Configuration Directive Found',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 5dbe1459f..ef1ba9930 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -624,7 +624,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+ t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
 msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -656,7 +656,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+ t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
 msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
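Review bot: The new transformation lines in the 941 hunks at @@ -624 and @@ -656 still carry `t:urlDecode` after the engine's own URL-decoding of ARGS, so these two rules deliberately keep a second decode pass even though the commit is titled as stopping double decoding; the 941350.yaml test adjusted in patch 2/2 depends on exactly that extra layer, its URI being double percent-encoded. Because the commit message reads as a blanket removal, a later cleanup could strip `t:urlDecode` here as well and silently lose the double-encoding coverage these rules exist for. A one-line comment above each rule would pin the intent, e.g. `# t:urlDecode is deliberate: this rule looks for payloads under a second layer of percent-encoding (the engine decodes ARGS once); see #590`. Both SecRule headers and rule ids lie outside the hunks, so the mapping to the 941350 test is inferred from the test file name and the UTF-7 msg text.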
@@ -885,7 +885,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
+ t:none,t:jsDecode,t:lowercase,\
 msg:'Possible XSS Attack Detected - HTML Tag Handler',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -910,7 +910,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
+ t:none,t:htmlEntityDecode,t:compressWhitespace,\
 msg:'IE XSS Filters - Attack Detected.',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -938,7 +938,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
+ t:none,t:htmlEntityDecode,t:compressWhitespace,\
 msg:'IE XSS Filters - Attack Detected.',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 4bb7f4dec..a32cedbcf 100644
--- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -56,7 +56,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:lowercase,\
+ t:none,t:lowercase,\
 msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\
@@ -85,7 +85,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 phase:2,\
 block,\
 capture,\
- t:none,t:urlDecodeUni,t:lowercase,\
+ t:none,t:lowercase,\
 msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
 logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
 tag:'application-multi',\

From c67ed8bc40c6579b95536655b9c121be4246df38 Mon Sep 17 00:00:00 2001
From: "Federico G. Schwindt"
Date: Thu, 31 Oct 2019 17:08:04 +0900
Subject: [PATCH 2/2] Adjust test

---
 .../tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
index 6f154ba45..012d2ed68 100644
--- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
+++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml
@@ -15,7 +15,7 @@
 dest_addr: 127.0.0.1
 method: GET
 port: 80
- uri: /xx?id=%25252bADw-script%25252bAD4-
+ uri: /xx?id=%252bADw-script%252bAD4-
 headers:
 Accept: "*/*"
 Host: localhost
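Review bot: The new uri value in the 941350.yaml hunk is still double percent-encoded (`%252b` decodes to `%2b`, not to `+`), which is what makes this a regression test for the rule's remaining `t:urlDecode` pass on top of the engine's own decoding of ARGS; nothing in the YAML says so, and the reason the encoding depth dropped from three layers to two lives only in the commit message of patch 1/2. A short comment on the line would keep the next editor from "simplifying" it, e.g. `# double-encoded on purpose: the engine decodes once, the rule's t:urlDecode decodes again`. The test's expected-output section is outside the hunk, so whether it still asserts the intended rule id cannot be checked here.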