Skip to content

Commit cdb34d7

Browse files
terrancedejesusterrancedejesus
committed
removed constructor requirement
1 parent 0d483ba commit cdb34d7

File tree

1 file changed

+5
-5
lines changed

1 file changed

+5
-5
lines changed

rules/network/initial_access_react_server_components_rce_attempt.toml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -76,16 +76,16 @@ network where http.request.method == "POST" and
7676
// Successful CVE-2025-55182 RCE - command output in digest
7777
(
7878
http.response.status_code in (500, 303) and
79-
http.response.body.content like "*E{\"digest\"*" and
79+
http.response.body.content like~ "*E{\"digest\"*" and
8080
http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*"""
81-
8281
) or
83-
// Prototype pollution patterns specific to RSC Flight exploitation
84-
( http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and (
82+
// Prototype pollution attempts in RSC Flight data (never legitimate)
83+
(
84+
http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and
8585
(
8686
http.request.body.content like~ "*__proto__*" or
8787
http.request.body.content like~ "*prototype*"
88-
) and http.request.body.content like~ "*constructor*")
88+
)
8989
)
9090
)
9191
'''

0 commit comments

Comments
 (0)