Introduction to the OWASP Core Rule Set
The most important factor in evaluating a WAF's effectiveness is how well it defends against attacks.
Here is the OWASP ModSecurity checklist of vulnerabilities it defends against:
Scanners
Malicious crawlers
Webshells (Trojans)
Webshell upload: file upload
Webshell connection: get|post|cookie
SQLi/blind SQLi/reflected SQLi/stored SQLi: get|post|referer|cookie|x_forwarded_for|ua|basic-authorization
LFI/RFI: get lfi/rfi, post lfi/rfi, cookie lfi/rfi, data:// URI, php://input, php://filter, get directory traversal, post directory traversal
File upload: php, asp(x), jsp, RCE, struts2, nginx CVE, PHP CGI, get rce, post rce
XSS/reflected XSS/stored XSS/DOM XSS/CSRF/flash xss/json xss: get, post
Code injection: get code injection, post code injection
XPath injection
LDAP injection
XML injection
Expression language injection
Server side includes injection
Server side request forgery
HTTP response splitting
CRLF injection
Server-side file parsing vulnerabilities
Sensitive information leakage: info leak, svn/cvs, exposed admin backends
HTTP parameter pollution
Brute force (weak passwords)
DoS
Slow HTTP DoS
URL redirect
Session fixation / easily-guessable session IDs
Session hijacking
Comment spam
Anti-virus
Access control (vertical, horizontal) / unauthorized file exposure (download)
Logic flaws
Protocol anomalies:
Malformed request line
Abnormal file names
Request body parsing errors
Multipart request body parsing errors
Content-Length anomalies
Content-Encoding anomalies
Range anomalies
Request-Range anomalies
Expect anomalies
Connection anomalies
Pragma, Cache-Control
Host anomalies
User-Agent anomalies
Accept anomalies
X-Forwarded-For anomalies
Encoding anomalies: URL-encoding anomalies, UTF-8 anomalies, missing or inconsistent charset settings
Cookie Domain/httponly/secure misconfiguration
Security header misconfiguration: X-XSS-Protection, X-FRAME-OPTIONS, X-Content-Type-Options
Protocol restrictions:
Allowed request methods: GET/POST/HEAD
Allowed protocol versions: HTTP/1.0 or HTTP/1.1
Allowed Content-Type values
Allowed file extensions
Allowed request headers
Length limits:
Parameter name length limit
Parameter value length limit
Limit on the number of parameters
Total size of all parameters
Upload file size limit
Total upload size limit
Encoding restrictions
Malicious proxies
CRS rule set test cases
90x files: exclusions for false positives
91x files: rules detecting malicious clients
92x files: rules detecting protocol violations
93x and 94x files: rules detecting application attacks (SQL) or command execution attacks
95x files: rules detecting outbound data leakage; not supported on nginx and nginx plus
.data files: data used by the rules
Content-Type check regex: ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$
Hits rule id 920200, regex ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}:
curl -H "Range: bytes=100-200 , 100-200, 100-200, 100-200, 100-200, 100-200, " http://my.olwaf.cn:8080 -v
Returns 403, the rule hit is unknown:
curl -H 'Content-Type: aaaaaaaaaa;boundary=-----------aaaaaaaaa"' http://my.olwaf.cn:8080 -v
Hits rule 921130 (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b):
curl --cookie "test=<html>aaaaaaaa</html>
Hits REQUEST-930-APPLICATION-ATTACK-LFI.conf, rule id 930120, lfi-os-files.data entry system32/inetsrv/config/applicationhost.config:
curl --cookie "system32/inetsrv/config/applicationhost.config=.ssh/id_dsa.pub" http://my.olwaf.cn:8080 -v
REQUEST-932-APPLICATION-ATTACK-RCE.conf
Hits 932130 (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\)):
curl --cookie "<(adasdas)=Test-ComputerSecureChannel" http://my.olwaf.cn:8080 -v
Hits 932160:
[932160] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "usr/bin/python3=Test-ComputerSecureChannel" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
Hits 932170:
[932170^\(\s*\)\s+{] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "( ) {=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
REQUEST-933-APPLICATION-ATTACK-PHP.conf
[933110.*\.(?:php\d*|phtml)\.*$] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl -H "X-Filename: s.phtml." http://my.olwaf.cn:8080 -v
[933120] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "auto_globals_jit=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
[lua] actions.lua:30: [933190] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "?>=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v
actions.lua:33: [933111.*\.(?:php\d*|phtml)\..*$] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl -H "X-Filename: a.phtml.adsas" http://my.olwaf.cn:8080 -v
REQUEST-941-APPLICATION-ATTACK-XSS.conf
[941320<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?<keygen> HTTP/1.1", host: " my.olwaf.cn:8080"
curl "http://my.olwaf.cn:8080/?<keygen>" -v
2019/04/04 14:40:04 [alert] 5666#0: *1230 [lua] actions.lua:33: [941150(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --user-agent "sdas src =qqqqqqqqqqq" http://my.olwaf.cn:8080 -v
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
2019/04/04 15:07:46 [alert] 4466#0: *87 [lua] actions.lua:33: [942432((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>]*?){2})] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?$> HTTP/1.1", host: " my.olwaf.cn:8080"
curl "http://my.olwaf.cn:8080/?$>" -v
2019/05/06 15:22:26 [alert] 4482#0: *175 [lua] actions.lua:33: [942421((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>]*?){3})] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "[][=qqqqqqqqqqq" http://my.olwaf.cn:8080 -v
2019/04/04 15:25:46 [alert] 4482#0: *204 [lua] actions.lua:33: [942110(^\s*["'`;]+|["'`]+\s*$)] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?; HTTP/1.1", host: " my.olwaf.cn:8080"
curl "http://my.olwaf.cn:8080/?;" -v
2019/04/04 15:54:39 [alert] 4482#0: *404 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie 'truncate ( space (=aaaaaaaaaaa' "http://my.olwaf.cn:8080" -v
2019/04/04 16:18:16 [alert] 4482#0: *550 [lua] actions.lua:33: [942210(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?["'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie '123 group by a (=aaaaaaaaaaa' "http://my.olwaf.cn:8080" -v
2019/05/06 16:22:30 [alert] 4478#0: *580 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie 'uncompressed_length (=aaaaaaaaaaa' "http://my.olwaf.cn:8080/" -v
2019/05/06 17:03:30 [alert] 4482#0: *822 [lua] actions.lua:33: [942300(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|["'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie ') when 890 then=aaaaaaaaaaa' "http://my.olwaf.cn:8080/" -v
curl "http://my.olwaf.cn:8080/?) when 890 then" -v
2019/04/04 18:04:01 [alert] 30940#0: *11 [lua] actions.lua:33: [944100java\.lang\.(?:runtime|processbuilder)] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "java.lang.runtime=weblogicsession" "http://my.olwaf.cn:8080" -v
2019/04/04 18:11:30 [alert] 30945#0: *56 [lua] actions.lua:33: [944300(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "cHJvdG90eXBlY2xvbmVmYWN0b3J5=weblogicsession" "http://my.olwaf.cn:8080" -v
2019/04/04 18:13:05 [alert] 30945#0: *66 [lua] actions.lua:33: [944240(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)] Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "prototypeserializationfactory=weblogicsession" "http://my.olwaf.cn:8080" -v
Rules in REQUEST-944-APPLICATION-ATTACK-JAVA.conf, for example:
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \
    "id:944250,\
    phase:2,\
    block,\
    log,\
    msg:'Remote Command Execution: Suspicious Java method detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    t:lowercase,\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
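The directive above is split into three parts, targets, operator and actions, and the trace of the WAF's own parser follows. As an added example (my own Python, not code from the page or from the WAF), this reproduces that split on the 944250 rule: the target list is split on "|", a leading "!" marks an exclusion and ":" introduces the selector ("/__utm/"), the operator loses its "@rx" prefix, and the action list is split on commas outside single quotes into key/value pairs. The function and type names are my own.

```python
import re
from collections import namedtuple

Target = namedtuple("Target", "name selector negated")  # negated: a leading "!" excludes the target

# The 944250 directive from the page (CRS 3.1.0), used here as sample input.
SAMPLE_RULE = r"""
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \
    "id:944250,\
    phase:2,\
    block,\
    log,\
    msg:'Remote Command Execution: Suspicious Java method detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    t:lowercase,\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    tag:'WASCTC/WASC-31',\
    tag:'OWASP_TOP_10/A1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
"""


def parse_variables(spec):
    """Split the target list on '|', peel a leading '!', then split NAME:selector."""
    targets = []
    for raw in spec.split("|"):
        name, _, selector = raw.lstrip("!").partition(":")
        targets.append(Target(name, selector, raw.startswith("!")))
    return targets


def parse_operator(spec):
    """'@rx PATTERN' -> ('rx', 'PATTERN'); without an '@' prefix ModSecurity defaults to @rx."""
    if spec.startswith("@"):
        op, _, operand = spec[1:].partition(" ")
        return op, operand
    return "rx", spec


def parse_actions(spec):
    """Split on commas outside single quotes; 'key:value' -> (key, value), bare flags -> (flag, '')."""
    items, buf, quoted = [], "", False
    for ch in spec + ",":
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return [(k.strip(), v.strip().strip("'")) for k, _, v in (i.partition(":") for i in items if i)]


_RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"$')


def parse_secrule(text):
    """Join backslash-newline continuations, then split into targets, operator and actions."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", text.strip())
    m = _RULE_RE.match(joined)
    if not m:
        raise ValueError("not a SecRule directive")
    operator, operand = parse_operator(m.group(2))
    return {"targets": parse_variables(m.group(1)), "operator": operator,
            "operand": operand, "actions": parse_actions(m.group(3))}
```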
Result of the variable-parsing function (one entry per target; the negated target carries a sub-table):
ARGS
ARGS_NAMES
REQUEST_COOKIES
!  --[[ REQUEST_COOKIES  /__utm/ ]]--   this sub-table is parsed by the section below
REQUEST_COOKIES_NAMES
REQUEST_BODY
REQUEST_HEADERS
The "!" (negation) part is parsed at this level; the REQUEST_COOKIES name and the /__utm/ selector of the negated entry go through a further parse pass.
After parse_operator, the operator: rx
After parse_actions, the remaining parameters (value and key):
id: 944250
phase: 2
block
log
logdata
t: lowercase
tag: application-multi
tag: language-java
tag: platform-multi
tag: attack-rce
tag: OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
tag: WASCTC/WASC-31
tag: OWASP_TOP_10/A1
tag: PCI/6.5.2
tag: paranoia-level/2
ver: OWASP_CRS/3.1.0
severity: CRITICAL
setvar: tx.msg=%{rule.msg}
setvar: tx.rce_score=+%{tx.critical_anomaly_score}
setvar: tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}
setvar: tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}
Log entries for CRS rule hits:
2019/05/29 21:35:52 [alert] 4885#0: *33 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136952.41,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block", "AttackIp":"10.96.3.72", "ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:35:59 [alert] 4881#0: *67 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136959.771,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72", "ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:39:01 [alert] 4884#0: *77 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<adugen>","WafId":"dr2018012211225601","AttackTime":1559137141.989,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|adugen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72", "ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<adugen>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<adugen> HTTP/1.1", host: " my.olwaf.cn:8080"
2019/05/29 21:52:34 [alert] 6319#0: *75 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<maimaipi>","WafId":"dr2018012211225601","AttackTime":1559137954.622,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|maimaipi|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72","ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<blackface>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<blackface> HTTP/1.1", host: " my.olwaf.cn:8080"
Related: Project Honeypot; CRS by Trustwave SpiderLabs; see https://www.jianshu.com/p/d22f3914d153
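To turn the wafLog() entries above into something a SOC can count and alert on, here is an added Python parser (my own code, not part of the page or the WAF) for that line format: it pulls the JSON between the [WAFLogTarget] markers, takes the CRS rule id from the leading digits of "param" (protocol rules carry none), and tallies hits per rule and blocks per source IP. The sample lines are constructed after the page's entries, with the long rule regexes shortened.

```python
import json
import re
from collections import Counter

# Constructed sample in the nginx error-log + [WAFLogTarget] JSON format shown above. The long
# "rule" regexes are shortened; rule ids, IPs and actionType values follow the page's entries.
SAMPLE_LOG = r"""
2019/05/29 21:35:52 [alert] 4885#0: *33 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136952.41,"ResourceRecord":"my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\"s.phtml.\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: "my.olwaf.cn:8080"
2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"ResourceRecord":"my.olwaf.cn","logLevel":"INFO","actionType":"Block","AttackIp":"10.96.3.72","ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: "my.olwaf.cn:8080"
2019/05/29 21:35:59 [alert] 4881#0: *67 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136959.771,"ResourceRecord":"my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\"s.phtml.\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: "my.olwaf.cn:8080"
2019/05/29 21:39:01 [alert] 4884#0: *77 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/my.olwaf.cn\/?<adugen>","WafId":"dr2018012211225601","AttackTime":1559137141.989,"ResourceRecord":"my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|keygen|adugen)\\W","AttackIp":"10.96.3.72","ruleType":"crs_xss","param":"941320_REQUEST_ARGS_<adugen>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<adugen> HTTP/1.1", host: "my.olwaf.cn:8080"
2019/07/24 22:25:27 [alert] 4882#0: *12 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/my.olwaf.cn\/?a%20%20b","WafId":"dr2018012211225601","AttackTime":1563975927.62,"ResourceRecord":"my.olwaf.cn","logLevel":"INFO","actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/?a  b HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?a  b HTTP/1.1", host: "my.olwaf.cn:8080"
"""

LINE_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] .*?\[WAFLogTarget\](?P<body>\{.*\})\[WAFLogTarget\], '
    r'client: (?P<client>\S+), server: (?P<server>\S+), request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"$'
)
RULE_ID_RE = re.compile(r"^(\d{6})_")  # CRS params start with the six-digit rule id; protocol rules do not


def parse_line(line):
    """Return a flat event dict for one wafLog() line, or None for any other error-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = json.loads(m.group("body"))
    id_match = RULE_ID_RE.match(event.get("param", ""))
    return {
        "time": m.group("time"),
        "client": m.group("client"),
        "request": m.group("request"),
        "rule_id": id_match.group(1) if id_match else "unknown",
        "rule_type": event.get("ruleType"),
        "action": event.get("actionType"),   # "Block" or "Log"
        "attack_ip": event.get("AttackIp"),
        "url": event.get("AttackURL"),
    }


def summarize(lines):
    """Parse all lines; count hits per rule id and blocked requests per source IP."""
    events = [e for e in map(parse_line, lines) if e]
    by_rule = Counter(e["rule_id"] for e in events)
    blocks_by_ip = Counter(e["attack_ip"] for e in events if e["action"] == "Block")
    return events, by_rule, blocks_by_ip
```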
Custom rule examples
SecRule FILES "!\\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload no-picture file',id:0000001,phase:2"
SecRule FILES "@contains %00" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'filename has null character',id:0000002,phase:2"
DDoS protection
This protection works at layer 7: a single IP that makes too many requests within a given time window is blocked. One advantage is that only dynamic requests are counted, not static files, because Nginx serves static files very efficiently and they are rarely the bottleneck.
SecAction \
    "id:900700,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.dos_burst_time_slice=10',\
    setvar:'tx.dos_counter_threshold=20',\
    setvar:'tx.dos_block_timeout=86400'"
Anomaly scoring
CRS uses a configurable anomaly scoring model: every triggered rule adds to the anomaly score, and if the score exceeds the configured threshold the transaction is blocked. The severity levels are:
Critical: anomaly score 5, indicates a probable application attack; mainly generated by the 93x and 94x files.
Error: anomaly score 4, indicates probable data leakage; mainly generated by the 95x files (not yet supported on nginx and nginx plus).
Warning: anomaly score 3, indicates a probable malicious client; mainly generated by the 91x files.
Notice: anomaly score 2, indicates a probable protocol violation; mainly generated by the 92x files.
By default CRS blocks all inbound traffic with an anomaly score of 5 or higher, which means any transaction that triggers a critical rule is dropped, and three or more notice-level violations also block the transaction.
Besides the OWASP CRS, the Trustwave SpiderLabs commercial rule set offers further protection, for example rule sets specific to WordPress, Joomla, SharePoint and other applications.
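The scoring model above, worked through in Python as an added example (my own code, not the CRS or the WAF's implementation): each hit carries the severity and paranoia level set by its rule, hits above the configured paranoia level do not run, and the per-level and per-category counters mirror the tx.anomaly_score_plN and tx.rce_score variables set by the 944250 rule. The 944250 entry is taken from the page; the other rule ids and their severities are constructed inputs for the scenarios, not a statement of what those rules set.

```python
from collections import namedtuple

# Anomaly score per severity, as described above (CRS: tx.critical_anomaly_score etc.).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_INBOUND_THRESHOLD = 5   # CRS default: block at an inbound anomaly score of 5 or higher

# One matched rule: its id, severity, the paranoia level it belongs to (tag paranoia-level/N)
# and the category counter it increments (944250 adds to tx.rce_score).
Hit = namedtuple("Hit", "rule_id severity paranoia_level category")


def evaluate(hits, paranoia_level=1, threshold=DEFAULT_INBOUND_THRESHOLD):
    """Sum the anomaly score of the hits active at this paranoia level and decide on blocking."""
    total, per_level, per_category, counted = 0, {}, {}, []
    for h in hits:
        if h.paranoia_level > paranoia_level:
            continue  # rule belongs to a higher paranoia level and is not evaluated at all
        score = SEVERITY_SCORE[h.severity.upper()]
        total += score
        per_level[h.paranoia_level] = per_level.get(h.paranoia_level, 0) + score   # tx.anomaly_score_plN
        per_category[h.category] = per_category.get(h.category, 0) + score         # tx.<category>_score
        counted.append(h.rule_id)
    return {"score": total, "blocked": total >= threshold,
            "per_level": per_level, "per_category": per_category, "rules": counted}


def demo():
    """Worked cases for the text's claims: one critical rule blocks, three notices block, two do not."""
    critical = [Hit("944250", "CRITICAL", 2, "rce")]                       # from the page: PL2, critical
    notices = [Hit("92xxx1", "NOTICE", 1, "protocol"),                      # constructed notice-level hits
               Hit("92xxx2", "NOTICE", 1, "protocol"),
               Hit("92xxx3", "NOTICE", 1, "protocol")]
    mixed = [Hit("91xxx1", "WARNING", 1, "scanner"), notices[0]]            # constructed warning + notice
    return {
        "critical_rule_at_pl1": evaluate(critical, paranoia_level=1),   # PL2 rule inactive: score 0
        "critical_rule_at_pl2": evaluate(critical, paranoia_level=2),   # 5 >= 5: blocked
        "three_notices": evaluate(notices),                              # 2+2+2 = 6: blocked
        "two_notices": evaluate(notices[:2]),                            # 4 < 5: passes
        "warning_plus_notice": evaluate(mixed),                          # 3+2 = 5: blocked
    }
```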
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf (session fixation)
Requests that trigger it:
curl "http://my.olwaf.cn:8080/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" -v
This hits the default rule and 920100, but also produces one false-positive log entry:
[WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/>","WafId":"dr2018012211225601","AttackTime":1563975927.62,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/> HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/> HTTP/1.1", host: " my.olwaf.cn:8080"
curl --cookie "http-equiv+set-cookie=aaaaaaaa" "http://my.olwaf.cn:8080" -v
curl http://my.olwaf.cn:8080/?weblogicsession -v
Session ID parameter names the rule looks for: jsessionid, aspsessionid, asp.net_sessionid, phpsession, phpsessid, weblogicsession, session_id, session-id, cfid, cftoken, cfsid, jservsession, jwsession
---------------------------------------------------------------------------------
Does not trigger it, but hits 921130:
curl --cookie "SESSIONID=<meta http-equiv="set-cookie" content=sessionattack=123456;expires=Friday,12-Jan-200118:18:18GMT;path=/>" "http://my.olwaf.cn:8080" -v
The cookie is split into a table:
path → />
expires → Friday,12-Jan-200118:18:18GMT
http-equiv → set-cookie
SESSIONID → <meta
content → sessionattack=123456
Note: the rule ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession) converts the target string to lowercase; it and the rule (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b) are matched against the following fields:
/>
Friday,12-Jan-200118:18:18GMT
set-cookie
<meta
sessionattack=123456
path
expires
http-equiv
SESSIONID
content
----------------------------------------------------------------------------------
Hits 921130:
curl --cookie "SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" "http://my.olwaf.cn:8080" -v
The rule (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b) is matched field by field against:
<meta
sessionattack%3d123456
SESSION
http-equiv%3dset-cookie content
The rule ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession) is matched against:
session
http-equiv=set-cookie content
curl --referer "https://attacktest/" http://my.olwaf.cn:8080/?weblogicsession -v
Blocked and logged: Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer","logdata":"Matched Data: https:\/\/sadasd\/ found within TX: ","id":"943110
curl http://my.olwaf.cn:8080/?weblogicsession -v
Blocked and logged: Matched Data: 0 found within REQUEST_HEADERS: 0","match":0,"msg":"Possible Session Fixation Attack: SessionID Parameter Name with No Referer
In strict mode, all of the requests above are matched.
Common test cases:
curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data
curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakjjd1;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; " http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --cookie "SESSION=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl --referer "www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/waf_http_error/note.xml?aaa=test -v
curl -X "POST" -H "Content-Type: " --referer "www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v
curl -H "Origin: http://www.aibi.com" http://my.olwaf.cn:8080 -v
curl -H "Origin: http://www.test.com" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "X-Forwarded-For: client1, client2, client3" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}' http://my.olwaf.cn:8080 -v
curl -H "TEST: client1, client2, client3, aibi" -X POST -d "abc=admin&passwd=12345678" http://my.olwaf.cn:8080 -v
Raw request lines:
GET /index.html?id=1%29%29%29%20AND%204854%3D4854%20AND%20%28%28%289491%3D9491
GET /index.html?id=1%EF%BC%87%20AND%208116%3D9451%20AND%20%EF%BC%87syvX%EF%BC%87%3D%EF%BC%87syvX HTTP/1.1\r\n
GET /index.html?id=1%22%29%20AND%202421%3D6292%20AND%20%28%22Afhp%22%20LIKE%20%22Afhp HTTP/1.1\r\n
curl "http://my.olwaf.cn:8080/index.html?a=b&b=cc <DIV STYLE=behaviour: url('http://www.how-to-hack.org/exploit.html');>"