[PHP知识库]owasp core rules sets规则集深度分析与测试

owasp core rules sets简介

考察一款WAF的有效性，最关键的一点就是攻击的防御情况

我们看看owasp ModSecurity对漏洞防御的checklist：

扫描器scanner。

恶意爬虫crawler。

webshell?（Trojans）。? ? ?

shell上传：文件上传。

shell连接：get|post|cookie。

SQLi/blindSQLi/reflected SQLi/stored?SQLi: get|post|referer|cookie|x_forwarded_for|ua|basic-authorization。

LFI/RFI：get?lfi/rfi、post lfi/rfi、cookie lrfi/rfi、data://URI、php://input、php://filter、getdirectory traversal、post?directory traversal。

File?Upload：php、asp(x)、jsp、RCE、struts2、nginx CVE、PHP CGI、get?rce、post rce。

XSS/reflected?XSS/stored?XSS/DOM XSS/CSRF/flash xss/json xss：get、post

code injection：get?code injection、post code injection

XPath?injection

LDAP injection

XML injection

expression language injection

server side includes injection

server side request forgery

HTTP响应拆分

CRLF注入

服务器解析漏洞

敏感信息泄漏：info leak、svn/cvs、后台暴露

http parameter pollution参数污染

brute force暴力破解(weak password)

DoS

slow?HTTP?DoS

URL?Redirect??

session fixation会话固定/?easily-guessable session?IDs

会话劫持

垃圾评论

防病毒

access control(vertical,?horizontal)/Unauthorized?File?Exposure(download)

logic flaws逻辑漏洞

协议异常：

不合规范的RequestLine

异常文件名

请求体解析错误

multipart请求体解析错误

Content-Length异常

Content-Enoding异常

Range异常

Request-Range异常

Expect异常

Connection异常

Pragma，?Cache-Control

Host异常

User -Agent异常

Accpet异常

X-Forwarded-For异常

编码异常，url编码异常，utf-8异常? ?charset设置缺失或不一致

Cookie?Domain/httponly/secure设置错误

安全头设置错误 X-XSS-Protection， X-FRAME-OPTIONS， X-Content-Type-Options

协议限制

允许请求方法?GET/POST/HEAD

允许协议版本HTTP/1.0?or?HTTP/1.1

允许Content-Type

允许的文件后缀名

允许的请求头

长度限制

参数名长度限制

参数值长度限制

参数个数限制

参数的总大小

上传文件大小限制

上传文件总大小限制

编码限制

恶意代理

CRS规则集测试case

90x文件：排除误报
91x文件：检测恶意客户端规则
92x文件：检测违反协议的规则
93x和94x文件：检测运行程序攻击(SQL)或命令执行攻击规则
95x文件：检测出站数据泄露规则，nginx和nginx plus不支持
.data 文件：规则使用的数据

^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$?
920200 命中id规则： ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}?
curl -H "Range: bytes=100-200 , 100-200, 100-200, 100-200, 100-200, 100-200, " http://my.olwaf.cn:8080 -v?
返回403 命中规则未知
curl -H 'Content-Type: aaaaaaaaaa;boundary=-----------aaaaaaaaa"' http://my.olwaf.cn:8080 -v?

命中921130(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)规则
curl --cookie "test=<html>aaaaaaaa</html>

命中REQUEST-930-APPLICATION-ATTACK-LFI.conf，id规则930120 ，lfi-os-files.data??system32/inetsrv/config/applicationhost.config?
curl --cookie "system32/inetsrv/config/applicationhost.config=.ssh/id_dsa.pub" http://my.olwaf.cn:8080 -v?

REQUEST-932-APPLICATION-ATTACK-RCE.conf?
命中932130(?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))?
curl --cookie "<(adasdas)=Test-ComputerSecureChannel" http://my.olwaf.cn:8080 -v?

命中[932160] Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "usr/bin/python3=Test-ComputerSecureChannel" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v?

[932170^\(\s*\)\s+{] Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "( ) {=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v?

REQUEST-933-APPLICATION-ATTACK-PHP.conf?
[933110.*\.(?:php\d*|phtml)\.*$] Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl -H "X-Filename: s.phtml." http://my.olwaf.cn:8080 -v?

[933120] Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "auto_globals_jit=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v?

[lua] actions.lua:30: [933190] Rule action was DENY, ......................................................,?
?client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?Test-ComputerSecureChannel HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "?>=Test-ComputerSecureCha" http://my.olwaf.cn:8080/?Test-ComputerSecureChannel -v?

actions.lua:33: [933111.*\.(?:php\d*|phtml)\..*$] Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl -H "X-Filename: a.phtml.adsas" http://my.olwaf.cn:8080 -v?

REQUEST-941-APPLICATION-ATTACK-XSS.conf?
941320<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W]?
Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?<keygen> HTTP/1.1", host: " my.olwaf.cn:8080"?
curl " http://my.olwaf.cn:8080/?<keygen>" -v?

2019/04/04 14:40:04 [alert] 5666#0: *1230 [lua] actions.lua:33: [941150(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=] Rule action was DENY,?
......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --user-agent "sdas src =qqqqqqqqqqq" http://my.olwaf.cn:8080 -v?

REQUEST-942-APPLICATION-ATTACK-SQLI.conf?
2019/04/04 15:07:46 [alert] 4466#0: *87 [lua] actions.lua:33: [942432((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>]*?){2})] Rule action was DENY,?
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?$> HTTP/1.1", host: " my.olwaf.cn:8080"?
curl??" http://my.olwaf.cn:8080/?$>" -v?

2019/05/06?15:22:26 [alert] 4482#0: *175 [lua] actions.lua:33: [942421((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;"'′’‘`<>]*?){3})] Rule action was DENY,?
?......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1",?
?host: " my.olwaf.cn:8080"?
curl --cookie "[][=qqqqqqqqqqq" http://my.olwaf.cn:8080 -v?

2019/04/04 15:25:46 [alert] 4482#0: *204 [lua] actions.lua:33: [942110(^\s*["'`;]+|["'`]+\s*$)] Rule action was DENY,?
......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET /?; HTTP/1.1",?
host: " my.olwaf.cn:8080"?

curl??" http://my.olwaf.cn:8080/?;" -v?

2019/04/04 15:54:39 [alert] 4482#0: *404 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(]?
?Rule action was DENY, ......................................................,?
?client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie 'truncate ( space (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v?

??
2019/04/04 16:18:16 [alert] 4482#0: *550 [lua] actions.lua:33: [942210(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?["'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))]?
?Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn,?
?request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie '123 group by a (=aaaaaaaaaaa' " http://my.olwaf.cn:8080" -v?

2019/05/06?16:22:30 [alert] 4478#0: *580 [lua] actions.lua:33: [942150(?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(]?
?Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn,?
request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie 'uncompressed_length (=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v?

2019/05/06?17:03:30 [alert] 4482#0: *822 [lua] actions.lua:33: [942300(?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s+\s*?\w+\(|\)\s*?when\s*?\d+\s*?then|["'`]\s*?(?:--|\{|#)|cha?r\s*?\(\s*?\d|\/\*!\s?\d+))]?
?Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?

curl --cookie ') when 890 then=aaaaaaaaaaa' " http://my.olwaf.cn:8080/" -v?
curl "http://my.olwaf.cn:8080/?) when 890 then" -v?

2019/04/04 18:04:01 [alert] 30940#0: *11 [lua] actions.lua:33: [944100java\.lang\.(?:runtime|processbuilder)]?
Rule action was DENY, ......................................................,?
client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?

curl --cookie "java.lang.runtime=weblogicsession" "http://my.olwaf.cn:8080" -v?

2019/04/04 18:11:30 [alert] 30945#0: *56 [lua] actions.lua:33: [944300(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)]?
?Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "cHJvdG90eXBlY2xvbmVmYWN0b3J5=weblogicsession" " http://my.olwaf.cn:8080" -v?

2019/04/04 18:13:05 [alert] 30945#0: *66 [lua] actions.lua:33: [944240(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)]?
?Rule action was DENY, ......................................................, client: 112.65.119.119, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "prototypeserializationfactory=weblogicsession" " http://my.olwaf.cn:8080" -v

REQUEST-944-APPLICATION-ATTACK-JAVA.conf文件规则，例如如下规则：
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|! REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \?
????"@rx java\b.+(?:runtime|processbuilder)" \?
????"id:944250,\?
????phase:2,\?
????block,\?
????log,\?
????msg:'Remote Command Execution: Suspicious Java method detected',\?
????logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\?
????t:lowercase,\?
????tag:'application-multi',\?
????tag:'language-java',\?
????tag:'platform-multi',\?
????tag:'attack-rce',\?
????tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\?
????tag:'WASCTC/WASC-31',\?
????tag:'OWASP_TOP_10/A1',\?
????tag:'PCI/6.5.2',\?
????tag:'paranoia-level/2',\?
????ver:'OWASP_CRS/3.1.0',\?
????severity:'CRITICAL',\?
????setvar:'tx.msg=%{rule.msg}',\?
????setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\?
????setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\?
????setvar:'tx.%{ rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"?

经过函数解析结果：?
?ARGS?????????????????
?ARGS_NAMES???????????
?REQUEST_COOKIES??????
?! ????????????????????????????????????????--[[?
?REQUEST_COOKIES ????????????此部分由下面部分解析?
?/__utm/ ??????????????????????????????]]--?
?REQUEST_COOKIES_NAMES?
?REQUEST_BODY?????????
?REQUEST_HEADERS ??????
?! ???????????????????????????????????????????????????????????????parse parse parse?
?REQUEST_COOKIES ???????????????????????????parse parse parse?

"!"不等号部分在此部分解析?

经过parse_operator函数解析operator：?
rx ??????
经过parse_actions函数解析其他参数：?
?944250????????????????????????????????????
?id????????????????????????????????????????
?2?????????????????????????????????????????
?phase?????????????????????????????????????
?block??????????????????????????????????????
?log????????????????????????????????????????
?logdata????????????????????????????????????
?lowercase??????????????????????????????????
?t??????????????????????????????????????????
?application-multi??????????????????????????
?tag????????????????????????????????????????
?language-java??????????????????????????????
?tag????????????????????????????????????????
?platform-multi?????????????????????????????
?tag????????????????????????????????????????
?attack-rce?????????????????????????????????
?tag????????????????????????????????????????
?OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION?????
?tag????????????????????????????????????????
?WASCTC/WASC-31?????????????????????????????
?tag????????????????????????????????????????
?OWASP_TOP_10/A1????????????????????????????
?tag????????????????????????????????????????
?PCI/6.5.2??????????????????????????????????
?tag????????????????????????????????????????
?paranoia-level/2???????????????????????????
?tag????????????????????????????????????????
?OWASP_CRS/3.1.0????????????????????????????
?ver????????????????????????????????????????
?CRITICAL???????????????????????????????????
?severity???????????????????????????????????
?tx.msg=%{rule.msg}?????????????????????????
?setvar?????????????????????????????????????
?tx.rce_score=+%{tx.critical_anomaly_score}???????????????????????????????
?setvar???????????????????????????????????????????????????????????????????
?tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}???????????????????????
?setvar???????????????????????????????????????????????????????????????????
?tx.%{ rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}?
命中crs规则log日志

2019/05/29 21:35:52 [alert] 4885#0: *33 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136952.41,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72","ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?

2019/05/24 18:00:11 [alert] 30748#0: *1 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1558692011.931,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block",?
"AttackIp":"10.96.3.72", "ruleType":"crs_scanner","param":"913100_REQUEST_HEADERS"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?

2019/05/29 21:35:59 [alert] 4881#0: *67 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/","WafId":"dr2018012211225601","AttackTime":1559136959.771,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":".*\\.(?:php\\d*|phtml)\\.*$","AttackIp":"10.96.3.72", "ruleType":"crs_php sql","param":"933110_REQUEST_HEADERS_\" my.olwaf.cn:8080\"\"s.phtml.\"\"*\/*\"\"curl\/7.19.7 (x86_64-redhat-linux-gnu) libcurl\/7.19.7 NSS\/3.14.0.0 zlib\/1.2.3 libidn\/1.18 libssh2\/1.4.2\""}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET / HTTP/1.1", host: " my.olwaf.cn:8080"?

2019/05/29 21:39:01 [alert] 4884#0: *77 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<adugen>","WafId":"dr2018012211225601","AttackTime":1559137141.989,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|adugen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72", "ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<adugen>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<adugen> HTTP/1.1", host: " my.olwaf.cn:8080"?

2019/05/29 21:52:34 [alert] 6319#0: *75 [lua] util.lua:303: wafLog(): [WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<maimaipi>","WafId":"dr2018012211225601","AttackTime":1559137954.622,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Block","rule":"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|maimaipi|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\\W","AttackIp":"10.96.3.72"," ruleType":"crs_xss", "param":"941320_REQUEST_ARGS_<blackface>"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<blackface> HTTP/1.1",?
host: " my.olwaf.cn:8080"?
Project Honeypot crs??Trustwate SpiderLabs?
https://www.jianshu.com/p/d22f3914d153?

自定义规则举例

SecRule FILES "!\\.(?i:jpe?g|gif|png|bmp)$" "deny,tag:'WEB_ATTACK/FILEUPLOAD',msg:'upload?
no-picture file',id:0000001,phase:2“
1
2
SecRule FILES "@contains %00" "deny,tag:&#039;WEB_ATTACK/FILEUPLOAD',msg:'filename
has null character',id:0000002,phase:2"
DDoS Protection
这边的防护属于 L7 防御，单个 IP 在某指定段时间访问过于频繁就予以屏蔽。
有个优点是这边的屏蔽只计算动态访问而不考虑静态文件，因为 Nginx 处理静态文件非常高效一般不是瓶颈。
SecAction \
?"id:900700,\
? phase:1,\
? nolog,\
? pass,\
? t:none,\
? setvar:'tx.dos_burst_time_slice=10',\
? setvar:'tx.dos_counter_threshold=20',\
? setvar:'tx.dos_block_timeout=86400'"

异常得分

CRS使用可配置的异常计分模型，每条触发的规则都会增加异常分数，如果分数超过配置的异常阈值，则事务被阻塞，异常级别如下:
Critical：异常得分5，表示可能应用程序攻击，主要由93x 94x文件生成。
Error：异常得分4，表示可能数据泄露，主要有95x文件生成，暂不支持nginx和nginx plus。
Warning：异常得分3，表示可能恶意客户端，主要由91x文件生成的。
Notice:异常得分2，表示可能违反协议，主要由92x文件生成。
默认情况下，CRS阻塞所有异常值为5或更高的入站流量，意味着任何引发事务的关键规则都将被丢弃，三次或更多的通知级违规也会导致事务被阻塞。
除了 OWASP CRS 之外， Trustwave SpiderLabs 商业规则集还提供了其他保护，例如针对 WordPress、Joomla、SharePoint 和其他应用程序的特定规则集。?

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf会话固定攻击
请求可以触发：?
curl "http://my.olwaf.cn:8080/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" -v 命中默认规则和920100?
但是误报一条log：?
[WAFLogTarget]{"AttackURL":"http:\/\/ my.olwaf.cn\/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/>","WafId":"dr2018012211225601","AttackTime":1563975927.62,"ResourceRecord":" my.olwaf.cn","logLevel":"INFO","actionType":"Log","rule":"^(?i)(get|option|delete|put)(\\s{2,})","AttackIp":"10.96.3.72","ruleType":"protocol","param":"GET \/?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d\/> HTTP\/1.1"}[WAFLogTarget], client: 10.96.3.72, server: my.olwaf.cn, request: "GET /?<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/> HTTP/1.1", host: " my.olwaf.cn:8080"?
curl --cookie "http-equiv+set-cookie=aaaaaaaa" "http://my.olwaf.cn:8080" -v?
curl http://my.olwaf.cn:8080/?weblogicsession -v?
“jsessionid”?
“aspsessionid”?
“asp.net_sessionid”?
“phpsession”?
“phpsessid”?
“weblogicsession”?
“session_id”?
“session-id”?
“cfid”?
“cftoken”?
“cfs id”?
“jservsession”?
“jwsession?
---------------------------------------------------------------------------------?
不能触发：但会命中921130?
curl --cookie "SESSIONID=<meta http-equiv="set-cookie" content=sessionattack=123456;expires=Friday,12-Jan-200118:18:18GMT;path=/>" "http://my.olwaf.cn:8080" -v?
cookie被拆分成table：?
path/>?
expiresFriday,12-Jan-200118:18:18GMT?
http-equivset-cookie?
SESSIONID<meta?
contentsessionattack=123456?
^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)备注:此规则会把目标字符串转换成小写和?
(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)规则与如下字段匹配：?
/>?
Friday,12-Jan-200118:18:18GMT?
set-cookie?
<meta?
sessionattack=123456?
path?
expires?
http-equiv?
SESSIONID?
content?
----------------------------------------------------------------------------------?
会命中921130?
curl --cookie "SESSION=<meta http-equiv%3dset-cookie content=sessionattack%3d123456;expires%3dFri, 30 Dec 2015 12:00:00 GMT; path%3d/>" "http://my.olwaf.cn:8080" -v?
(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)规则与如下字段一一匹配?
<meta?
sessionattack%3d123456?
SESSION?
http-equiv%3dset-cookie content?
^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)规则与如下字段匹配：?
session?
http-equiv=set-cookie content?

curl --referer "https://attacktest/" http://my.olwaf.cn:8080/?weblogicsession -v??拦截并记录?Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer","logdata":"Matched Data: https:\/\/sadasd\/ found within TX: ","id":"943110?

curl??http://my.olwaf.cn:8080/?weblogicsession -v 拦截并记录?Matched Data: 0 found within REQUEST_HEADERS: 0","match":0,"msg":"Possible Session Fixation Attack: SessionID Parameter Name with No Referer?

严谨模式下以上请求全部命中！?

以下为常用测试case

curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data?

curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}'??http://my.olwaf.cn:8080 -v?

curl http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v?

curl --cookie "SESSION=123fsakjjd1;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v

curl --cookie "SESSION=123fsakqwerty; "http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v?

curl --cookie "SESSION=123fsakqwerty; "http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v?

curl --cookie "SESSION=123fsakqwerty; c=5; path=/;"http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v

curl --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/waf_http_error/note.xml?aaa=test -v?

curl -X "POST" -H "Content-Type: " --referer " www.nytimes.com.us" --cookie "JSESSIONID=123fsakqwerty; c=5; path=/;" http://my.olwaf.cn:8080/olwaf_http_error/note.xml?aaa=test -v?

curl -H "Origin: http://www.aibi.com" http://my.olwaf.cn:8080 -v?

curl -H "Origin: http://www.test.com" -X POST -d '{"abc": "admin", "passwd":"12345678"}'??http://my.olwaf.cn:8080 -v?

curl -H "X-Forwarded-For: client1, client2, client3" -X POST -d '{"abc": "admin", "passwd":"12345678"}'??http://my.olwaf.cn:8080 -v?

curl -H "TEST: client1, client2, client3, aibi" -X POST -d '{"abc": "admin", "passwd":"12345678"}'??http://my.olwaf.cn:8080 -v?

curl -H "Content-Type:application/json" -X POST -d '{"abc": "admin", "passwd":"12345678"}'??http://my.olwaf.cn:8080 -v?

curl -H "TEST: client1, client2, client3, aibi" -X POST -d "abc=admin&passwd=12345678"??http://my.olwaf.cn:8080 -v?
?GET /index.html?id=1%29%29%29%20AND%204854%3D4854%20AND%20%28%28%289491%3D9491?
?GET /index.html?id=1%EF%BC%87%20AND%208116%3D9451%20AND%20%EF%BC%87syvX%EF%BC%87%3D%EF%BC%87syvX HTTP/1.1\r\n?
?GET /index.html?id=1%22%29%20AND%202421%3D6292%20AND%20%28%22Afhp%22%20LIKE%20%22Afhp HTTP/1.1\r\n
curl "http://my.olwaf.cn:8080/index.html?a=b&b=cc <DIV STYLE=behaviour: url(' http://www.how-to-hack.org/exploit.html&#39;);>"?