diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 68593633a..70a92e474 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -219,6 +219,36 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
+ "id:921200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,\
+ msg:'LDAP Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ldap',\
+ tag:'platform-multi',\
+ ctl:auditLogParts=+E,\
+ ver:'OWASP_CRS/3.2.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
new file mode 100644
index 000000000..80094eab0
--- /dev/null
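Review bot: The prefix `^[^:\(\)\&\|\!\<\>\~]*\)` of the new 921200 regex never matches when any character of that negated class appears before the first `)`, so an injected value such as `admin:)(uid=*` is not inspected at all, even though `:` needs no escaping in an RFC 4515 filter value and the attacker chooses that prefix. None of the three false-positive tests seems to rely on the `:` exclusion (each starts with `(` and is already rejected by the mandatory `\)`), so unless it guards a known false positive, opening the pattern with `^[^\(\)\&\|\!\<\>\~]*\)\s*` and adding a positive regression test with `data: "foo=admin:)(uid=*"` would close that gap; the same observation appears to hold for the other operator characters in the class, which are likewise legal inside a filter value. Either way, a comment above the rule recording why those characters are excluded from the prefix (for example `# Prefix excludes filter operator characters to keep legitimate complete filters from matching; see tests 921200-1..3`) would help future tuning.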
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml 
@@ -0,0 +1,174 @@
+---
+ meta:
+ author: "Christian Folini"
+ description: "LDAP injection"
+ enabled: true
+ name: 921200.yaml
+ tests:
+ -
+ test_title: 921200-1
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-2
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-3
+ desc: "Testing for FP, this should not trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
+ uri: "/"
+ output:
+ no_log_contains: id "921200"
+ -
+ test_title: 921200-4
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=bar)(%26)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-5
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=printer)(uid=*)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-6
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=void)(objectClass=users))(%26(objectClass=void)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-7
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=eb9adbd87d)!(sn=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-8
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=*)!(sn=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-9
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=*)(uid=*))(|(uid=*"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
+ -
+ test_title: 921200-10
+ desc: "Testing for rule, this should trigger"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "ModSecurity CRS 3 Tests"
+ port: 80
+ method: POST
+ data: "foo=aaa*aaa)(cn>=bob)"
+ uri: "/"
+ port: 80
+ output:
+ log_contains: id "921200"
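Review bot: Tests 921200-4 through 921200-10 carry `port: 80` twice in the same `input` mapping (once after `headers`, once after `uri`); indentation is lost in this view, but the key order and the 174-line count place both under `input`, and duplicate keys are invalid YAML that PyYAML resolves silently as last-wins, so the second `port: 80` in each of those seven tests should be dropped. Coverage also stops at URL-encoded POST arguments: the rule applies `t:htmlEntityDecode` and targets REQUEST_COOKIES and XML:/*, yet every test sends a plain `foo=` form body, so neither the entity-decoding path nor the cookie target is exercised. A positive test with `data: "foo=bar)%26%2340;%26)"` (the engine's argument decoding yields `bar)&#40;&)`, which entity-decodes to `bar)(&)`, the 921200-4 payload) and one with `Cookie: "foo=bar)(&)"` under `headers` would pin those paths, assuming the transformations apply in the order the rule lists them.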