New ldap injection rule 921200 (fixes issue #276) #1707

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
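--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -219,6 +219,36 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
+"id:921200,\
+phase:2,\
+block,\
+capture,\
+t:none,t:htmlEntityDecode,\
+msg:'LDAP Injection Attack',\
+logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+tag:'application-multi',\
+tag:'language-ldap',\
+tag:'platform-multi',\
+ctl:auditLogParts=+E,\
+ver:'OWASP_CRS/3.2.0',\
+severity:'CRITICAL',\
+setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #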
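Review bot: The `[ Rule Logic ]` section of the new 921200 comment block says only that the rule "is trying to prevent LDAP injection" and does not explain what the regex actually detects, so a maintainer tuning a false positive has to reverse-engineer the pattern. From the expression itself the logic is: a value made of non-filter characters that closes the current filter element with `)` and is then followed by a new `(attr=` assertion, or by a boolean operator `&`, `|` or `!`; I would add under `[ Rule Logic ]` the lines `# The regex matches a value that closes the current LDAP filter element with ")" and is then` and `# followed by a new filter element "(attr=" or a boolean operator (&, | or !), i.e. filter logic appended to the value.` with a third line noting that the three tests 921200-1 to -3 document the legitimate `(attr:oid:=value)` forms that must not match. If the rest of this file already tags rules with their paranoia level and the `OWASP_CRS` marker (not visible in this hunk), this rule should carry the matching `tag:'paranoia-level/1'` as well, since it scores into `tx.anomaly_score_pl1` and sits above the PL2 skipAfter on the context lines.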
174 changes: 174 additions & 0 deletions tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml
@@ -0,0 +1,174 @@
---
meta:
author: "Christian Folini"
description: "LDAP injection"
enabled: true
name: 921200.yaml
tests:
-
test_title: 921200-1
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-2
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-3
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-4
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=bar)(%26)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-5
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=printer)(uid=*)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-6
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-7
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=eb9adbd87d)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-8
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=*)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-9
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=*)(uid=*))(|(uid=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-10
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=aaa*aaa)(cn>=bob)"
uri: "/"
port: 80
output:
log_contains: id "921200"
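Review bot: The `input` mapping of tests 921200-4 through 921200-10 contains `port: 80` twice, once before `method:` and again after `uri:`, which yamllint's key-duplicates check rejects and which most loaders resolve silently last-wins; drop the second `port: 80` in each of those seven stages so the file also loads under a strict loader and matches the shape of tests 921200-1 to -3. All seven true-positive payloads travel in the POST body, so the rule's `REQUEST_COOKIES`, `REQUEST_COOKIES_NAMES` and `ARGS_NAMES` targets are exercised by none of the stages; one additional stage sending the same `foo=bar)(%26)` payload as a cookie value and one as an argument name would cover them. The rendered page has dropped the YAML indentation, so the nesting here is inferred from key order and should be checked against the committed file.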