RCE detection bypass at PL1 · Issue #1513 · coreruleset/coreruleset · GitHub

RCE detection bypass at PL1 #1513

Closed
CRS-migration-bot opened this issue May 13, 2020 · 7 comments
Labels
➖ False Negative - Evasion PR available this issue is referenced by an active pull request

Comments

@CRS-migration-bot

Issue originally created by user dune73 on date 2019-08-19 07:06:16.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1513.

The following bypass was pasted on Twitter.

{ 1 }; ;+$u+cat+/etc$u/passwd$u
{ 2 }; ;+$u+cat+/etc$u/passwd+\#

https://twitter.com/spyerror/status/1162826904833089541?s=19

According to franbuehler, this passes on PL1, but is being detected on PL2.

Type of Issue

RCE rule detection bypass

Description

See above.

Your Environment

CRS 3.1

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@CRS-migration-bot CRS-migration-bot added ➖ False Negative - Evasion PR available this issue is referenced by an active pull request labels May 13, 2020
@CRS-migration-bot

User franbuehler commented on date 2019-08-19 07:34:37:

First command gets the following scores:
individual paranoia level scores: 0, 13, 11, 13

Second command:
individual paranoia level scores: 0, 18, 11, 13

@CRS-migration-bot

User marcstern commented on date 2019-08-20 06:30:12:

This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html
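
The idea of normalising shell syntax before matching, which the comment above points to, sketched as an added example; it is not CRS, ModSecurity or t:bash code. The `NAIVE` pattern, `shell_normalize` and `detect` are hypothetical names, and the normaliser assumes every shell variable is unset.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical stand-in for a simple signature; not a CRS rule.
NAIVE = re.compile(r"\bcat\s+/etc/passwd\b")

# $name or ${name}: a shell expands these to nothing when the variable is unset.
_VAR = re.compile(r"\$(?:\{[A-Za-z_]\w*\}|[A-Za-z_]\w*)")


def shell_normalize(value: str) -> str:
    """Rewrite a string the way a POSIX shell would see it, assuming every
    variable is unset. Deliberately over-normalises: it errs toward detection."""
    out = _VAR.sub("", value)                    # /etc$u/passwd -> /etc/passwd
    out = re.sub(r"\\(.)", r"\1", out)           # \# -> #, c\at -> cat
    out = out.replace("'", "").replace('"', "")  # c'a't -> cat
    return re.sub(r"\s+", " ", out).strip()


def detect(raw: str) -> dict:
    """Match the signature before and after normalisation."""
    decoded = unquote_plus(raw)  # '+' and %xx as a form parser decodes them
    return {
        "raw": bool(NAIVE.search(decoded)),
        "normalized": bool(NAIVE.search(shell_normalize(decoded))),
    }


# The two strings quoted in the issue, copied verbatim, plus constructed controls.
SAMPLES = [
    r"{ 1 }; ;+$u+cat+/etc$u/passwd$u",
    r"{ 2 }; ;+$u+cat+/etc$u/passwd+\#",
    "cat+/etc/passwd",            # constructed: unobfuscated form
    "total=$5&file=/etc/hosts",   # constructed: benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} {detect(s)}")
```

Both strings from the issue miss the signature as sent and match it after normalisation, while the benign control matches in neither form.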

@CRS-migration-bot

User dune73 commented on date 2019-08-20 06:38:17:

If only it would be merged ...

@CRS-migration-bot

User theMiddleBlue commented on date 2019-09-07 00:05:37:

IIRC we already talked about that in a meeting (refer to https://www.secjuice.com/web-application-firewall-waf-evasion/). If you agree, I would try to catch this bypass technique in PL1.

@CRS-migration-bot

User github-actions[bot] commented on date 2020-02-19 00:02:20:

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@CRS-migration-bot

User theMiddleBlue commented on date 2020-02-24 13:47:01:

still in progress...

@theMiddleBlue
Contributor

replaced by #1783
