8000 New HTTP Parameter Pollution Rules by dune73 · Pull Request #2747 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

New HTTP Parameter Pollution Rules #2747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 15, 2022
Merged

New HTTP Parameter Pollution Rules #2747

merged 4 commits into from
Aug 15, 2022

Conversation

dune73
Copy link
Member
@dune73 dune73 commented Aug 10, 2022
edited
Loading

This is a little set new pair of rules that prevents parameter pollution bypasses in bug bounty findings Z05OZUCH and 5UXE4RK0.

The issues reported bypass existing parameter pollution rule 921180 via the following constructs:

1 - foo[1]a=bar&foo[1]b=<evil> - parameter parsers often cut after the closing of the array. 921180 PL3 takes the full name, though.
2 - foo[1]x[1]=bar&foo[1]x[2]=<evil> - extension of 1, came up with this myself, this has the advantage that the parameter name does end with ] just like a valid array notation.
3 - foo[1]=bar&foo[2]=<evil> - simple parameter parsers don't do arrays
4 - foo=bar&foo[1]=<evil> - simple parameter parsers don't do arrays
5 - foo[1]=bar&foo[1]acb]=<evil> - simple parameter parsers don't do arrays

New rule 921210 PL3 prevents case 1 and case 2, while still allowing foo[1] and foo[1][2] (= array notation). They will not allow 3-dimensional arrays though (foo[1][2][3]).

New rule 921220 PL4 disallows the [ character in parameter names. This effectively disallows array parameter (names). This prevents case 3, 4 and 5. Applications that make use of array parameters will have to disable this rule. Ideally via a rule exclusion for each array parameter name.

I would prefer to detect case 4 at PL3 while still allowing array parameter (names), however, this is seriously difficult and I can not see how this could be done without a construct over several helper rules. On top, case 4 only works against a stupid parameter parser, something that should not run behind a PL3 WAF.

I would also like to detect case 5 at PL3, but I could not get a regex that detects this while still allowing 2-dimensional arrays. The only way I could think of would make use of a look-around.

This fixes #2618.

This was referenced Aug 10, 2022
Closed
Merged
@dune73 dune73 changed the title New HTTP Parameter Rules New HTTP Parameter Pollution Rules Aug 11, 2022
RedXanadu
RedXanadu approved these changes Aug 15, 2022
View reviewed changes
Copy link
Member
@RedXanadu RedXanadu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New rules make sense and look good.
New tests make sense.
PR looks good.
99F8

@RedXanadu RedXanadu added the ⭐ bug bounty Comes from our Bug Bounty program label Aug 15, 2022
@lifeforms lifeforms merged commit cac22dd into coreruleset:v4.0/dev Aug 15, 2022
@fzipi fzipi mentioned this pull request Sep 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RedXanadu RedXanadu RedXanadu approved these changes

Assignees
No one assigned
Labels
⭐ bug bounty Comes from our Bug Bounty program
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Parameter Pollution: email[]aa=&email[]bb=
3 participants
@dune73 @RedXanadu @lifeforms
0