-
-
Notifications
You must be signed in to change notification settings - Fork 407
feat: add new rule to catch invalid character in multipart headers (v3) #3797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
169 changes: 169 additions & 0 deletions
169
tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922130.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,169 @@ | ||
| --- | ||
| meta: | ||
| author: "Ervin Hegedus" | ||
| description: Test Multipart/form-data | ||
| name: 922130.yaml | ||
| tests: | ||
| - test_title: 922130-1 | ||
| desc: | | ||
| Positive test: special character in multipart header. | ||
| Request is a multipart request with 2 Content-Disposition headers, | ||
| where the first one contains a 0x0E character at the first position. | ||
| --boundary | ||
| \x0EContent-Disposition: form-data; name="file"; filename="1.php" | ||
| Content-Disposition: form-data; name="post" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); | ||
| --boundary-- | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| encoded_request: "UE9TVCAvcG9zdCBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMTg1DQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGE7IGJvdW5kYXJ5PWJvdW5kYXJ5DQpIb3N0OiBsb2NhbGhvc3QNClVzZXItQWdlbnQ6IE9XQVNQIENSUyB0ZXN0IGFnZW50DQoNCi0tYm91bmRhcnkNCg5Db250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGUiOyBmaWxlbmFtZT0iMS5waHAiDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InBvc3QiDQoNCjxwaHAgdmFyX2R1bXAoZmlsZV9nZXRfY29udGVudHMoIi9ldGMvcGFzc3dkIikpOw0KLS1ib3VuZGFyeS0t" | ||
| output: | ||
| # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine, | ||
| # parsing will fail and the body will be considered invalid. | ||
| log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-2 | ||
| desc: | | ||
| Positive test: special character in multipart header. | ||
| Request is a multipart request with 2 Content-Disposition headers, | ||
| where the first one contains a 0x0E character at the last position. | ||
| --boundary | ||
| Content-Disposition\x0E: form-data; name="file"; filename="1.php" | ||
| Content-Disposition: form-data; name="post" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); | ||
| --boundary-- | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| method: POST | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| encoded_request: "UE9TVCAvcG9zdCBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMTg2DQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGE7IGJvdW5kYXJ5PWJvdW5kYXJ5DQpIb3N0OiBsb2NhbGhvc3QNClVzZXItQWdlbnQ6IE9XQVNQIENSUyB0ZXN0IGFnZW50DQoNCi0tYm91bmRhcnkNCkNvbnRlbnQtRGlzcG9zaXRpb24OOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGUiOyBmaWxlbmFtZT0iMS5waHAiDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InBvc3QiDQoNCjw/cGhwIHZhcl9kdW1wKGZpbGVfZ2V0X2NvbnRlbnRzKCIvZXRjL3Bhc3N3ZCIpKTsNCi0tYm91bmRhcnktLQ==" | ||
| output: | ||
| # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine, | ||
| # parsing will fail and the body will be considered invalid. | ||
| log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-3 | ||
| desc: "Negative test: no special character in multipart header" | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| headers: | ||
| Host: "localhost" | ||
| User-Agent: "OWASP CRS test agent" | ||
| Content-Type: multipart/form-data; boundary=boundary | ||
| Accept: "*/*" | ||
| method: POST | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| data: | | ||
| --boundary | ||
| Content-Disposition: form-data; name="file"; filename="1.php" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); ?> | ||
| --boundary-- | ||
| output: | ||
| no_log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-4 | ||
| desc: | | ||
| Positive test: special character in multipart header. | ||
| Request is a multipart request with 2 Content-Disposition headers, | ||
| where the first one contains a 0x20 character, the last invalid character before the valid range. | ||
| --boundary | ||
| Content-\x20Disposition: form-data; name="file"; filename="1.php" | ||
| Content-Disposition: form-data; name="post" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); | ||
| --boundary-- | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| encoded_request: "UE9TVCAvcG9zdCBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMTg2DQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGE7IGJvdW5kYXJ5PWJvdW5kYXJ5DQpIb3N0OiBsb2NhbGhvc3QNClVzZXItQWdlbnQ6IE9XQVNQIENSUyB0ZXN0IGFnZW50DQoNCi0tYm91bmRhcnkNCkNvbnRlbnQtIERpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGUiOyBmaWxlbmFtZT0iMS5waHAiDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InBvc3QiDQoNCjw/cGhwIHZhcl9kdW1wKGZpbGVfZ2V0X2NvbnRlbnRzKCIvZXRjL3Bhc3N3ZCIpKTsNCi0tYm91bmRhcnktLQ==" | ||
| output: | ||
| # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine, | ||
| # parsing will fail and the body will be considered invalid. | ||
| log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-5 | ||
| desc: "Negative test: no character from outside of range in multipart header; '!' is allowed (!, the first character in the range of valid characters))" | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| headers: | ||
| Host: "localhost" | ||
| User-Agent: "OWASP CRS test agent" | ||
| Content-Type: multipart/form-data; boundary=boundary | ||
| Accept: "*/*" | ||
| method: POST | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| data: | | ||
| --boundary | ||
| Content-!Disposition: form-data; name="file"; filename="1.php" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); ?> | ||
| --boundary-- | ||
| output: | ||
| no_log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-6 | ||
| desc: "Negative test: no character from outside of range in multipart header; '~' is allowed (~, the last valid character in the range of valid characters)" | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| headers: | ||
| Host: "localhost" | ||
| User-Agent: "OWASP CRS test agent" | ||
| Content-Type: multipart/form-data; boundary=boundary | ||
| Accept: "*/*" | ||
| method: POST | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| data: | | ||
| --boundary | ||
| Content~Disposition: form-data; name="file"; filename="1.php" | ||
| Content-Disposition: form-data; name="post" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); ?> | ||
| --boundary-- | ||
| output: | ||
| no_log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
| - test_title: 922130-7 | ||
| desc: | | ||
| Positive test: special character in multipart header. | ||
| Request is a multipart request with 2 Content-Disposition headers, | ||
| where the first one contains a 0x7F character, the first invalid character after the valid range. | ||
| --boundary | ||
| Content\x7F-Disposition: form-data; name="file"; filename="1.php" | ||
| Content-Disposition: form-data; name="post" | ||
|
|
||
| <?php var_dump(file_get_contents("/etc/passwd")); | ||
| --boundary-- | ||
| stages: | ||
| - stage: | ||
| input: | ||
| dest_addr: 127.0.0.1 | ||
| port: 80 | ||
| uri: "/post" | ||
| version: "HTTP/1.1" | ||
| encoded_request: "UE9TVCAvcG9zdCBIVFRQLzEuMQ0KQWNjZXB0OiAqLyoNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMTg2DQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGE7IGJvdW5kYXJ5PWJvdW5kYXJ5DQpIb3N0OiBsb2NhbGhvc3QNClVzZXItQWdlbnQ6IE9XQVNQIENSUyB0ZXN0IGFnZW50DQoNCi0tYm91bmRhcnkNCkNvbnRlbnR/LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGUiOyBmaWxlbmFtZT0iMS5waHAiDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InBvc3QiDQoNCjw/cGhwIHZhcl9kdW1wKGZpbGVfZ2V0X2NvbnRlbnRzKCIvZXRjL3Bhc3N3ZCIpKTsNCi0tYm91bmRhcnktLQ==" | ||
| output: | ||
| # The rule will match when an older version of the engine doesn't fail parsing. In newer versions of the engine, | ||
| # parsing will fail and the body will be considered invalid. | ||
| log_contains: 'Multipart parsing error: Multipart: Invalid part header \(contains invalid character\)|\[id "922130"\] \[msg "Multipart header contains characters outside of valid range"\]' | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.