feat: added detection for RCE via Referer header #3993
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
@theseion LGTM :)

Will check, need a little time though.

@Xhoenix You are doing double URL decode using

Also, I don't think we need such a complex rule for this. According to RFC 9110,

I checked RFC 9110 and the Referer header must not contain fragments. I think we should just update rule

I think rule 932200 covers that. This is after all based off of 932200.

932200 doesn't check the Referer header.

I checked and rule 932205 does check the Referer header in the URL part.

Should we close this PR?

No, but we need to finish it.

@theseion You forgot this comment.

No, as I wrote above, I think we need an additional rule because 932200 doesn't check the Referer header:

You probably misread:

So we'll have everything covered except for the URI itself in the Referer header. You were right @Xhoenix.
    version: HTTP/1.0
  output:
    log:
      match_regex: "Matched Data: .*? found within REQUEST_HEADERS:Referer: .*"
Don't use wildcards here but the full string to match. With the wildcards, we won't see the value of TX.0 and won't know whether it is what we expect it to be.
Well, the regex is matching REQUEST_HEADERS:Referer, as per logdata, which is what you asked to implement.
Fixes #3498