feat: add potential malicious file extensions into tx.restricted_extensions by Xhoenix · Pull Request #4068 · coreruleset/coreruleset · GitHub

feat: add potential malicious file extensions into tx.restricted_extensions #4068


Merged: 3 commits, Mar 31, 2025

Conversation

Xhoenix
Copy link
Member
@Xhoenix Xhoenix commented Mar 31, 2025

Fixes #3143

Source: Copilot chat

Here are some insights into potentially malicious file extensions from your list and why you should consider adding them to your Web Application Firewall (WAF) rules:

### **Potentially Malicious Extensions**
1. **`.hta` (HTML Application)**: These files can execute arbitrary commands and are often used in phishing attacks.
2. **`.reg` (Registry File)**: Can modify system registry settings, potentially introducing malware.
3. **`.sct` (Windows Script Component)**: Often exploited to execute malicious scripts.
4. **`.shs` (Shell Scrap Object)**: Can contain executable code disguised as harmless files.
5. **`.tmp` (Temporary File)**: While not inherently malicious, these files can be used to store malware payloads.
6. **`.ani` (Animated Cursor File)**: Vulnerabilities in `.ani` files have been exploited in the past to execute malicious code.
7. **`.application` (ClickOnce Application Installer)**: Can install malicious software if not properly verified.
8. **`.gadget` (Windows Gadget File)**: Can execute code and is often targeted by attackers.


---

### **Additional Potentially Malicious Extensions**
1. **`.inf` (Setup Information File)**: Can be used to run commands or configure settings, sometimes maliciously.
2. **`.ini` (Configuration File)**: Often targeted to alter application settings or hide malicious code.
3. **`.msc` (Microsoft Management Console Snap-in)**: Could be exploited to manage and change system configurations maliciously.
4. **`.sys` (System File)**: Directly interacts with the operating system, and malicious `.sys` files can severely compromise a system.
5. **`.drv` (Driver File)**: Can manipulate hardware drivers to execute malicious code.
6. **`.bat` and `.cmd` (Batch Script Files)**: Can automate harmful command-line operations.
7. **`.tmp` (Temporary File)**: Sometimes serves as a staging ground for malicious payloads.
8. **`.vxd` (Virtual Device Driver File)**: Could be exploited to control hardware or software operations.

---

### **Less Directly Malicious but Still Risky**
1. **`.cer`, `.crt`, `.key`, `.pfx`, `.prf` (Certificate and Key Files)**: If intercepted or altered, these can compromise secure connections and identity verification.
2. **`.compositefont` and `.ttf` (Font Files)**: Vulnerabilities in font processing have been exploited to execute malicious code.
3. **`.rdp` (Remote Desktop Protocol File)**: Could allow remote attackers to gain unauthorized access if misconfigured or manipulated.

---
Here is an analysis of the file extensions you provided, focusing on their potential risks and whether they might warrant blocking in your Web Application Firewall (WAF):

---

### **Potentially Dangerous Extensions**
1. **`.app`**: Could execute applications, depending on the system it targets. Monitor closely.
2. **`.bat` and `.cmd`**: Batch script files often automate malicious operations. These should be blocked or monitored.
3. **`.com` and `.exe`**: Common executable files that can run harmful code directly on a system.
4. **`.dll` (Dynamic Link Library)**: Can be exploited to load malicious code into legitimate processes.
5. **`.jar`**: Java Archive files that may execute malicious Java code.
6. **`.jnlp`**: Java Network Launch Protocol files that can launch Java applications over a network, potentially malicious.
7. **`.js` and `.jse`**: JavaScript files used for scripting; often exploited for attacks like XSS or phishing.
8. **`.lnk` (Shortcut File)**: Can be crafted to link to malicious executables.
9. **`.msi`, `.msp`, `.mst`**: Windows Installer files that may be used to install malicious programs.
10. **`.ocx` (ActiveX Control)**: Often used in exploits targeting Internet Explorer or related applications.
11. **`.pif`**: Program Information File that can execute malicious DOS-based programs.
12. **`.scr` (Screensaver File)**: Can hide malware in the guise of legitimate screensaver files.
13. **`.tlb`**: Type Library files that could be used to load malicious components.
14. **`.url`**: Could redirect to malicious websites.
15. **`.vbe` and `.vbs`**: VBScript files often used in ransomware or phishing attacks.
16. **`.ws`, `.wsc`, `.wsf`, `.wsh`**: Windows Script files capable of executing harmful scripts or automating malicious tasks.

---
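The list above is only useful once you can see what it would actually stop on your own traffic, which is the false-positive question the reviewers raise below. The script that follows is an added example (not CRS code and not part of this PR): it parses a `tx.restricted_extensions` setvar from a crs-setup.conf-style fragment and mimics the shape of the rule 920440 check as the editor understands it (lowercased extension of the request basename, matched as a `.ext/` token against the list). The conf fragment, the rule-id and the sample URIs are constructed for the example; check them against your own crs-setup.conf before drawing conclusions.

```python
"""Offline triage of which request paths a CRS-style restricted_extensions
list would block. Added example, not CRS code: it reproduces the *shape*
of the 920440 check (basename extension, lowercased, matched as ".ext/"
against tx.restricted_extensions) as understood by the editor."""
from __future__ import annotations

import re
from posixpath import basename
from urllib.parse import unquote, urlsplit

# Constructed fragment in the style of crs-setup.conf.example (not the real
# file; the id is a stand-in, verify against your installed version).
SETUP_FRAGMENT = r"""
SecAction \
 "id:900240,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .bat/ .cmd/ .crt/ .dll/ .exe/ .hta/ .key/ .pfx/ .vbs/'"
"""


def parse_restricted_extensions(conf_text: str) -> frozenset[str]:
    """Return the space-separated ".ext/" tokens of the setvar, lowercased."""
    m = re.search(r"tx\.restricted_extensions=([^']*)'", conf_text)
    if not m:
        raise ValueError("no tx.restricted_extensions setvar found")
    return frozenset(tok.lower() for tok in m.group(1).split())


def request_extension(request_uri: str) -> str | None:
    """Extension of the request basename in the ".ext/" form the list uses,
    or None when the basename has no extension. Query string is ignored and
    percent-encoding is decoded before the basename is taken."""
    path = unquote(urlsplit(request_uri).path)
    m = re.search(r"\.([^.]+)$", basename(path))
    return f".{m.group(1).lower()}/" if m else None


def blocking_extension(request_uri: str, restricted: frozenset[str]) -> str | None:
    """The restricted token that would match this URI, or None if allowed."""
    ext = request_extension(request_uri)
    return ext if ext in restricted else None


def triage(request_uris, restricted: frozenset[str]) -> dict[str, str | None]:
    """Map each URI to the extension that would block it (None = allowed)."""
    return {uri: blocking_extension(uri, restricted) for uri in request_uris}


RESTRICTED = parse_restricted_extensions(SETUP_FRAGMENT)

# Constructed sample traffic: ordinary downloads a site might serve next to
# paths that would trip the list (.js deliberately absent from the list).
SAMPLE_URIS = [
    "/static/app.js?v=3",
    "/downloads/ca-bundle.crt",
    "/tools/Setup.EXE",
    "/reports/q1.pdf",
    "/api/users",
    "/files/archive.tar.gz",
    "/old/%2e%2e/run.bat",
]

if __name__ == "__main__":
    for uri, hit in triage(SAMPLE_URIS, RESTRICTED).items():
        print(f"{'BLOCK' if hit else 'allow':5} {uri}  {hit or ''}")
```

Run it against a sample of real access-log paths (swap `SAMPLE_URIS` for the basenames you serve) to see which of the proposed extensions would fire on legitimate downloads before enabling them; `.crt` in the sample shows the kind of hit the last comment in this thread worries about.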

Copy link
Contributor
github-actions bot commented Mar 31, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@Xhoenix
Copy link
Member Author
Xhoenix commented Mar 31, 2025

I think we can exclude the .js file extension, as some sites provide javascript files for download. Let me know if anyone has suggestions about the other extensions.

@azurit
Copy link
Member
azurit commented Mar 31, 2025

Of course you cannot block .js, rule 901164 920440 is not restricted to HTTP download.

You need to update also crs-setup.conf.example.

@azurit azurit changed the title feat: add malicious file extensions feat: add malicious file extensions into tx.restricted_extensions Mar 31, 2025
@azurit
Copy link
Member
azurit commented Mar 31, 2025

We cannot block also .jnlp and I'm in doubt about .app.

@azurit
Copy link
Member
azurit commented Mar 31, 2025

Looks ok for me but someone other should look at it, too.

@fzipi fzipi changed the title feat: add malicious file extensions into tx.restricted_extensions feat: add potential malicious file extensions into tx.restricted_extensions Mar 31, 2025
@fzipi fzipi added the release:new-detection In this PR we introduce a new detection label Mar 31, 2025
Copy link
Member
@fzipi fzipi left a comment


Looks reasonable. Let's see if we start getting FPs with some extension or not.

@Xhoenix Xhoenix added this pull request to the merge queue Mar 31, 2025
Merged via the queue into coreruleset:main with commit bc6450d Mar 31, 2025
8 checks passed
@Xhoenix Xhoenix deleted the add-restricted-file-extensions branch March 31, 2025 11:54
@EsadCetiner
Copy link
Member

That's quite a few new entries being added; I'm concerned this will cause false positives, especially since they're from an LLM. Copilot isn't explaining how these files relate to web app security, but more around security for desktop computers.

I'm having a pretty hard time imagining how accessing some of these files can be harmful; we should remove them if we can't think of a reasonable attack scenario.

A fair few of these are stuff like fonts, Windows cursor files, Windows 7 era gadget files, etc.

.hta should definitely be removed since it's a legacy file format for Internet Explorer (Yes, I know who uses IE, but I can't even think of a viable attack scenario for accessing this file).

.crt files are just certificate files; these are meant to be public, but I guess somebody could accidentally store a private key as a .crt file.

Labels: release:new-detection (In this PR we introduce a new detection)

Successfully merging this pull request may close these issues: Check / integrate GovCert file extension list