diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 933fa0fd3..208bbf25d 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -612,6 +612,40 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# -=[ Rule 932200 ]=-
+#
+# Intercept RCE Bypass using uninitialized variables
+# Refer to: https://www.secjuice.com/web-application-firewall-waf-evasion/
+#
+# Examples:
+# - foo;cat$u/etc$u/passwd
+# - bar;cd+/etc;/bin$u/ca*+passwd
+#
+# (remove this line) Regex notes: https://regex101.com/r/JgZFRi/2/
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bin|boot|dev|etc|home|lib|media|mnt|opt|proc|root|run|sbin|srv|sys|tmp|usr|var|[a-z]\*|\*[a-z]+)\$[a-zA-Z@]" \
+ "id:932200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'RCE Bypass using Uninitialized Variable',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+ tag:'WASCTC/WASC-31',\
+ tag:'OWASP_TOP_10/A1',\
+ tag:'PCI/6.5.2',\
+ ver:'OWASP_CRS/3.2.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
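Review bot: Rule 932200 is tagged `attack-rce` and sits in the RCE file, yet its per-category counter is `setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'`, which looks copied from the preceding rule's context lines; `tx.anomaly_score_pl1` still blocks, but any reporting or thresholding on the RCE category score will not see hits from this rule. Unless the LFI counter is deliberate, the line should read `setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\` to match the RCE score the rest of this file accumulates outside the hunk. The comment `# (remove this line) Regex notes: https://regex101.com/r/JgZFRi/2/` is a leftover work note and should be deleted or rewritten as a permanent reference before merge. Because `t:lowercase` runs first, the `A-Z` in the trailing `[a-zA-Z@]` class is dead, and the alternation accepts ordinary words such as `home`, `run`, `var` or `root` followed by `$` and a letter at paranoia level 1, so a false-positive check against template-style parameter values and a note on that risk in the rule header would be worth adding.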