feat(933100, 933160): added t:urlDecodeUni for JSON / XML urlencoded #4345
+40 −4
Hello,
You may find this approach a bit overzealous, but I don’t understand why this transformation isn’t applied. These adjustments have been running here for years without any false positives.
At the moment, there is no PL1 rule that captures this payload variant (urlencoded):
curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:4" "https://sandbox.coreruleset.org/" -d '{"payload":"%3C%3Fphp%20eval%2F%2Atest%2A%2F%28%27%3F%3E%3C%3Fphp%20%27.eval%2F%2Atest%2A%2F%28%27return%20base64%27.%27_decode%28eval%2F%2Atest%2A%2F%28base64%27.%27_%27.%27dec%27.%27ode%27.%27%28%22cmV0dXJuICRfR0VUWyd0ZXN0J107%22%29%29%29%3B%27%29%29%3B"}' -H 'Content-type:application/json'

920230 PL2 Multiple URL Encoding Detected
920273 PL4 Invalid character in request (outside of very strict set)
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
933190 PL3 PHP Injection Attack: PHP Closing Tag Found
942340 PL2 Detects basic SQL authentication bypass attempts 3/3
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
942431 PL3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942511 PL3 SQLi bypass attempt by ticks detected
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 52)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=52, detection=52, per_pl=0-31-13-8, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=29, XSS=0, RFI=0, LFI=0, RCE=10, PHPI=5, HTTP=0, SESS=0, COMBINED_SCORE=52)
The non-urlencoded version is correctly detected:
echo "eyJwYXlsb2FkIjoiPD9waHAgZXZhbFwvKnRlc3QqXC8oJz8+PD9waHAgJy5ldmFsXC8qdGVzdCpcLygncmV0dXJuIGJhc2U2NCcuJ19kZWNvZGUoZXZhbFwvKnRlc3QqXC8oYmFzZTY0Jy4nXycuJ2RlYycuJ29kZScuJyhcImNtVjBkWEp1SUNSZlIwVlVXeWQwWlhOMEoxMDdcIikpKTsnKSk7In0=" | base64 -d > test && curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level:4" "https://sandbox.coreruleset.org/" -d '@test' -H 'Content-type:application/json'

920273 PL4 Invalid character in request (outside of very strict set)
932200 PL2 RCE Bypass Technique
932200 PL2 RCE Bypass Technique
932240 PL2 Remote Command Execution: Unix Command Injection evasion attempt detected
932190 PL3 Remote Command Execution: Wildcard bypass technique attempt
933100 PL1 PHP Injection Attack: PHP Open Tag Found
933160 PL1 PHP Injection Attack: High-Risk PHP Function Call Found
933161 PL3 PHP Injection Attack: Low-Value PHP Function Call Found
933190 PL3 PHP Injection Attack: PHP Closing Tag Found
942340 PL2 Detects basic SQL authentication bypass attempts 3/3
942370 PL2 Detects classic SQL injection probings 2/3
942430 PL2 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440 PL2 SQL Comment Sequence Detected
942431 PL3 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942460 PL3 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
942511 PL3 SQLi bypass attempt by ticks detected
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL? Inbound Anomaly Score Exceeded (Total Score: 77)
980170 PL? Anomaly Scores: (Inbound Scores: blocking=77, detection=77, per_pl=10-33-26-8, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=32, XSS=0, RFI=0, LFI=0, RCE=20, PHPI=20, HTTP=0, SESS=0, COMBINED_SCORE=77)
What do you think?
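As an added illustration of the gap described in this PR (example code written for this page, not part of the PR or of the CRS/ModSecurity code base): the script below applies a simplified stand-in for ModSecurity's t:urlDecodeUni to the JSON string values of the url-encoded request above and checks them with rough approximations of what 933100 (PHP open tag) and 933160 (high-risk PHP function call) look for. The JSON body is copied from the first curl command; the regexes, the `url_decode_uni`/`inspect` helpers and the benign second body are assumptions for illustration and are not the CRS rule regexes or ModSecurity's decoder.

```python
import json
import re

# Copied from the first curl command above (url-encoded variant), embedded so
# the example runs offline without hitting the sandbox.
URLENCODED_BODY = (
    '{"payload":"%3C%3Fphp%20eval%2F%2Atest%2A%2F%28%27%3F%3E%3C%3Fphp%20%27.eval'
    '%2F%2Atest%2A%2F%28%27return%20base64%27.%27_decode%28eval%2F%2Atest'
    '%2A%2F%28base64%27.%27_%27.%27dec%27.%27ode%27.%27%28%22'
    'cmV0dXJuICRfR0VUWyd0ZXN0J107%22%29%29%29%3B%27%29%29%3B"}'
)

# Constructed benign body: url-encoded values that must stay clean after decoding.
BENIGN_BODY = '{"q":"100%25+off%3F","tags":["a%2Bb"]}'

# Simplified approximations (assumption, NOT the CRS regexes) of the two rules:
# 933100 looks for a PHP open tag, 933160 for a high-risk function call such as eval().
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
HIGH_RISK_CALL = re.compile(r"\beval\s*(?:/\*.*?\*/)?\s*\(", re.I | re.S)


def url_decode_uni(value: str) -> str:
    """Single-pass stand-in for t:urlDecodeUni: '+' -> space, %uXXXX and %XX
    are decoded, malformed escapes are left untouched. '+' is handled before
    the percent escapes so that %2B still yields a literal '+', as a one-pass
    decoder would. ModSecurity's real implementation has more edge cases."""
    out = value.replace("+", " ")
    out = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
    out = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
    return out


def json_string_values(body: str):
    """Yield every string value in a JSON document, nested objects and arrays
    included, roughly mirroring what a JSON body processor exposes as ARGS."""
    def walk(node):
        if isinstance(node, dict):
            for child in node.values():
                yield from walk(child)
        elif isinstance(node, list):
            for child in node:
                yield from walk(child)
        elif isinstance(node, str):
            yield node
    yield from walk(json.loads(body))


def inspect(body: str, decode: bool) -> dict:
    """Run the two approximate checks over all JSON string values of `body`,
    with or without the url-decoding transformation applied first."""
    hits = {"933100": False, "933160": False}
    for value in json_string_values(body):
        if decode:
            value = url_decode_uni(value)
        if PHP_OPEN_TAG.search(value):
            hits["933100"] = True
        if HIGH_RISK_CALL.search(value):
            hits["933160"] = True
    return hits


if __name__ == "__main__":
    print("raw     :", inspect(URLENCODED_BODY, decode=False))
    print("decoded :", inspect(URLENCODED_BODY, decode=True))
    print("benign  :", inspect(BENIGN_BODY, decode=True))
```

Without the transformation the value only contains `%3C%3Fphp` and `eval%2F%2A...%28`, so neither pattern can fire; after decoding it reads `<?php eval/*test*/(` and both do, while the benign body decodes to plain text and stays clean. When evaluating a transformation like this for a PL1 rule, the false-positive side is the one to watch: any `%XX` sequence in a legitimate JSON value is now decoded before matching, so the rule's pattern must not match on what ordinary decoded data looks like.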