DevRetreat21DemoSite
Project lead for this during the dev retreat: @lifeforms / @fzipi
Project lead for this after the dev retreat: @theMiddle
The idea is to give users / researchers a simple way to test their payloads against CRS. The result should be a usable proof of concept.
This project got its own repository at https://github.com/coreruleset/crs-sandbox
Basic documentation follows below.
Request flow from the architecture diagram (Security Researcher, OpenResty in front, Web Server behind it, Logs):
1: Request* -> Security Researcher to OpenResty
2: HTTP Proxy -> OpenResty to Web Server
3: Log written -> Web Server to Logs
4: Log read using Unique Transaction ID -> OpenResty reads from Logs
5: Response -> OpenResty to Security Researcher
https://playground.coraza.io/ could be a base to try this out.
A different, simpler and more limited approach would be the following interface:
=====================================
foo = <enter payload here (textarea)>
_______________________________
_______________________________
_______________________________
[ button: Submit vs CRS PL1 ] [button: Submit vs CRS PL2] [button: Submit vs CRS PL3] [button: Submit vs CRS PL4]
=====================================
The following thoughts on reporting the triggered rules apply:
Thought about the implementation again. I guess one problem is getting logs from an ongoing request. So what we need to do is:
1. Request is submitted
2. $UNIQUE_ID for the request is generated (automatically)
3. Custom allow-list rule set protects our server: only a single parameter is allowed, etc.
4. CRS does its thing
5. Redirect to the report URI with the query-string argument reqid=$UNIQUE_ID
6. Browser follows the redirect
7. Reporting script / app / whatever takes the $UNIQUE_ID, grabs the corresponding alerts, displays them in readable form, status 200 is returned
Problem: the user may want to refine the payload and submit it again, so we might need to stay on the submission form and display the original payload again.
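As an added illustration (not code from this wiki page or the crs-sandbox project), a small reporting helper for the redirect and reporting steps above and for the refinement problem: it picks reqid out of the report URI, finds the matching transaction in the audit log, lists the CRS alerts in readable form and echoes the original payload so the form can be refilled. It assumes libmodsecurity's JSON audit-log layout (SecAuditLogFormat JSON), a single form parameter named foo as in the mock-up, and constructed sample log entries.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample entries in the shape libmodsecurity writes with
# SecAuditLogFormat JSON (one object per transaction); every value is made up.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"transaction": {"unique_id": "AAA111", "request": {"uri": "/submit?foo=1%27+OR+1%3D1--"},
     "messages": [
        {"message": "SQL Injection Attack Detected via libinjection",
         "details": {"ruleId": "942100", "severity": "2",
                     "data": "Matched Data: s&1 found within ARGS:foo: 1' OR 1=1--"}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)", "details": {"ruleId": "949110", "severity": "2"}}]}},
    {"transaction": {"unique_id": "BBB222", "request": {"uri": "/submit?foo=hello"}, "messages": []}},
])
SEVERITY = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
            "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}

def reqid_from_report_url(url):
    # reqid=$UNIQUE_ID from the report URI the WAF redirected the browser to
    ids = parse_qs(urlparse(url).query).get("reqid", [])
    return ids[0] if ids else None

def lookup_transaction(unique_id, audit_log_text):
    # (original payload in ARGS:foo, CRS alerts) for one transaction, or None if not logged yet
    for line in filter(None, audit_log_text.splitlines()):
        tx = json.loads(line).get("transaction", {})
        if tx.get("unique_id") != unique_id:
            continue
        payload = parse_qs(urlparse(tx["request"]["uri"]).query).get("foo", [""])[0]
        alerts = [{"rule_id": m["details"].get("ruleId", "?"),
                   "severity": SEVERITY.get(m["details"].get("severity"), "UNKNOWN"),
                   "message": m.get("message", ""), "data": m["details"].get("data", "")}
                  for m in tx.get("messages", [])]
        return payload, alerts
    return None

def render_report(unique_id, audit_log_text):
    # Readable report; the payload is echoed so the submission form can be refilled.
    found = lookup_transaction(unique_id, audit_log_text)
    if found is None:
        return f"Transaction {unique_id} not in the audit log (yet)."
    payload, alerts = found
    lines = [f"Transaction {unique_id}, payload: {payload!r}",
             f"{len(alerts)} CRS rule(s) matched" if alerts else "no CRS rules matched"]
    for a in alerts:
        lines.append(f"  {a['rule_id']} [{a['severity']}] {a['message']}")
        if a["data"]:
            lines.append(f"      {a['data']}")
    return "\n".join(lines)
```

The "not in the audit log (yet)" branch is the race the note above points at: the audit entry is written after the response, so the report page may have to retry before the transaction shows up.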