Failed to include some OS commands injection payloads in #REQUEST-932-APPLICATION-ATTACK-RCE rules
Issue originally created by user umarfarook882 on 2017-06-14 05:43:35. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/809
I have tested these payloads on OWASP CRS; it failed to detect them. I have checked the rules in REQUEST-932-APPLICATION-ATTACK-RCE, and these payloads are not included in the regex pattern of any rule except ps. But I can execute the ps command on a vulnerable application without specifying arguments.
127.0.0.1 && cd /root/Desktop/ && pwd && service --status-all
127.0.0.1 && ps
127.0.0.1 && service mysql status
127.0.0.1 && service apache2 status
For more information check my demo video on Github
Top GitHub Comments
User lifeforms commented on date 2017-06-14 08:43:28:
Hi Umar, thanks for the report 😃
Indeed we currently only check for the `ps` command when including a trailing argument. This was a tradeoff, since the string `ps` happened a few times in a testing data set. So the value of executing the command was compared to the possible false positives, and I decided to require an argument, so that for instance `ps waux` (showing all other uid’s processes) would be blocked, but the less interesting `ps` would be left through.
I also considered `service`, but in my recollection this also caused many positives in English text. Basically people could not use the word `service` on a newline, after some punctuation, after a `;`, etc., and this happens sometimes in regular text. At the same time, the `service` command might provide some info leaks, but usually the web server process should not run as root and therefore it’s not likely that an attacker could stop/start services.
The same goes for `cd`: it’s not too dangerous in itself (it can be used to discover paths of course) but it happened too often in natural English text so I removed it.
However `pwd` is definitely something we could block I think. I wonder why we don’t have that yet. I’ll have to test this on my Reddit comments dataset.
User fgsch commented on date 2019-10-20 22:16:33:
This issue has timed out as it has not received any update in over 2 years. If this is still a problem please open a new issue.
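The detection/false-positive tradeoff lifeforms describes above, as an added illustration that is not part of the thread or of the CRS itself: a constructed, simplified stand-in for a 932-style command check (not the real CRS regex) with three variants, run over the issue's four payloads and some constructed benign prose. The sample texts, rule names and the `SHELL_POS` separator pattern are assumptions made for this example.

```python
import re

# Constructed stand-in for a CRS 932-style command-injection check, not the real
# CRS regex. A command word only counts when it is in "shell position": at the
# start of the input or right after a separator such as &&, ||, ;, | or newline.
SHELL_POS = r"(?:^|&&|\|\||[;|`\n])\s*"

def build_rule(bare: list, with_argument: list) -> re.Pattern:
    """Commands in `bare` match on their own; commands in `with_argument` match
    only when a trailing argument follows ("ps aux" but not "ps"), which is the
    tradeoff the maintainer describes for ps."""
    alts = [re.escape(c) + r"\b" for c in bare]
    alts += [re.escape(c) + r"\s+\S+" for c in with_argument]
    return re.compile(SHELL_POS + "(?:" + "|".join(alts) + ")", re.I | re.M)

# Three variants: ps only with an argument (as described in the thread), the
# suggested bare pwd on top of that, and a naive one that blocks every bare word.
RULES = {
    "ps_needs_argument": build_rule(bare=[], with_argument=["ps"]),
    "plus_bare_pwd": build_rule(bare=["pwd"], with_argument=["ps"]),
    "all_bare_words": build_rule(bare=["pwd", "ps", "service", "cd"], with_argument=[]),
}

# Constructed samples: the four payloads from the issue (True = attack) plus
# benign prose where the same words follow punctuation or start a line.
SAMPLES = {
    "127.0.0.1 && cd /root/Desktop/ && pwd && service --status-all": True,
    "127.0.0.1 && ps": True,
    "127.0.0.1 && service mysql status": True,
    "127.0.0.1 && service apache2 status": True,
    "Great support; service was quick and friendly.": False,
    "Step 2:\ncd into the project folder.": False,
    "PS: thanks for the quick reply!": False,
}

def evaluate(rule: re.Pattern, samples: dict) -> dict:
    """Split samples into true positives, false positives and missed attacks."""
    out = {"true_positive": [], "false_positive": [], "missed": []}
    for text, is_attack in samples.items():
        hit = rule.search(text) is not None
        if hit and is_attack:
            out["true_positive"].append(text)
        elif hit:
            out["false_positive"].append(text)
        elif is_attack:
            out["missed"].append(text)
    return out

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, {k: len(v) for k, v in evaluate(rule, SAMPLES).items()})
```

Running it shows the shape of the tradeoff: the argument-requiring variant misses all four reported payloads but raises no false positive, adding bare `pwd` catches the first payload for free, and blocking every bare word catches all four at the cost of flagging ordinary text such as "PS:" or "; service".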