Failed to include some OS commands injection payloads in #REQUEST-932-APPLICATION-ATTACK-RCE rules

_Issue originally created by user umarfarook882 on date 2017-06-14 05:43:35. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/809._

I have tested these payloads on OWASP CRS; it failed to detect them. I have checked the rules in REQUEST-932-APPLICATION-ATTACK-RCE; these payloads are not included in the regex pattern of any rule except ps, but I can execute the ps command on a vulnerable application without specifying arguments.

    127.0.0.1 && cd /root/Desktop/ && pwd && service --status-all 
    127.0.0.1 && ps
    127.0.0.1 && service mysql status
    127.0.0.1 && service apache2 status

For more information, check my demo video on GitHub.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 13

Top GitHub Comments

1 reaction
CRS-migration-bot commented, May 13, 2020

User lifeforms commented on date 2017-06-14 08:43:28:

Hi Umar, thanks for the report 😃

Indeed we currently only check for the ps command when including a trailing argument. This was a tradeoff, since the string ps happened a few times in a testing data set. So the value of executing the command was compared to the possible false positives, and I decided to require an argument, so that for instance ps waux (showing all other uids' processes) would be blocked, but the less interesting ps would be let through.

I also considered service, but in my recollection this also caused many positives in English text. Basically people could not use the word service on a newline, after some punctuation, after a ;, etc, and this happens sometimes in regular text. At the same time, the service command might provide some info leaks but usually the web server process should not run as root and therefore it’s not likely that an attacker could stop/start services.

The same goes for cd, it’s not too dangerous in itself (it can be used to discover paths of course) but it happened too often in natural English text so I removed it.

However pwd is definitely something we could block I think. I wonder why we don’t have that yet. I’ll have to test this on my Reddit comments dataset.

0 reactions
CRS-migration-bot commented, May 13, 2020

User fgsch commented on date 2019-10-20 22:16:33:

This issue has timed out as it has not received any update in over 2 years. If this is still a problem please open a new issue.
