Owasp-modsecurity-crs: RCE detection bypass at PL1

Created on 19 Aug 2019  路  6Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

The following bypass was pasted on twitter.

{ 1 }; ;+$u+cat+/etc$u/passwd$u
{ 2 }; ;+$u+cat+/etc$u/passwd+\#

https://twitter.com/spyerror/status/1162826904833089541?s=19

According to @franbuehler, this passes on PL1, but is being detected on PL2.

Type of Issue

RCE rule detection bypass

Description

See above.

Your Environment

CRS 3.1

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

False Negative - Evasion PR available

Most helpful comment

This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html

All 6 comments

First command gets the following scores:
individual paranoia level scores: 0, 13, 11, 13

Second command:
individual paranoia level scores: 0, 18, 11, 13

This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html

If only it would be merged ...

IIRC we already talk about that in a meeting (refer to https://www.secjuice.com/web-application-firewall-waf-evasion/). If you agree, I would try to catch this bypass technique in PL1.

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

still in progress...

Was this page helpful?
0 / 5 - 0 ratings