The following bypass was pasted on twitter.
{ 1 }; ;+$u+cat+/etc$u/passwd$u
{ 2 }; ;+$u+cat+/etc$u/passwd+\#
https://twitter.com/spyerror/status/1162826904833089541?s=19
According to @franbuehler, this passes on PL1, but is being detected on PL2.
RCE rule detection bypass
See above.
CRS 3.1
[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
First command gets the following scores:
individual paranoia level scores: 0, 13, 11, 13
Second command:
individual paranoia level scores: 0, 18, 11, 13
This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html
If only it would be merged ...
IIRC we already talk about that in a meeting (refer to https://www.secjuice.com/web-application-firewall-waf-evasion/). If you agree, I would try to catch this bypass technique in PL1.
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days
still in progress...
Most helpful comment
This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html