coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

Add a rule to prevent fname~{\d+}.ext issues #494

Closed CRS-migration-bot closed 4 years ago

CRS-migration-bot commented 4 years ago

Issue originally created by user csanders-git on date 2016-08-09 12:56:30. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/494.

This is highlighted in ivanr's talk from a while ago -- but I don't think we'll see this pattern very frequently in requests and as a result we can attempt to block these.

Examples for regressions:

GET /ADMIN~1.ASP
GET /admin~2.ASP
GET /bob~1.html

There MAY be some false positives here because these are in fact legit files, and my understanding from the Microsoft link below is that files with the same name will have the ~\d extension appended.

https://blog.qualys.com/wp-content/uploads/2012/08/Protocol-Level%20Evasion%20of%20Web%20Application%20Firewalls%20(Ivan%20Ristic,%20Qualys,%20Black%20Hat%20USA%202012)%20SLIDES.pdf

More Information https://support.microsoft.com/en-us/kb/142982

There may also be some interest in blocking uploads with these extensions -- not quite sure this is necessary

An example regex:

^.*~\d+\.\w+$
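
As an added example (not code from this issue or from CRS), the proposed regex applied to request paths the way a rule on REQUEST_FILENAME would see them, next to a stricter variant that only accepts names of 8.3 shape; the stricter pattern and the sample request lines are assumptions constructed here, not taken from the issue.

```python
import re

# Regex proposed in the issue, applied to the request path (REQUEST_FILENAME in CRS).
BROAD = re.compile(r"^.*~\d+\.\w+$")

# Stricter variant (added here, not from the issue): only accept names that fit the
# DOS 8.3 shape, i.e. at most 8 characters before the dot (including ~N) and a 1-3
# character extension. Fewer false positives on long legitimate names such as
# "release~20160809.tgz", at the cost of missing bob~1.html (4-character extension).
STRICT = re.compile(r"^(?:.*/)?(?=[^/.]{1,8}\.)[^/.~]+~\d+\.[A-Za-z0-9]{1,3}$")


def flag_short_name(path: str, strict: bool = False) -> bool:
    """True if the path looks like a Windows 8.3 short-name alias."""
    pattern = STRICT if strict else BROAD
    return pattern.match(path) is not None


def scan_requests(lines, strict=False):
    """Return (method, path) pairs whose path matches, from request lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        method, target = parts[0], parts[1]
        path = target.split("?", 1)[0]  # the rule looks at the path, not the query string
        if flag_short_name(path, strict):
            hits.append((method, path))
    return hits


# Constructed sample request lines, including the issue's regression cases.
SAMPLE = [
    "GET /ADMIN~1.ASP HTTP/1.1",
    "GET /admin~2.ASP HTTP/1.1",
    "GET /bob~1.html HTTP/1.1",
    "GET /ADMIN~1.ASP?debug=1 HTTP/1.1",
    "GET /docs/release~20160809.tgz HTTP/1.1",  # legitimate long name: broad-only hit
    "GET /admin.asp HTTP/1.1",                   # long name, not an alias: never flagged
]

if __name__ == "__main__":
    for method, path in scan_requests(SAMPLE):
        print(f"broad  {method} {path}")
    for method, path in scan_requests(SAMPLE, strict=True):
        print(f"strict {method} {path}")
```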

CRS-migration-bot commented 4 years ago

User fgsch commented on date 2019-10-20 22:25:14:

This issue has timed out as it has not received any update in over 2 years. If this is still a problem please open a new issue.