mrheinen / lophiid

A distributed honeypot for monitoring large scale web attacks
GNU General Public License v2.0

Allow content javascripts to support multi request attacks (create rules) #11

Open mrheinen opened 2 months ago

mrheinen commented 2 months ago

Imagine the following scenario:

An attacker sends a payload that creates the file "dsdds.php", which is a remote shell. However, the file name is random, so when the attacker tries to send the next stage to this remote shell, it will fail because there is no rule for it in lophiid.

In this case it would be great if the content script that handled the initial payload could create a "rule" so that future requests for the random file are matched.

Such rules should be temporarily active to prevent abuse and because of the simple fact that they are only relevant for one specific attack, so there is no need to keep the rule around. We should clean up these rules automatically. Perhaps the maximum lifetime of such a rule should be given as a parameter to the rule creation JavaScript function that we'll implement. Then a background thread can loop over the rules occasionally and remove or disable expired ones.

I've also seen cases where the random file expects a random string as input or prints one. In that case, it might be necessary to also allow the script to create a Content. I would keep that out of scope for this issue though.
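The temporary-rule store and cleanup loop sketched in the comment above, written in Go as an added example; this is not lophiid's own code and not the API it exposes to content scripts. The names TempRule, RuleStore, AddRule, Match, Sweep and RunSweeper are assumed for illustration, as is the choice to match a rule on a single request path. The maxTTL parameter to AddRule is one way to realise the "prevent abuse" point: the script asks for a lifetime, but the server caps it.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// TempRule is a hypothetical temporary rule created by a content script after
// it handled the first stage of an attack (e.g. the request that dropped
// "dsdds.php"). It matches one request path and carries its own expiry.
type TempRule struct {
	Path      string
	ContentID int
	ExpiresAt time.Time
}

// RuleStore keeps the temporary rules. Assumed design for this example only.
type RuleStore struct {
	mu    sync.Mutex
	rules map[string]TempRule
	now   func() time.Time // clock, replaceable in tests
}

func NewRuleStore() *RuleStore {
	return &RuleStore{rules: make(map[string]TempRule), now: time.Now}
}

// AddRule is what the script-facing rule creation function would call.
// The script passes the lifetime it wants; maxTTL caps it so a script can
// never create a rule that lingers indefinitely.
func (s *RuleStore) AddRule(path string, contentID int, ttl, maxTTL time.Duration) TempRule {
	if ttl <= 0 || ttl > maxTTL {
		ttl = maxTTL
	}
	r := TempRule{Path: path, ContentID: contentID, ExpiresAt: s.now().Add(ttl)}
	s.mu.Lock()
	s.rules[path] = r
	s.mu.Unlock()
	return r
}

// Match returns the content ID of a live rule for path, or -1 if none. An
// expired rule is treated as absent even before the sweeper removes it, so
// correctness does not depend on how promptly the background loop runs.
func (s *RuleStore) Match(path string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rules[path]
	if !ok || !s.now().Before(r.ExpiresAt) {
		return -1
	}
	return r.ContentID
}

// Sweep deletes expired rules and reports how many it removed.
func (s *RuleStore) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	removed := 0
	for p, r := range s.rules {
		if !now.Before(r.ExpiresAt) {
			delete(s.rules, p)
			removed++
		}
	}
	return removed
}

// Len reports how many rules are stored, expired or not.
func (s *RuleStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.rules)
}

// RunSweeper is the background loop: it calls Sweep every interval until
// stop is closed.
func (s *RuleStore) RunSweeper(interval time.Duration, stop <-chan struct{}) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-t.C:
			s.Sweep()
		case <-stop:
			return
		}
	}
}

func main() {
	s := NewRuleStore()
	stop := make(chan struct{})
	go s.RunSweeper(20*time.Millisecond, stop)
	defer close(stop)

	// Constructed scenario: the first-stage script saw the random shell name
	// and asks for a 50ms rule (short only so the demo finishes quickly).
	s.AddRule("/dsdds.php", 42, 50*time.Millisecond, time.Hour)
	fmt.Println("second stage matched:", s.Match("/dsdds.php")) // 42
	time.Sleep(100 * time.Millisecond)
	fmt.Println("after expiry:", s.Match("/dsdds.php")) // -1
}
```

Because Match checks the expiry itself, the sweeper only reclaims memory; a slow or crashed sweeper cannot leave an expired rule matching traffic. The injectable clock is what lets the expiry logic be tested without sleeping.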