nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

block "padding" attacks #95

Closed adriandf closed 10 years ago

adriandf commented 10 years ago

Hi,

Would be nice to add MainRules out-of-the-box to block requests with "padding", e.g:

\x80w\x01\x03\x01\x00N\x00\x00\x00\x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00

Thanks, Adrian

buixor commented 10 years ago

Hey Adrian,

Can you tell me a bit more about what you are trying to achieve? Blocking hexa content, i.e. \xAA or ?

adriandf commented 10 years ago

Hi,

in short yes, block say \x00 type JavaScript encoding. Could have some "uses": https://blog.whitehatsec.com/hash-length-extension-attacks/ crypto attack http://blog.spiderlabs.com/2012/08/stripe-ctf-walkthrough.html -> Level 7 challenge, crypto attack http://www.exploit-db.com/exploits/22100/ for XSS or even SQLi.

Thanks, Adrian

buixor commented 10 years ago

hey :)

naxsi blocks / drops %00 encoding or any null bytes resulting from decoding. However, this is part of "internal" rules (along with, i.e., protocol anomaly rules), as it's hard to express in classic rules style. You can still add \x00 rules if you feel it's needed, however I'm not convinced; %00 tends to be used mostly, in my opinion?

On Mon, Nov 25, 2013 at 3:35 PM, adriandf notifications@github.com wrote:

> Hi,
>
> in short yes, block say \x00 type JavaScript encoding. Could have some "uses": https://blog.whitehatsec.com/hash-length-extension-attacks/ crypto attack http://blog.spiderlabs.com/2012/08/stripe-ctf-walkthrough.html -> Level 7 challenge, crypto attack http://www.exploit-db.com/exploits/22100/ for XSS or even SQLi.
>
> Thanks, Adrian

adriandf commented 10 years ago

in our logs we see quite some number of requests using \x00 requests so we did add a block. :)

buixor commented 10 years ago

oh cool :)

Can you please let us know more about the attacks you saw (live) that use / rely on this kind of encoding?

Cheers,

On Mon, Nov 25, 2013 at 4:04 PM, adriandf notifications@github.com wrote:

> in our logs we see quite some number of requests using \x00 requests so we did add a block. :)

adriandf commented 10 years ago

we used to have a "generator" for docs downloads on a site that appended an hmac value to the download URL. We noticed on that attacks similar to the ones listed in the whitehat blog.

These days we notice weird requests like these (it's always in this combo, from various IPs). Not sure what they mean with the first request (it does not have an HTTP method, nginx issues a 400). The second seems to be for a D-Link router vuln.

66.206.56.178 - - [25/Nov/2013:13:25:21 -0500] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
66.206.56.178 - admin [25/Nov/2013:13:25:21 -0500] "GET /HNAP1/ HTTP/1.1" 302 154 "http://my_server_ip" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"

Personally I like to block all junk/weird stuff from reaching the app and log that.
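The two detection ideas raised in this thread (naxsi's internal check for null bytes that appear after URL-decoding, and the wish above to flag junk request lines such as the escaped-byte blob before it reaches the app) can be illustrated as log triage. The following is an added example, not naxsi code or anything from the nbs-system project: a small Python script that parses nginx "combined" access-log lines, un-escapes the `\xHH` sequences nginx writes for non-printable bytes, and tags each request as having raw non-printable bytes, a malformed request line, or a null byte after percent-decoding. The first two sample lines are the shapes quoted in the comment above; the other two are constructed for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample log in nginx "combined" format. Lines 1-2 reproduce the
# shapes quoted in this issue; lines 3-4 are constructed (one benign download,
# one %00 probe that only becomes a null byte after URL-decoding).
SAMPLE_LOG = r'''
66.206.56.178 - - [25/Nov/2013:13:25:21 -0500] "\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00" 400 166 "-" "-"
66.206.56.178 - admin [25/Nov/2013:13:25:21 -0500] "GET /HNAP1/ HTTP/1.1" 302 154 "http://my_server_ip" "Mozilla/2.0 (compatible; MSIE 3.0B; Win32)"
192.0.2.10 - - [25/Nov/2013:13:26:02 -0500] "GET /docs/file.pdf?h=abc123 HTTP/1.1" 200 5120 "-" "curl/7.30"
192.0.2.11 - - [25/Nov/2013:13:26:05 -0500] "GET /index.php?page=%00../etc/passwd HTTP/1.1" 404 12 "-" "-"
'''

# nginx "combined" format; the request field never contains a literal quote
# because nginx escapes it as \x22, so [^"]* is safe here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# nginx writes each non-printable byte of the request line as \xHH.
ESCAPED_BYTE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^(?P<method>[A-Z]{3,10}) (?P<target>\S+) HTTP/\d\.\d$')


def unescape_request(field: str) -> str:
    """Turn nginx's \\xHH escapes back into the single characters they stand for."""
    return ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), field)


def analyze(line: str):
    """Parse one access-log line and return its fields plus a list of flags.

    Flags (in the order they are checked):
      raw-nonprintable       control or high bytes in the request line itself
      malformed-request-line no METHOD / target / HTTP version structure
      null-after-decode      the target contains %00 (or a raw NUL) once decoded
    Returns None for lines that do not parse as combined-format entries.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    request = unescape_request(m.group('request'))
    flags = []
    if any(ord(c) < 0x20 or ord(c) >= 0x7F for c in request):
        flags.append('raw-nonprintable')
    rl = REQUEST_LINE_RE.match(request)
    if rl is None:
        flags.append('malformed-request-line')
    elif '\x00' in unquote(rl.group('target')):
        # This is the case naxsi's internal rules cover: the bytes on the wire
        # are printable, the null byte only appears after URL-decoding.
        flags.append('null-after-decode')
    return {'ip': m.group('ip'), 'status': int(m.group('status')), 'flags': flags}


def scan(log_text: str):
    """Analyze every non-empty line; unparseable lines are skipped."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = analyze(line)
        if entry is not None:
            results.append(entry)
    return results


if __name__ == '__main__':
    for entry in scan(SAMPLE_LOG):
        tag = ', '.join(entry['flags']) or 'ok'
        print(f"{entry['ip']:<16} {entry['status']}  {tag}")
```

Note that the `/HNAP1/` probe on the second line carries no flags: it is a syntactically clean request, so it has to be matched on its path (a signature concern), not on encoding anomalies, which is exactly the distinction buixor draws between naxsi's internal protocol checks and classic rules.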

buixor commented 10 years ago

Thanks,

I will perform some tests to see whether it's worth it, however I'm a bit concerned about false positives. I'm closing the issue for now :)