Open wargio opened 1 year ago
For some reasons nginx or naxsi on the windows build does not decode correctly the bytes as we expect to see.
Logs:
2022-12-19T16:45:36.3777060Z rg: re.compile('^.*{\\"ip\\":\\"127\\.0\\.0\\.1\\",\\"server\\":\\"[a-z\\d.]+\\",\\"rid\\":\\"[a-f\\d]+\\",\\"uri\\":\\"\\/\\\\\\\\\\\\\\\\\\\\u00ff\\\\\\\\a\\",\\"id\\":20,\\"zone\\":\\"URL\\",\\"var_name\\":\\"\\") 2022-12-19T16:45:36.3777954Z fl: 2022/12/19 16:45:16 [error] 3516#6832: *1 {"ip":"127.0.0.1","server":"127.0.0.1","rid":"0c0f0000c5620000323a000091190000","uri":"/\u00ff/a","id":20,"zone":"URL","var_name":"","content":""}, client: 127.0.0.1, server: localhost, request: "GET /%5C%5C%ff%5Ca?b=<>%5C%5C HTTP/1.1", host: "127.0.0.1:8080" 2022-12-19T16:45:36.3778398Z 2022-12-19T16:45:36.3778808Z fl: 2022/12/19 16:45:16 [error] 3516#6832: *1 {"ip":"127.0.0.1","server":"127.0.0.1","uri":"/%FF/a","config":"drop","rid":"0c0f0000c5620000323a000091190000","zone0":"URL","id0":"20","var_name0":""}, client: 127.0.0.1, server: localhost, request: "GET /%5C%5C%ff%5Ca?b=<>%5C%5C HTTP/1.1", host: "127.0.0.1:8080"
Reproducer test
=== TEST 1.9: JSON log + extended + FF byte --- main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; --- http_config include $TEST_NGINX_NAXSI_RULES; --- config set $naxsi_json_log 1; set $naxsi_extensive_log 1; location / { SecRulesEnabled; DeniedUrl "/RequestDenied"; CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK; root $TEST_NGINX_SERVROOT/html/; index index.html index.htm; } location /RequestDenied { return 412; # return 412; } --- request eval "GET /%5C%5C%ff%5Ca?b=<>%5C%5C" --- error_code: 412 --- error_log eval qr@{"ip":"127\.0\.0\.1","server":"[a-z\d.]+","rid":"[a-f\d]+","uri":"\/\\\\\\\\\\u00ff\\\\a","id":20,"zone":"URL","var_name":"","content":""}, client: 127\.0\.0\.1,@
For some reasons nginx or naxsi on the windows build does not decode correctly the bytes as we expect to see.
Logs:
Reproducer test