Adds initial support to @detectXSS

Libinject was recently updated to support XSS detection. This commit adds initial support to it.
2025-09-29 11:16:33 +03:00 · 2014-02-17 06:31:38 -08:00
parent 47f5cf92db
commit 66939d059b
14 changed files with 1590 additions and 4 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,7 +1,9 @@
 check_PROGRAMS = msc_test
 msc_test_SOURCES = msc_test.c \
    $(top_srcdir)/apache2/acmp.c \
+    $(top_srcdir)/apache2/libinjection/libinjection_html5.c \
    $(top_srcdir)/apache2/libinjection/libinjection_sqli.c \
+    $(top_srcdir)/apache2/libinjection/libinjection_xss.c \
    $(top_srcdir)/apache2/modsecurity.c \
    $(top_srcdir)/apache2/msc_crypt.c \
    $(top_srcdir)/apache2/msc_geo.c \
--- a/tests/op/detectXSS.t
+++ b/tests/op/detectXSS.t
@@ -0,0 +1,18 @@
+{
+   type => "op",
+   name => "detectXSS",
+   input => "",
+   ret => 0
+},
+{
+   type => "op",
+   name => "detectXSS",
+   input => "this is not an XSS",
+   ret => 0
+},
+{
+   type => "op",
+   name => "detectXSS",
+   input => "<a href=\"javascript:alert(1)\">)",
+   ret => 1
+}
--- a/tests/regression/misc/25-libinjection.t
+++ b/tests/regression/misc/25-libinjection.t
@@ -0,0 +1,110 @@
+### libinjection.
+
+{
+	type => "misc",
+	comment => "libinjection SQLi - with SQLi",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@detectSQLi" "id:192372,log,deny"
+	),
+	match_log => {
+		error => [ qr/detected SQLi using libinjection/, 1],
+		debug => [ qr/detected SQLi using libinjection/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"some_variable=-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
+	),
+},
+{
+	type => "misc",
+	comment => "libinjection SQLi - without SQLi",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@detectSQLi" "id:192372,log,deny"
+	),
+	match_log => {
+		-error => [ qr/detected SQLi using libinjection/, 1],
+		-debug => [ qr/detected SQLi using libinjection/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"some_variable=hello cruel world"
+	),
+},
+{
+	type => "misc",
+	comment => "libinjection XSS - with XSS",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@detectXSS" "id:192372,log,deny"
+	),
+	match_log => {
+		error => [ qr/detected XSS using libinjection/, 1],
+		debug => [ qr/detected XSS using libinjection/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"some_variable=<a href=\"javascript:alert(1)\">"
+	),
+},
+{
+	type => "misc",
+	comment => "libinjection XSS - without XSS",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@detectXSS" "id:192372,log,deny"
+	),
+	match_log => {
+		-error => [ qr/detected XSS using libinjection/, 1],
+		-debug => [ qr/detected XSS using libinjection/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"some_variable=hello cruel world"
+	),
+}