github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds support to SecXMLExternalEntity

Browse Source
This commit is contained in:
Felipe Zimmerle
2016-05-18 17:01:53 -03:00
parent 6a7b970fe3
commit f989ecd5cb
13 changed files with 215 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
test/test-cases/regression/config-xml_external_entity.json Normal file
View File

@@ -0,0 +1,142 @@
[
{
"enabled":1,
"version_min":300000,
"title":"Testing SecXMLExternalEntity/XXE 1",
"expected":{
"debug_log": "Target value: \" jo smith\""
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"<!DOCTYPE author [",
"<!ELEMENT book (#PCDATA)>",
"<!ENTITY js \"Jo Smith\">",
"]>",
"<bookstore>",
"<book category=\"WEB\"> &js;</book>",
"</bookstore>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity Off",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML:/bookstore/book[text()] \".*\" \"id:500006,phase:3,t:none,t:lowercase,nolog,pass\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing SecXMLExternalEntity/XXE 2",
"expected":{
"debug_log": "XML: Failed to load DTD: test-cases/data/SoapEnvelope.dtd",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"<!DOCTYPE author [",
"<!ELEMENT book ANY>",
"<!ENTITY js SYSTEM \"/etc/passwd\">",
"]>",
"<bookstore>",
"<book category=\"WEB\"> &js;</book>",
"</bookstore>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity Off",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML:/bookstore/book \".*\" \"id:500006,phase:3,t:none,t:lowercase,nolog,pass,xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"Testing SecXMLExternalEntity/XXE 3",
"expected":{
"debug_log": "XML Error: No declaration for element bookstore",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
"port":123
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Cookie": "PHPSESSID=rAAAAAAA2t5uvjq435r4q7ib3vtdjq120",
"Content-Type": "text/xml"
},
"uri":"/?key=value&key=other_value",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
"<!DOCTYPE author [",
"<!ELEMENT book ANY>",
"<!ENTITY js SYSTEM \"/etc/passwd\">",
"]>",
"<bookstore>",
"<book category=\"WEB\"> &js;</book>",
"</bookstore>"
]
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML:/bookstore/book \".*\" \"id:500006,phase:3,t:none,t:lowercase,nolog,pass,xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
}
]

7
test/test-cases/regression/request-body-parser-xml-validade-dtd.json
View File

@@ -39,6 +39,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
@@ -84,6 +85,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
@@ -129,6 +131,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope.dtd\" \"id:500007,phase:3,deny\""
]
@@ -138,7 +141,8 @@
"version_min":300000,
"title":"Testing XML request body parser - validateDTD (bad DTD)",
"expected":{
"parser_error": "Line: 4. Column: 12. XML: Failed to load DTD: test-cases/data/SoapEnvelope-bad.dtd"
"debug_log": "Failed to load DTD: test-cases/data/SoapEnvelope-bad.dtd",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
@@ -173,6 +177,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateDTD test-cases/data/SoapEnvelope-bad.dtd\" \"id:500007,phase:3,deny\""
]

8
test/test-cases/regression/request-body-parser-xml.json
View File

@@ -43,6 +43,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500005,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateSchema test-cases/data/SoapEnvelope.xsd\" \"id:500007,phase:3,deny\""
]
@@ -92,6 +93,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateSchema test-cases/data/SoapEnvelope.xsd\" \"id:500007,phase:3,deny\""
]
@@ -141,6 +143,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateSchema test-cases/data/SoapEnvelope.xsd\" \"id:500007,phase:3,deny\""
]
@@ -190,6 +193,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateSchema test-cases/data/SoapEnvelope.xsd\" \"id:500007,phase:3,deny\""
]
@@ -199,7 +203,8 @@
"version_min":300000,
"title":"Testing XML request body parser (bad schema)",
"expected":{
"parser_error": " XML: Failed to load Schema: test-cases/data/SoapEnvelope-bad.xsd. XML Error: Failed to parse the XML resource 'test-cases/data/SoapEnvelope-bad.xsd"
"debug_log": "XML: Failed to load Schema: test-cases/data/SoapEnvelope-bad.xsd. XML Error: Failed to parse the XML resource 'test-cases/data/SoapEnvelope-bad.xsd",
"http_code": 403
},
"client":{
"ip":"200.249.12.31",
@@ -238,6 +243,7 @@
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecXMLExternalEntity On",
"SecRule REQUEST_HEADERS:Content-Type \"^text/xml$\" \"id:500008,phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML\"",
"SecRule XML \"@validateSchema test-cases/data/SoapEnvelope-bad.xsd\" \"id:500007,phase:3,deny\""
]