

fix: editing tag false positive (#65)
* fix: editing tag false positive * fix: editing tag false positive * fix: check log output correctly * fix: move `ARGS_NAMES:users[0]` to its own rule * up
1 parent b6ada60 commit 341f5ba

7 files changed

+48
-15
lines changed


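--- a/plugins/wordpress-rule-exclusions-before.conf
+++ b/plugins/wordpress-rule-exclusions-before.conf
@@ -466,6 +466,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
 ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
+ctl:ruleRemoveTargetById=932235;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
@@ -477,6 +478,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
 ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
 ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
+ctl:ruleRemoveTargetById=920273;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
@@ -488,6 +490,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
 ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
+ctl:ruleRemoveTargetById=942432;ARGS:wp_http_referer,\
 ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
 ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
 ver:'wordpress-rule-exclusions-plugin/1.0.1'"
@@ -624,6 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 # The ID variable is used all over wordpress
+# Managing users
 SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
 "id:9507601,\
 phase:1,\
@@ -632,6 +636,8 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
 nolog,\
 ctl:ruleRemoveTargetById=932236;ARGS_NAMES:id,\
 ctl:ruleRemoveTargetById=932236;ARGS_NAMES:ids,\
+ctl:ruleRemoveTargetById=920273;ARGS_NAMES:users[0],\
+ctl:ruleRemoveTargetById=942432;ARGS_NAMES:users[0],\
 ver:'wordpress-rule-exclusions-plugin/1.0.1'"
 
 #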
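Review bot: The two new `ARGS_NAMES:users[0]` targets in rule 9507601 name only the first array index, so a bulk action that posts further indexes (`users[1]`, `users[2]`, …) or the un-indexed `users[]` form will still trip 920273 and 942432 at PL4, assuming WordPress emits those names for a multi-user selection. A regex selector would cover the whole family, `ctl:ruleRemoveTargetById=920273;ARGS_NAMES:/^users\[\d*\]$/,\` and likewise for 942432, provided the engine in use accepts regex target selectors inside ctl actions (ModSecurity does). Separately, the 932235 exclusion for `ARGS:_wp_http_referer` is added to the `@unconditionalMatch` rule, so a base-paranoia command-injection rule is now disabled for that parameter on every URI rather than only the `/wp-admin/` paths the new regression test exercises; a one-line comment stating why the site-wide scope is acceptable, or placing it under a `/wp-admin/`-scoped rule, would help later reviewers. The `@unconditionalMatch` rule begins before the first hunk.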

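--- a/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
@@ -20,7 +20,7 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-login.php?pwd=<script>
 output:
-no_log_contains: |
+no_log_contains: |-
 id "932236"|id "941110"
 - test_title: 9507100-2
 desc: ARGS:redirect_to tends to contain multiple special characters since it'll include the redirect URL
@@ -37,5 +37,5 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-login.php?redirect_to=;;;;;;;;;;;;
 output:
-no_log_contains: |
+no_log_contains: |-
 id "942430"|id "942431"|id "942432"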

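--- a/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
@@ -22,5 +22,5 @@ tests:
 uri: /post/wp-admin/admin-ajax.php
 data: |
 log=test&pwd=%3Cscript%3E&redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1
-no_log_contains: |
+no_log_contains: |-
 id "932236"|id "941110"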

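--- a/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
@@ -23,5 +23,5 @@ tests:
 uri: /post/wp-json/wp/v2/global-styles/1?wp_theme_preview=twentytwentyfour&_locale=user
 data: |
 {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
-no_log_contains: |
+no_log_contains: |-
 id "942100|id "942440"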
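Review bot: The alternation on the last line, `id "942100|id "942440"`, is missing the closing quote after 942100; it still matches today only because `id "942100` is a prefix of the logged `id "942100"`, but it is inconsistent with every other `no_log_contains` pattern on this page and would also match any rule id beginning with 942100. Since the line directly above it is already being changed in this commit, fix it to `id "942100"|id "942440"`.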

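--- a/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
@@ -26,5 +26,5 @@ tests:
 data: |
 {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
 <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
-no_log_contains: |
+no_log_contains: |-
 id "932240"|id "932236"|id "941100"|id "941150"|id "941160"|id "941180"|id "941181"|id "941320"|id "942210"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942520"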

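--- a/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
@@ -24,5 +24,5 @@ tests:
 {"validation":"require-all-validate","requests":[{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:paragraph -->\n<p>test</p>\n<!--/wp:paragraph -->"}},"sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:search{\"label\":\"Search\",\"buttonText\":\"Search\"} /-->"}},
 "sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:table-->\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td></td><td></td></tr><tr><td></td><td></td></tr></tbody></table></figure>\n<!-- /wp:table-->"}},"sidebar":"sidebar-1"},"method":"POST"}]}
 output:
-no_log_contains: |
+no_log_contains: |-
 id "920272"|id "920273"|id "932200"|id "932236"|id "932240"|id "932370"|id "941150"|id "941180"|id "941181"|id "941320"|id "941330"|id "942130"|id "942131"|id "942200"|id "942210"|id "942260"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942460"|id "942520"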

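--- a/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
@@ -20,7 +20,8 @@ tests:
 version: "HTTP/1.1"
 uri: /get/wp-admin/user-edit.php?user_id=9&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dadd%26id%3D9
 output:
-no_log_contains: id "932236"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-2
 desc: Deleteing a user account
 stages:
@@ -37,8 +38,8 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-admin/users.php?s=&_wpnonce=random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
 output:
-no_log_contains: |
-id "920230"|id "942430"|id "942431"|id "942432"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-3
 desc: Disable 932236 for randomly generated nonce
 stages:
@@ -54,7 +55,8 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-admin/users.php?s=&_wpnonce=lsrandom&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
 output:
-no_log_contains: id "932236"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-4
 desc: Disable 942450 for randomly generated nonce
 stages:
@@ -70,7 +72,8 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-admin/users.php?s=&_wpnonce=0x0800random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
 output:
-no_log_contains: id "942450"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-5
 desc: Disable 932236 for randomly generated nonce
 stages:
@@ -86,7 +89,8 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-admin/users.php?s=&nonce=lsrandom
 output:
-no_log_contains: id "932236"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-6
 desc: Disable 942450 for randomly generated nonce
 stages:
@@ -102,7 +106,8 @@ tests:
 version: "HTTP/1.1"
 uri: /post/wp-admin/users.php?s=&nonce=0x0800random
 output:
-no_log_contains: id "942450"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-7
 desc: Requesting a static file with randomly generated version
 stages:
@@ -118,7 +123,8 @@ tests:
 version: "HTTP/1.1"
 uri: /get/example.js?ver=lsrandom
 output:
-no_log_contains: id "932236"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
 - test_title: 9507350-8
 desc: Requesting a static file with randomly generated version
 stages:
@@ -134,4 +140,25 @@ tests:
 version: "HTTP/1.1"
 uri: /get/example.js?ver=0x0000
 output:
-no_log_contains: id "942450"
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
+- test_title: 9507350-9
+desc: Editing tags
+stages:
+- stage:
+input:
+dest_addr: 127.0.0.1
+headers:
+Host: localhost
+User-Agent: OWASP CRS test agent
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Content-Type: application/x-www-form-urlencoded
+port: 80
+method: POST
+version: "HTTP/1.1"
+uri: /post/wp-admin/edit-tags.php
+data: |
+_wp_http_referer=/wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag
+output:
+no_log_contains: |-
+id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"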
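Review bot: None of the `no_log_contains` lists in this file mention 920273, yet two of the exclusions this commit adds in the conf file (`ARGS:wp_http_referer` and `ARGS_NAMES:users[0]`) exist specifically to silence 920273, so those exclusions get no regression coverage here. Appending `|id "920273"` to the list, at least in 9507350-2 (which posts `users[0]`) and in the new 9507350-9, would pin them. Note also that the body of 9507350-9 leaves the `&` characters inside the `_wp_http_referer` value unencoded, so the engine will parse the body as four separate arguments (`_wp_http_referer`, `tag_ID`, `post_type`, `wp_http_referer`) rather than one referer carrying a nested query string; if the split is intended, a short `desc` note saying so would avoid confusion, otherwise percent-encode the value as 9507350-2 does.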
