fix: login redirect fp (#53)

EsadCetiner · web-flow · commit c885bdaed319 · 2024-07-12T14:49:24.000+10:00
diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
@@ -44,11 +44,21 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
     t:none,\
     nolog,\
     ctl:ruleRemoveTargetById=932236;ARGS_NAMES:pwd,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.1'"
+
+# Redirect for wp-login/wp-admin
+SecRule REQUEST_FILENAME "@rx /wp-(?:login|admin/admin-ajax)\.php$" \
+    "id:9507101,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=920230;ARGS:redirect_to,\
     ctl:ruleRemoveTargetById=931130;ARGS:redirect_to,\
     ctl:ruleRemoveTargetById=942430;ARGS:redirect_to,\
     ctl:ruleRemoveTargetById=942431;ARGS:redirect_to,\
     ctl:ruleRemoveTargetById=942432;ARGS:redirect_to,\
-    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
     ver:'wordpress-rule-exclusions-plugin/1.0.1'"
 
 # Reset password
@@ -76,6 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     pass,\
     t:none,\
     nolog,\
+    ctl:ruleRemoveTargetById=932236;ARGS_NAMES:pwd,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
     ver:'wordpress-rule-exclusions-plugin/1.0.1'"
 
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
@@ -0,0 +1,26 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Wordpress Rule Exclusions Plugin"
+  enabled: true
+  name: 9507121.yaml
+tests:
+  - test_title: 9507121-1
+    desc: Logging into WordPress
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-admin/admin-ajax.php
+            data: |
+              log=test&pwd=%3Cscript%3E&redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1
+            no_log_contains: |
+              id "932236"|id "941110"
