More OWASP compliance, added/modified regression tests

Author: eilandert

plugins/wordpress-hardening-before.conf

@@ -71,11 +71,14 @@ SecRule REQUEST_FILENAME "^/xmlrpc\.php" \
   "id:9522102,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  capture,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'xmlrpc',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: xmlrpc.php access attempt',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -96,11 +99,15 @@ SecMarker "BEGIN_WPHARD_USER_ENUMERATION"
 SecRule REQUEST_URI "@rx (author\=[0-9]+)|(wp/v2/users)" \
   "id:9522104,\
   phase:2,\
-  block,\
   t:lowercase,t:normalizePath,t:trim,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'enumeration',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request URI %{REQUEST_URI}',\
   msg:'Wordpress hardening: user enumeration detected',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -122,11 +129,15 @@ SecRule REQUEST_FILENAME "@rx ^/wp-json/.+" \
   "id:9522107,\
   phase:2,\
   t:lowercase,t:normalizePath,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'rest-api',\
   tag:'wp-json',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request FILENAME %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: /wp-json rest api access detected',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -148,10 +159,14 @@ SecRule REQUEST_URI "@beginsWith /wp-login.php" \
   "id:9522109,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'admin-login',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'WARNING',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'detected admin login',\
   msg:'Wordpress hardening: admin login attempt detected',\
     chain"
@@ -175,59 +190,52 @@ SecRule REQUEST_FILENAME "^/wp-cron\.php" \
   "id:9522111,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  capture,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'wpcron',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: /wp-cron.php access attempt',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecMarker "END_WPHARD_WPCRON"
 
-# No direct access to .php files or directory listings. (PL1)
-SecRule REQUEST_FILENAME "@rx ^/wp-(content|includes)/([^/]*/)*[^/.]+(\.php)?$" \
+# No direct access to .php files except index.php/wp-admin/xmlrpc/wpcron
+# (regression test)
+SecRule REQUEST_FILENAME "@rx ^(?!.*(?:\/wp-admin\/|(?:^|\/)(index|xmlrpc|wp-cron|wp-login)\.php$)).*\.php$" \
   "id:9522200,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  capture,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
-  logdata:'Request Filename %{REQUEST_FILENAME}',\
-  msg:'Wordpress hardening: Direct access to phpfiles or directory listings in wp-content or wp-includes not allowed',\
-  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-# Check for inclusion attacks on index.php (PL2)
-# (no regression test yet)
-SecRule REQUEST_FILENAME "@endsWith /index.php" \
-  "id:9522201,\
-  phase:2,\
-  t:lowercase,t:normalizePath,t:trim,\
+  tag:'direct-access',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
   block,\
   capture,\
-  severity:'CRITICAL',\
-  tag:'wordpress',\
-  tag:'inclusion-attack',\
-  msg:'Inclusion attack detected on index.php',\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
-  chain"
-    SecRule ARGS_GET "@contains %2F" \
-      "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-      chain"
-        SecRule ARGS_POST "@contains %2F" \
-          "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+  msg:'Wordpress hardening: attempt to access php files other than index.php',\
+  setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # No direct access to these files (PL1)
 # (regression test)
 SecRule REQUEST_FILENAME "@pmFromFile wordpress-hardening-files.data" \
   "id:9522202,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
+  tag:'direct-access',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: direct file access attempt on files that dont need that',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -238,10 +246,14 @@ SecRule REQUEST_FILENAME "@rx .(pl|cgi|py|sh|lua|asp)$" \
   "id:9522203,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'only-allow-php-extension',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: trying another interpreter',\
   setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -252,24 +264,32 @@ SecRule REQUEST_FILENAME "@rx ^/wp-content/uploads/.*\.(?:s?html?|js|swf|lua)$"
   "id:9522205,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'uploads',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: attempt to access wp-content/uploads nasty stuff',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Deny access to sensitive files (Pl1)
 # (regression test)
-SecRule REQUEST_FILENAME "@rx \.(conf|htaccess|htpass|sql|orig|bak|db|ini|md|log|git|github|swp$|DS_STORE$)($|/)?" \
+SecRule REQUEST_FILENAME "@rx \.(conf|htaccess|htpass|sql|orig|bak|db|ini|md|log|git|github|swp|DS_STORE)($|/)?" \
   "id:9522206,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'sensitive-files',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: denied access to sensitive files',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -280,11 +300,15 @@ SecRule REQUEST_FILENAME "@rx ^/wp-json/?$" \
   "id:9522207,\
   phase:2,\
   t:lowercase,t:normalizePath,t:trim,\
-  block,\
-  severity:'CRITICAL',\
   tag:'wordpress',\
   tag:'sensitive-files',\
   tag:'wp-json',\
+  accuracy:'9',\
+  maturity:'1',\
+  severity:'NOTICE',\
+  ver:'WPHARD/1.0.0',\
+  block,\
+  capture,\
   logdata:'Request Filename %{REQUEST_FILENAME}',\
   msg:'Wordpress hardening: denied access to ^/wp-json$',\
   setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

tests/regression/wordpress-hardening-plugin/9522102.yaml

@@ -6,7 +6,7 @@ meta:
   name: 9522102.yaml
 tests:
   - test_title: 9522102
-    desc: Test if xmlrpc.php is blocked
+    desc: Test if xmlrpc.php is not blocked (default)
     stages:
       - stage:
           input:

tests/regression/wordpress-hardening-plugin/9522104.yaml

@@ -6,7 +6,7 @@ meta:
   name: 9522104.yaml
 tests:
   - test_title: 9522104-1
-    desc: Test if user enumeration is blocked
+    desc: Test if user enumeration is blocked (default)
     stages:
       - stage:
           input:
@@ -23,7 +23,7 @@ tests:
           output:
             log_contains: id "9522104"
   - test_title: 9522104-2
-    desc: Test if user enumeration is blocked
+    desc: Test if user enumeration is blocked, with caps
     stages:
       - stage:
           input:
@@ -91,7 +91,7 @@ tests:
           output:
             log_contains: id "9522104"
   - test_title: 9522104-6
-    desc: Test if user enumeration is blocked
+    desc: Test if user enumeration is blocked through alternative route
     stages:
       - stage:
           input:

tests/regression/wordpress-hardening-plugin/9522111.yaml

@@ -6,7 +6,7 @@ meta:
   name: 9522111.yaml
 tests:
   - test_title: 95222111
-    desc: Test if wp-cron.php works
+    desc: Test if wp-cron.php is not blocked (default)
     stages:
       - stage:
           input:

tests/regression/wordpress-hardening-plugin/9522200.yaml

@@ -0,0 +1,126 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522200.yaml
+tests:
+  - test_title: 9522200-1
+    desc: Test if php in the plugins directory is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/plugins/modsecurity/modsecurity.php
+            data: |
+              text
+          output:
+            log_contains: id "9522200"
+  - test_title: 9522200-2
+    desc: Test if /wp-includes/*.php is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-includes/wp-db.php
+            data: |
+              text
+          output:
+            log_contains: id "9522200"
+  - test_title: 9522200-3
+    desc: Test if /index.php is working
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /index.php
+            data: |
+              text
+          output:
+            no_log_contains: id "9522200"
+  - test_title: 9522200-4
+    desc: Test if /wp-admin/admin-ajax.php is working
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-admin/admin-ajax.php
+            data: |
+              text
+          output:
+            no_log_contains: id "9522200"
+  - test_title: 9522200-5
+    desc: Test if wp-cron is working
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-cron.php
+            data: |
+              text
+          output:
+            no_log_contains: id "9522200"
+  - test_title: 9522200-6
+    desc: Test if xmlrpc is working
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /xmlrpc.php
+            data: |
+              text
+          output:
+            no_log_contains: id "9522200"
+  - test_title: 9522200-7
+    desc: Test if wp-login.php is working
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-login.php
+            data: |
+              text
+          output:
+            no_log_contains: id "9522200"