owasp-modsecurity-crs
RCE detection bypass at PL1
The following bypass was posted on Twitter.
{ 1 }; ;+$u+cat+/etc$u/passwd$u
{ 2 }; ;+$u+cat+/etc$u/passwd+\#
https://twitter.com/spyerror/status/1162826904833089541?s=19
According to @franbuehler, this passes on PL1, but is being detected on PL2.
Type of Issue
RCE rule detection bypass
Description
See above.
Your Environment
CRS 3.1
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
First command gets the following scores:
individual paranoia level scores: 0, 13, 11, 13
Second command:
individual paranoia level scores: 0, 18, 11, 13
This evasion technique (and several others) can be defeated with the t:bash transformation - see https://www.approach.be/en/modsecurity.html
If only it would be merged ...
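The empty-variable trick behind the two payloads, worked through as an added example. This is not CRS code and not the t:bash implementation linked above; the signature regex, the normalization steps and the sample payloads (the issue's two payloads, form-encoded as they would arrive in a query string) are constructed here to show why a literal PL1 pattern misses `/etc$u/passwd` and why a shell-aware normalization step recovers it:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the two form-encoded payloads from the issue, as they
# would arrive in a query string ('+' encodes a space).
PAYLOADS = [
    ";+$u+cat+/etc$u/passwd$u",
    ";+$u+cat+/etc$u/passwd+\\#",
]

# Hypothetical signature standing in for a PL1 command-injection regex that
# expects the command and its argument to appear verbatim.
RCE_SIGNATURE = re.compile(r"\bcat\s+/etc/passwd\b")

# Matches $name and ${name}. An unset variable expands to nothing in bash, so
# "/etc$u/passwd" is "/etc/passwd" to the shell but not to a literal regex.
_VAR_REF = re.compile(r"\$(?:\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)")


def decode(payload: str) -> str:
    """Plain URL decoding, the step a default CRS transformation chain already does."""
    return unquote_plus(payload)


def bash_normalize(cmd: str) -> str:
    """Assumed bash normalization (not the real t:bash): rewrite the input into
    the form the shell would execute, so a signature written against the plain
    command still matches. It deliberately over-approximates: variables that
    might be set are stripped too, which is fine for a detection transform.
    """
    # 1. Drop variable references: the attacker relies on them being empty.
    cmd = _VAR_REF.sub("", cmd)
    # 2. Drop empty quoted strings ('' and ""), another no-op to the shell.
    cmd = re.sub(r"''|\"\"", "", cmd)
    # 3. Resolve backslash escapes: \# is a literal '#', \w is 'w', and so on.
    cmd = re.sub(r"\\(.)", r"\1", cmd)
    # 4. Collapse the whitespace runs left behind by the removals.
    return re.sub(r"\s+", " ", cmd).strip()


def detected(cmd: str) -> bool:
    """True when the (hypothetical) PL1 signature fires on the given string."""
    return RCE_SIGNATURE.search(cmd) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        raw = decode(p)
        norm = bash_normalize(raw)
        print(f"raw={raw!r} detected={detected(raw)}")
        print(f"normalized={norm!r} detected={detected(norm)}")
```

The normalizer is only safe as a pre-match transformation: stripping every `$name` would be wrong for anything that has to reproduce the real command, but for a signature it only ever makes the input look more like what the shell would run, which is the property the stricter PL2 rules get by matching on fragments instead.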
IIRC we already talked about that in a meeting (refer to https://www.secjuice.com/web-application-firewall-waf-evasion/). If you agree, I would try to catch this bypass technique in PL1.
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days.
still in progress...