[draft] Add vpatch-CVE-2023-30625 rule and test
The detection rule for CVE-2023-30625 targets SQL Injection vulnerabilities in Rudder Server versions before 1.3.0-rc.1. The rule specifically looks for patterns in the BODY_ARGS where the source_id parameter is manipulated to close off the SQL statement and comment out the rest, which is a common SQL injection technique. The regex used ("source_id.*';.*--") is designed to catch any manipulation that closes the SQL statement (';) and comments out the remaining part of the query (--). This pattern is indicative of an attempt to inject SQL commands, which could lead to unauthorized database access or code execution, especially given the superuser permissions of the rudder role in PostgreSQL by default.
The test configuration and nuclei test are set up to simulate an attack using the detected pattern, ensuring that the rule triggers correctly when such an attack is attempted. The test expects a 403 status code, indicating that the request was blocked by the WAF.
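To show how the quoted regex behaves against request bodies, here is an added Python model (not code from the hub, from CrowdSec, or from this PR) that applies it to a few constructed form-encoded bodies and returns the status the nuclei test expects. How the AppSec engine actually extracts and feeds BODY_ARGS to the regex is not modelled; joining each decoded argument as `name=value` is an assumption made here.

```python
"""Simplified model of the vpatch-CVE-2023-30625 AppSec rule: run the rule's
regex over decoded form arguments and answer with the status a blocking WAF
would return (403 on a hit, as the test in the PR expects)."""
import re
from urllib.parse import parse_qsl

# Regex exactly as quoted in the PR description.
VPATCH_CVE_2023_30625 = re.compile(r"source_id.*';.*--")


def rule_matches(body: str) -> bool:
    """True if any decoded BODY_ARGS pair, re-joined as name=value, hits the regex.

    Assumption (not from the page): the engine inspects URL-decoded arguments,
    so percent-encoded bodies are decoded before the regex sees them.
    """
    for name, value in parse_qsl(body, keep_blank_values=True):
        if VPATCH_CVE_2023_30625.search(f"{name}={value}"):
            return True
    return False


def waf_status(body: str) -> int:
    """403 when the virtual patch triggers, 200 when the request passes."""
    return 403 if rule_matches(body) else 200


# Constructed sample bodies (not taken from the page), mirroring the
# "close the statement, comment out the rest" shape the rule describes.
SAMPLES = {
    "quote_and_comment": "source_id=abc'; --",       # '; then -- after source_id
    "benign":            "source_id=abc&anonymous_id=xyz",
    "other_param":       "user_id=abc'; --",         # same characters, other parameter
    "url_encoded":       "source_id=abc%27%3B%20--", # decoded by parse_qsl first
}


def run_samples() -> dict:
    """Map each sample name to the status the modelled WAF returns."""
    return {name: waf_status(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:18s} -> {status}")
```

Only the bodies that carry both `';` and `--` after a `source_id` argument are blocked; the same characters under another parameter name pass, which is the scope the rule's regex sets.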
Hello @crowdsec-automation and thank you for your contribution!
:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:
:red_circle: crowdsecurity/vpatch-CVE-2023-30625 :red_circle:
Hello @crowdsec-automation,
Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
waiting on https://github.com/crowdsecurity/coraza/pull/8/files