Add vpatch-CVE-2020-8656 rule and test

Open crowdsec-automation opened this issue 2 months ago • 7 comments

This rule targets SQL injection attempts in the EyesOfNetwork getApiKey endpoint (CVE-2020-8656). The detection logic is as follows:

  • The first rule block matches requests to the /eonapi/getApiKey endpoint by checking if the URI contains this path, using a lowercase transform for normalization.
  • The second rule block inspects the username query parameter for the presence of a single quote ('), which is a common SQL injection metacharacter. Both lowercase and urldecode transforms are applied to ensure the match is case-insensitive and works even if the payload is URL-encoded.
  • The rule avoids matching on the full SQLi payload to reduce false negatives and instead focuses on the minimal, reliable indicator of SQLi attempts.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.
  • The test nuclei template is reduced to a single request and only checks for a 403 response, as per the guidelines.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex where applicable.

crowdsec-automation, Oct 15 '25 14:10
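A small Python model of the two rule blocks described in the post above, added here as an illustration; it is not the rule from the pull request and not CrowdSec's engine code. The function names, the sample request targets, and the choice to match block 1 against the path component are assumptions.

```python
from urllib.parse import urlsplit, unquote

ENDPOINT = "/eonapi/getapikey"  # lowercase value, as the checklist requires
PARAM = "username"              # query parameter inspected by the second block
NEEDLE = "'"                    # single quote, the minimal indicator

def raw_query_args(query):
    """Split a raw query string into (name, value) pairs without decoding."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs

def would_block(request_target):
    """Return True when both modelled rule blocks match (403 in the test)."""
    parts = urlsplit(request_target)
    # Block 1: path contains the endpoint after a lowercase transform.
    if ENDPOINT not in parts.path.lower():
        return False
    # Block 2: username contains a quote after lowercase + urldecode.
    for name, value in raw_query_args(parts.query):
        if name == PARAM and NEEDLE in unquote(value.lower()):
            return True
    return False

# Constructed sample request targets (not taken from the pull request).
SAMPLES = [
    "/eonapi/getApiKey?username=admin&other=x",  # no quote
    "/eonapi/getApiKey?username=admin'",         # literal quote
    "/EONAPI/GETAPIKEY?username=admin%27",       # upper-case path, encoded quote
    "/eonapi/getApiKey?other=it%27s",            # quote in a different parameter
    "/login?username=o%27brien",                 # different endpoint
    "/eonapi/getApiKey?username=o%27brien",      # legitimate-looking apostrophe
]

def evaluate_samples():
    """Map each constructed sample to the modelled block decision."""
    return {target: would_block(target) for target in SAMPLES}

if __name__ == "__main__":
    for target, blocked in evaluate_samples().items():
        print("BLOCK" if blocked else "PASS ", target)
```

The last sample shows the trade-off of matching on a lone quote: any `username` value containing an apostrophe is blocked on this endpoint, whether or not it is an injection attempt.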

Hello @crowdsec-automation and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2020-8656 :red_circle:

github-actions[bot], Oct 15 '25 14:10

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 15 '25 14:10

Hello @seemanne,

:white_check_mark: The new VPATCH Rule is compliant, thank you for your contribution!

github-actions[bot], Oct 22 '25 13:10

Hello @seemanne,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 22 '25 13:10

Hello @seemanne,

:white_check_mark: The new VPATCH Rule is compliant, thank you for your contribution!

github-actions[bot], Oct 22 '25 14:10

Hello @seemanne,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 22 '25 14:10

Hello @AlteredCoder,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

github-actions[bot], Oct 22 '25 14:10

closed in favor of https://github.com/crowdsecurity/hub/pull/1569

seemanne, Nov 05 '25 15:11