About the "HaE Public Rules" Submission Campaign
Background
To better serve open-source users, the HaE project is launching an "HaE Public Rules" submission campaign. Everyone is welcome to tune and improve the existing public rules, or to submit new rules that are general-purpose and proven in real-world use.
Details
Duration: July 2022 to December 2022
How to participate: post your submission as a comment on this issue
Rewards: 10 RMB red packet for a tuned or improved rule; 20 RMB red packet for a general-purpose, field-tested rule
Reviewers: key, 0chencc, and members of the OverSpace security team
Submission Template
Submissions use HaE's rule fields; remember to wrap them in backticks.
Rule description: matches applications built on the Shiro framework
```
Name: Shiro
Regex: (=deleteMe|rememberMe=)
Color: green
Scope: any
Engine: dfa
Sensitive: true
```
Test data:
```
rememberMe=deleteMe
```
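As an added illustration (not HaE's own code), the following Python sketch shows how the template fields behave: `Regex` is compiled with case sensitivity controlled by `Sensitive`, and `Scope` selects the part of the HTTP message the pattern runs over; the header/body split, the rule dictionaries and the sample response are assumptions constructed for this example.

```python
import re

# Constructed rules written in the thread's template format; this is an added
# illustration, not HaE's own loader or matching engine.
RULES = [
    {"name": "Shiro", "regex": r"(=deleteMe|rememberMe=)",
     "scope": "any", "sensitive": True},
    {"name": "APISIX", "regex": r"(Server: APISIX)",
     "scope": "response header", "sensitive": True},
]

def select_scope(raw, scope):
    """Return the part of an HTTP message a rule's scope applies to.

    'any' covers the whole message; '... header' and '... body' are split
    at the first blank line (assumed semantics for this example).
    """
    head, _, body = raw.partition("\r\n\r\n")
    if scope.endswith("header"):
        return head
    if scope.endswith("body"):
        return body
    return raw

def match_rule(rule, raw):
    """Run one rule; sensitive=False means case-insensitive matching."""
    flags = 0 if rule["sensitive"] else re.IGNORECASE
    pattern = re.compile(rule["regex"], flags)
    target = select_scope(raw, rule["scope"])
    return [m.group(0) for m in pattern.finditer(target)]

def run_rules(rules, raw):
    """Map rule name -> matches, keeping only rules that fired."""
    hits = {}
    for rule in rules:
        found = match_rule(rule, raw)
        if found:
            hits[rule["name"]] = found
    return hits

# Constructed response: APISIX header plus a Shiro cookie; the body mentions
# APISIX too, which the 'response header' scope must ignore.
RESPONSE = (
    "HTTP/2 200 OK\r\n"
    "Server: APISIX/2.12.1\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/\r\n"
    "\r\n"
    "<p>Server: APISIX is also mentioned in the body</p>"
)

if __name__ == "__main__":
    print(run_rules(RULES, RESPONSE))
```

Note that the template's two alternatives overlap on the `=`, so `rememberMe=deleteMe` yields a single match rather than two, and a character class such as `[c|C]` in several submissions below also matches a literal `|`; alternation belongs outside the brackets (`[cC]`).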

Grabbing a front-row seat.
```
color: red
engine: dfa
name: 企业微信密钥
regex: ([c|C]or[p|P]id|[a|A]pp[S|s]ecret|[c|C]orp[s|S]ecret)
scope: any
sensitive: true
```
Test data
None yet. The accuracy of the detected parameter names corpid, appsecret and corpsecret is unknown; there are no real-world hits to back it up.
@sv3nbeast Test data desensitized from information found on GitHub:
```
{"corpid":"wwc830525c5b018fe1", "corpsecret":"dCSk9_GdaaakC6RcVjVRO1BlLne-JPcgUrDiQS5JBbC"}
```
Since appsecret is very common and has no distinctive feature, that alternative is removed; the regex becomes:
```
([c|C]or[p|P]id|[c|C]orp[s|S]ecret)
```
The complete rule is changed to:
```
color: green
engine: dfa
loaded: true
name: WeCom Key
regex: ([c|C]or[p|P]id|[c|C]orp[s|S]ecret)
scope: any
sensitive: true
```
HaE test screenshot:
In summary, this rule is accepted. Please contact me on WeChat to receive the reward (20 RMB). Thanks again.
WeChat Mini Program SessionKey
```
color: green
engine: nfa
loaded: true
name: SessionKey
regex: ([S|s]ession[ _-]?[K|k]ey)
scope: any
sensitive: true
```
Test data
```
session_key
sessionKey
Sessionkey
Session-key
Session_key
```
@Yoga7xm The WeChat Mini Program SessionKey rule is too generic and has no distinctive fingerprint, so it would likely produce many false positives in practice. Not accepted for now; thanks for the submission.
Rule description: matches F5 load balancers
```
Name: F5-BIGIP
Regex: (BIG-IP|F5_ST|F5_HT|F5_fullWT|BigIP|BIGipServerpool|F5LTM|BIGipServer|BIGip)
Color: green
Scope: any
Engine: dfa
Sensitive: true
```
Test data
```
Server: BIG-IP
Server: BigIP
Server: F5LTM
Set-Cookie:F5_HT_shrinked=
Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000
```
HaE test screenshot:

By the way, could one of the masters above tell me what that markinfo in the response is...
Rule description: matches applications served through Apache APISIX
```
Name: APISIX
Regex: (Server: APISIX)
Color: blue
Scope: response header
Engine: nfa
Sensitive: true
```
Test data:
```
HTTP/2 200 OK
Date: Thu, 28 Jul 2022 05:55:46 GMT
Content-Type: text/plain; charset=utf-8
Server: APISIX/2.12.1
```

URL Redirect
```
engine: nfa
loaded: true
name: URL Redirect
regex: ([\?|&](redirect|reference|return|refix|readfile|redirect_to|redirect_url|returnto|register|returnurl|redirecturi|redir|returl|redirecturl|redirect_uri|redirect_url)=.*)
scope: any
sensitive: false
```
Matched data
```
(?|&)redirect=
(?|&)reference=
(?|&)return=
(?|&)refix=
(?|&)readfile=
(?|&)redirect_to=
(?|&)redirect_url=
(?|&)returnto=
(?|&)register=
(?|&)returnurl=
(?|&)redirecturi=
(?|&)redir=
(?|&)returl=
(?|&)redirecturl=
(?|&)redirect_uri=
(?|&)redirect_url=
```
LFI
```
- color: yellow
  engine: nfa
  loaded: true
  name: LFI
  regex: ([\?|&]((filename=)|(filepath=)|(inputfile=)|(readfile=)|(download=)|(file=))(.*))
  scope: any
  sensitive: false
```
Matched data
```
(?|&)filename=
(?|&)filepath=
(?|&)inputfile=
(?|&)readfile=
(?|&)download=
(?|&)file=
```
```
- color: green
  engine: nfa
  loaded: true
  name: Secret Key OR Private API
  regex: (access_key|access_token|SecretKey|SecretId|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot - files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25}[a-z0-9A-Z_ .\-,]{0,25}(=|>|:=|\||:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{6,64})['\"]
  scope: response body
  sensitive: true
```
Matched data
Could I ask the maintainer whether a case-insensitive matching option could be added?
```
access_key="123p123123123123123123123 ncklasdnkn1jk3bn1jk2bjkab fkasb djknaskdjlqk asdml;asmdl;asddqw3kpo12jm3 access_key="1asdnasjkd-ansdklnaskldnaksdqwek-djknaskdjlqk"amazon_secret_access_key="ASDJIOQWJIOEJIWOQE-daknsdklnkQ123123-31233" password="123123nkqwekjl123hj1i2h3io12h3ih12io3ihdbfjbdjmklmnklnsdklasd"admaklsndklansdklqw "password"='12312j3iojsiodhiwqhueighiquwgeiudskfjaamazon_secret_access_key="ASDJIOQWJIOEJIWOQE-daknsdklnkQ123123-31233"sopdjaopdjkas,12312'qwmelqwjmekl;qjwieojqw,
```

@jinjiao070 Thanks for the submission. Add me on WeChat (decode): RVZJTENIRU5fXw== to claim your red packet.
@DF2L The Apache APISIX rule is fairly simple, and that header is obvious by eye anyway. Thanks for the submission; not accepted for now.
@sakura404x The URL Redirect rule already exists in the current rule set as Url As Value, though we may consider adding more parameter names to that rule later; for the LFI rule let's chat on WeChat. Thanks for the submission; please add me on WeChat (decode): RVZJTENIRU5fXw== to claim your red packet.
@weujieytt First of all, thanks for submitting the rule, but much of its content conflicts with or duplicates HaE's existing rules. Also, HaE already supports choosing whether matching is case-sensitive; the Sensitive field is exactly for that. So thanks for the submission, but it is not accepted for now (you might compare it against the HaE public rule library and deduplicate).
@weujieytt I ran into similar rules in recent real-world work, so I plan to extract some of the generic ones; all things considered, your rule is accepted. Add me on WeChat and I'll send you the red packet~
haha, thanks key
This campaign ended on 5 December 2022 with 3 rules successfully accepted. Thank you all for your attention and support; the campaign is now closed~