Walter Hop
I've done some tests with very small injections. Assuming there's a query `select * from user where foo=$foo` with injectable parameter, and I want to retrieve all rows. Then I...
A thing which could be tremendously helpful would be user-defined transformations. The most interesting would probably be a parametrizable regular-expression replace transformation, let's say `t:replace:from:to`. In CRS3, the RCE...
This PR addresses #2699. It will solve false negatives such as `/index.php/%3Csvg/onload=alert()`. I've reviewed our XSS rules, and on first sight, the rules seem specific enough to allow us passing...
### Description We detect PowerShell commands. However, we are not detecting shorthand aliases. Many commands are very verbose, but they have short aliases. The PowerShell function Get-Alias will show the...
Meeting notes of 11 April 2022. # Checks - [x] is #2417 ok? - [x] is #2417 tested on coraza? -> Not yet, will be done during RC1. - [x]...
### Description In #2668, it was shown that PHP variables can be accessed by `$ {` (note the space between the chars). As @theMiddleBlue found, PL1 can be bypassed for...
### Description In #1991, some false positives were found with commonly occurring English words `copy`, `time` and `more`. ``` curl localhost -d "foo=--I think it would; copy should" curl localhost...
### Motivation The reputation rules have been removed from the core. ### Proposed solution Create an optional plugin for GeoIP users.
### Motivation We currently serve the OWASP Juiceshop as a vulnerable application. In August there will be an on-site live hacking event that would include us as a target. We...
### Motivation The reputation rules have been removed from the core. The RBL check is now gone. ### Proposed solution For the users of `@rbl` we can bring it back...