diff --git a/example/main.go b/example/main.go index 04c4d7b..d832601 100644 --- a/example/main.go +++ b/example/main.go @@ -3,7 +3,6 @@ package main import ( "fmt" - "github.com/corazawaf/coraza-coreruleset" coreruleset "github.com/corazawaf/coraza-coreruleset" "github.com/corazawaf/coraza/v3" ) diff --git a/magefile.go b/magefile.go index 4717bf6..04f23a6 100644 --- a/magefile.go +++ b/magefile.go @@ -23,11 +23,18 @@ import ( func DownloadCRS() error { rulesDir := "rules" rulesDstDir := rulesDir + "/@owasp_crs" - if err := os.MkdirAll(rulesDstDir, os.ModePerm); err != nil { + testsDir := "tests" + + // Before downloading, we need to remove: + // - old rules under rules/@owasp_crs + // - all the related tests + if err := cleanupOldCRS(rulesDstDir, testsDir); err != nil { return err } - testsDir := "tests" + if err := os.MkdirAll(rulesDstDir, os.ModePerm); err != nil { + return err + } uri := fmt.Sprintf("https://github.com/coreruleset/coreruleset/archive/%s.zip", crsVersion) @@ -158,6 +165,29 @@ func copyFile(f *zip.File, dstPath string) error { return nil } +func cleanupOldCRS(rulesDstDir, testsDir string) error { + if err := os.RemoveAll(rulesDstDir); err != nil { + return err + } + if err := filepath.WalkDir(testsDir, func(path string, d os.DirEntry, err error) error { + if err != nil { + return err + } + + // tests folder contains go files related to the coraza-coreruleset repo that we don't want to remove + if d.Name() != "tests.go" && d.Name() != "tests_test.go" && path != testsDir { + if err := os.RemoveAll(path); err != nil { + return err + } + return filepath.SkipDir + } + return nil + }); err != nil { + return err + } + return nil +} + func Test() error { return sh.RunV("go", "test", "./...") } diff --git a/rules/@owasp_crs/crawlers-user-agents.data b/rules/@owasp_crs/crawlers-user-agents.data deleted file mode 100644 index 25bd827..0000000 --- a/rules/@owasp_crs/crawlers-user-agents.data +++ /dev/null 
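Review bot: In the WalkDir callback of cleanupOldCRS, `filepath.SkipDir` is returned after removing a regular file as well as after removing a directory; for a non-directory entry WalkDir interprets SkipDir as "skip the remaining entries of the containing directory", so any stray file directly under tests/ that sorts before the REQUEST-* directories would be deleted and then silently end the cleanup of every later sibling, leaving stale test files next to the freshly downloaded ones. Return SkipDir only for directories: `if d.IsDir() { return filepath.SkipDir }` followed by `return nil`. The new function also lacks a doc comment; something like `// cleanupOldCRS deletes rulesDstDir and everything under testsDir except tests.go and tests_test.go, so a fresh CRS download does not leave stale rules or tests behind.` would state the allowlist where a maintainer will look for it, and a one-line note in DownloadCRS that the cleanup runs before the download (a failed download now leaves the repository without rules until it is rerun) would help too. The rest of DownloadCRS lies outside the hunk.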
@@ -1,34 +0,0 @@ -# Search engine crawlers and other bots -# crawler -# https://80legs.com/ -80legs -# scraping framework -# https://ache.readthedocs.io/en/latest/ -# User-Agent: (Mozilla/5.0 (compatible; ACME/VERSION; +OPERATOR_CONTACT_URL; +OPERATOR_CONTACT_EMAIL) -ACHE/ -# SEO -AhrefsBot -black widow -blackwidow -CensysInspect -colly - -crawler4j -grapeFX -GrapeshotCrawler/2.0 -heritrix/ -Krzana bot -Lingewoud-550-Spyder -Mechanize -MJ12bot -NutchCVS/ -Owlin bot -PiplBot -prowebwalker -pymills-spider/ -pyspider/ -rogerbot -SearchmetricsBot -SemrushBot -seoscanners.net -Scrapy/ -Wappalyzer diff --git a/rules/@owasp_crs/scanners-headers.data b/rules/@owasp_crs/scanners-headers.data deleted file mode 100644 index f87c667..0000000 --- a/rules/@owasp_crs/scanners-headers.data +++ /dev/null @@ -1,8 +0,0 @@ -acunetix-product -(acunetix web vulnerability scanner -acunetix-scanning-agreement -acunetix-user-agreement -myvar=1234 -x-ratproxy-loop -bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14 -x-scanner diff --git a/rules/@owasp_crs/scanners-urls.data b/rules/@owasp_crs/scanners-urls.data deleted file mode 100644 index 768049e..0000000 --- a/rules/@owasp_crs/scanners-urls.data +++ /dev/null @@ -1,17 +0,0 @@ -/.adSensepostnottherenonobook -/hello.html -/actSensepostnottherenonotive -/acunetix-wvs-test-for-some-inexistent-file -/antidisestablishmentarianism -/appscan_fingerprint/mac_address -/arachni- -/cybercop -/nessus_is_probing_you_ -/nessustest -/netsparker- -/rfiinc.txt -/thereisnowaythat-you-canbethere -/w3af/remotefileinclude.html -appscan_fingerprint -w00tw00t.at.ISC.SANS.DFind -w00tw00t.at.blackhats.romanian.anti-sec diff --git a/rules/@owasp_crs/scripting-user-agents.data b/rules/@owasp_crs/scripting-user-agents.data deleted file mode 100644 index 3b68952..0000000 --- a/rules/@owasp_crs/scripting-user-agents.data +++ /dev/null 
@@ -1,27 +0,0 @@ -# Generic HTTP clients (popular libraries) - -# http library -# https://docs.aiohttp.org/en/stable/ -# User-Agent: Python/VERSION aiohttp/VERSION -aiohttp/ - -# http library -# http://search.cpan.org/~opera/HTTP-DAV/DAV.pm -dav.pm/v -Go http package -Go 1.1 package http -Go-http-client/ -libwww-perl -mozilla/4.0 (compatible) -mozilla/4.0 (compatible; msie 6.0; win32) -mozilla/5.0 sf/ -mozilla/5.0 sf// -python-httplib2 -python-httpx/ -python-requests -Python-urllib -typhoeus -winhttp.winhttprequest -unirest-java/ -scalaj-http/ -http4s-ember diff --git a/tests/REQUEST-913-SCANNER-DETECTION/913101.yaml b/tests/REQUEST-913-SCANNER-DETECTION/913101.yaml deleted file mode 100644 index 31ea01c..0000000 --- a/tests/REQUEST-913-SCANNER-DETECTION/913101.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -meta: - author: airween - description: None - enabled: true - name: 913101.yaml -tests: - - test_title: 913101-1 - desc: "Scripting/generic user agents test" - stages: - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: "localhost" - User-Agent: "libwww-perl" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - method: GET - uri: / - version: HTTP/1.0 - output: - log_contains: id "913101" - - test_title: 913101-2 - desc: "Scripting/generic user agents negative test" - stages: - - stage: - input: - dest_addr: "127.0.0.1" - port: 80 - headers: - Host: "localhost" - User-Agent: "OWASP CRS test agent" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - method: GET - uri: / - version: HTTP/1.0 - output: - no_log_contains: id "913101" diff --git a/tests/REQUEST-913-SCANNER-DETECTION/913102.yaml b/tests/REQUEST-913-SCANNER-DETECTION/913102.yaml deleted file mode 100644 index 8294f7f..0000000 --- a/tests/REQUEST-913-SCANNER-DETECTION/913102.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -meta: - author: airween - description: "Crawler User-Agents test - this test does not need any negative case" - enabled: true - name: 913102.yaml -tests: - - test_title: 913102-1 - desc: "Crawler User-Agents test" - stages: - - stage: - input: - dest_addr: 127.0.0.1 - port: 80 - headers: - Host: "localhost" - User-Agent: "blackwidow" - Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" - method: GET - uri: / - version: HTTP/1.0 - output: - log_contains: id "913102" diff --git a/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml b/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml deleted file mode 100644 index 778a1c0..0000000 --- a/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -meta: - author: csanders-git - description: None - enabled: true - name: 913110.yaml -tests: - - test_title: 913110-1 - desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION) - Host: localhost - Keep-Alive: '300' - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: / - version: HTTP/1.0 - output: - log_contains: id "913110" - - test_title: 913110-2 - desc: "Scanner identification based on custom header" - stages: - - stage: - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - Host: "localhost" - X-Scanner: "whatever" - uri: "/" - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - output: - log_contains: id "913110" 
diff --git a/tests/REQUEST-913-SCANNER-DETECTION/913120.yaml b/tests/REQUEST-913-SCANNER-DETECTION/913120.yaml deleted file mode 100644 index 4b2bf74..0000000 --- a/tests/REQUEST-913-SCANNER-DETECTION/913120.yaml +++ /dev/null @@ -1,57 +0,0 @@ ---- -meta: - author: csanders-git - description: None - enabled: true - name: 913120.yaml -tests: - - test_title: 913120-1 - desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip,deflate - Accept-Language: en-us,en;q=0.5 - Host: localhost - Keep-Alive: '300' - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /nessustest - version: HTTP/1.0 - output: - log_contains: id "913120" - - test_title: 913120-2 - desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132) - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - User-Agent: "OWASP CRS test agent" - Host: localhost - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: /AppScan_fingerprint/MAC_ADDRESS_01234567890.html?9ABCDG1 - version: HTTP/1.0 - output: - log_contains: id "913120" - - test_title: 913120-3 - desc: "Scanner identification based on uri" - stages: - - stage: - input: - dest_addr: "127.0.0.1" - method: "GET" - port: 80 - headers: - Host: "localhost" - version: HTTP/1.0 - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - uri: "/nessus_is_probing_you_" - output: - log_contains: id "913120" diff --git a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932115.yaml b/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932115.yaml deleted file mode 100644 index 95abd00..0000000 
--- a/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932115.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ ---- -meta: - author: Franziska Buehler - description: Windows shell command injections - enabled: true - name: 932115.yaml -tests: - - test_title: 932115-1 - desc: | - Windows shell command injection with 'sort': view=image.jpg%26sort < file.txt - Match input redirection to sort - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /?view%3Dimage.jpg%26sort%20%3C%20file.txt - version: HTTP/1.0 - output: - log_contains: id "932115" - - test_title: 932115-2 - desc: | - Windows shell command injection with 'sort': view=image.jpg%26sort /r file.txt - Match sort with normal argument - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /?view%3Dimage.jpg%26sort%20%2Fr%20file.txt - version: HTTP/1.0 - output: - log_contains: id "932115" - - test_title: 932115-3 - desc: | - Windows shell command injection with 'sort': view=image.jpg%26sort/r file.txt - Match sort with argument without preceding space - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /?view%3Dimage.jpg%26sort%2Fr%20file.txt - version: HTTP/1.0 - output: - log_contains: id "932115" - - test_title: 932115-4 - desc: | - Windows shell command injection with 'sort': view=image.jpg%26sort /r file.txt - Match sort with argument with multiple preceding space - stages: - - stage: - input: - 
dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /?view%3Dimage.jpg%26sort%20%20%2Fr%20file.txt - version: HTTP/1.0 - output: - log_contains: id "932115" - - test_title: 932115-5 - desc: | - Windows shell command injection with 'sort' (false positive): sort%3Dex%26sortdir%3Dascending - Do not match query parameter - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /www/delivery/lg.php?bannerid=18&campaignid=1&zoneid=4&loc=https%3A%2F%2Fwww.example.com%2Ffoo%2Fbar%2Fx-x%2Fx%3Fs%3D2014-11-01%26e%3D2020-10-31%26ex%3D7%26page%3D1%26sort%3Dex%26sortdir%3Ddescending&referer=https%3A%2F%2Fwww.example.com%2Ffoo%2Fbar%2Fx-x%2Fx%3Fs%3D2014-11-01%26e%3D2020-10-31%26ex%3D7%26page%3D1%26sort%3Dex%26sortdir%3Dascending&cb=7de91ea349 - version: HTTP/1.0 - output: - no_log_contains: id "932115" - - test_title: 932115-6 - desc: | - Windows shell command injection with 'sort' (false positive): sort%3D0 - Do not match encoded path - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Host: localhost - Proxy-Connection: keep-alive - User-Agent: "OWASP CRS test agent" - method: GET - port: 80 - uri: /url%2Fbla%3Ftest%3D1%26sort%3D0 - version: HTTP/1.0 - output: - no_log_contains: id "932115" - - test_title: 932115-7 - desc: "Windows shell command injection using 'type'" - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - method: POST - port: 80 - uri: "/" - data: "var=test@coreruleset.org\"|type %SYSTEMROOT%\\win.ini" - version: HTTP/1.0 - output: - log_contains: id "932115" - - test_title: 932115-8 - desc: Windows Command Injection bypass with time - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip, deflate, br - Accept-Language: en-us,en;q=0.5 - method: GET - port: 80 - uri: "/?foo=time+tracert" - version: HTTP/1.1 - output: - log_contains: "id \"932115\"" - - test_title: 932115-9 - desc: Windows Command Injection bypass with time negative test - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip, deflate, br - Accept-Language: en-us,en;q=0.5 - method: GET - port: 80 - uri: "/?foo=time+warner+" - version: HTTP/1.1 - output: - no_log_contains: "id \"932115\"" - - test_title: 932115-10 - desc: Windows Command Injection test for BB finding 935E1D91 - evasion attempt - stages: - - stage: - input: - dest_addr: 127.0.0.1 - headers: - Host: localhost - User-Agent: "OWASP CRS test agent" - Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 - Accept-Encoding: gzip, deflate, br - Accept-Language: en-us,en;q=0.5 - method: GET - port: 80 - uri: "/?foo=ti^me+tracert" - version: HTTP/1.1 - output: - log_contains: "id \"932115\""