Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fps with id, wp_referer, nav menus and static files #36

Merged
merged 8 commits into from
Apr 4, 2024
Merged

fix: fps with id, wp_referer, nav menus and static files #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8862753
fix: fps with id, wp_referer, nav menus and static files
EsadCetiner Mar 10, 2024
5359e9d
fix: linting errors
EsadCetiner Mar 10, 2024
f3eaaf2
fix: attempt to fix failing tests
EsadCetiner Mar 10, 2024
9a64c79
fix: failing tests
EsadCetiner Mar 10, 2024
d3ddb82
fix: failing tests
EsadCetiner Mar 10, 2024
e20db20
fix: make tests a bit clearer
EsadCetiner Mar 10, 2024
85fc4a6
fix: revert previous commit
EsadCetiner Mar 10, 2024
9bc3a9e
perf: remove unnecessary rules
EsadCetiner Mar 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 35 additions & 2 deletions plugins/wordpress-rule-exclusions-before.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -508,31 +508,54 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecRule REQUEST_FILENAME "@unconditionalMatch" \
"id:9507600,\
phase:2,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932236;ARGS:nonce,\
ctl:ruleRemoveTargetById=942450;ARGS:nonce,\
ctl:ruleRemoveTargetById=932236;ARGS:ver,\
ctl:ruleRemoveTargetById=942450;ARGS:ver,\
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920273;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942430;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932370;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
ver:'wordpress-rule-exclusions-plugin/1.0.1'"

# The ID variable is used all over wordpress
SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
"id:9507601,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932236;ARGS_NAMES:id,\
ctl:ruleRemoveTargetById=932236;ARGS_NAMES:ids,\
ver:'wordpress-rule-exclusions-plugin/1.0.1'"

#
Expand Down Expand Up @@ -604,16 +627,22 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
ctl:ruleRemoveTargetById=932200;ARGS,\
ctl:ruleRemoveTargetById=932150;ARGS,\
ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
ctl:ruleRemoveTargetById=920273;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=931130;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=932200;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=932240;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942370;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"
ctl:ruleRemoveTargetById=942432;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data,\
ctl:ruleRemoveTargetById=942520;ARGS:nav-menu-data"

# Edit text widgets (can contain custom HTML)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
Expand Down Expand Up @@ -931,6 +960,10 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
ctl:ruleRemoveTargetById=942430;ARGS:load[chunk_1],\
ctl:ruleRemoveTargetById=942431;ARGS:load[chunk_1],\
ctl:ruleRemoveTargetById=942432;ARGS:load[chunk_1],\
ctl:ruleRemoveTargetById=932236;ARGS:load[chunk_2],\
ctl:ruleRemoveTargetById=942430;ARGS:load[chunk_2],\
ctl:ruleRemoveTargetById=942431;ARGS:load[chunk_2],\
ctl:ruleRemoveTargetById=942432;ARGS:load[chunk_2],\
ctl:ruleRemoveTargetById=920100;REQUEST_LINE,\
ver:'wordpress-rule-exclusions-plugin/1.0.1'"

Expand Down
129 changes: 129 additions & 0 deletions tests/regression/wordpress-rule-exclusions-plugin/9507600.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
---
meta:
author: "Esad Cetiner"
description: "Wordpress Rule Exclusions Plugin"
enabled: true
name: 9507600.yaml
tests:
- test_title: 9507600-1
desc: Creating a new user account
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /wp-admin/user-edit.php?user_id=9&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dadd%26id%3D9
output:
no_log_contains: id "932236"
- test_title: 9507600-2
desc: Deleteing a user account
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
content-type: application/x-www-form-urlencoded
port: 80
method: POST
uri: /wp-admin/users.php?s=&_wpnonce=random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
output:
no_log_contains: |
id "(?:920230|942430|942431|942432)"
- test_title: 9507600-3
desc: Disable 932236 for randomly generated nonce
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&_wpnonce=lsrandom&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
output:
no_log_contains: id "932236"
- test_title: 9507600-4
desc: Disable 942450 for randomly generated nonce
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&_wpnonce=0x0800random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
output:
no_log_contains: id "942450"
- test_title: 9507600-5
desc: Disable 932236 for randomly generated nonce
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&nonce=lsrandom
output:
no_log_contains: id "932236"
- test_title: 9507600-6
desc: Disable 942450 for randomly generated nonce
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&nonce=0x0800random
output:
no_log_contains: id "942450"
- test_title: 9507600-7
desc: Requesting a static file with randomly generated version
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&ver=lsrandom
output:
no_log_contains: id "932236"
- test_title: 9507600-8
desc: Requesting a static file with randomly generated version
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-admin/users.php?s=&ver=0x0800random
output:
no_log_contains: id "942450"