From bab47f1de9f0240b71b9a8eff34b6c13ec226713 Mon Sep 17 00:00:00 2001
From: Ervin Hegedus
Date: Thu, 7 Mar 2019 21:24:31 +0000
Subject: [PATCH 1/2] Hide REQUEST_BODY variable if the CT doesn't allow
---
 src/rule.cc | 58 +-
 src/transaction.cc | 14 +
 .../regression/rule-944120_full.json | 6850 +++++++++++++++++
 3 files changed, 6898 insertions(+), 24 deletions(-)
 create mode 100644 test/test-cases/regression/rule-944120_full.json
diff --git a/src/rule.cc b/src/rule.cc
index 70f281e0ca..36d343e711 100644
--- a/src/rule.cc
+++ b/src/rule.cc
@@ -728,39 +728,49 @@ bool Rule::evaluate(Transaction *trans,
 values = executeDefaultTransformations(trans, value);
 for (const auto &valueTemp : values) {
- bool ret;
+ bool ret = false;
 std::string valueAfterTrans = std::move(*valueTemp.first);
- ret = executeOperatorAt(trans, key, valueAfterTrans, ruleMessage);
+ // REQUEST_BBODY available only in RequestBodyProcessor
+ // https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_BODY
+ // "This variable is available only if the URLENCODED request body processor was used"
+ // assume that the current operator couldn't has any effect
+ if (key != "REQUEST_BODY" ||
+ (key == "REQUEST_BODY" &&
+ trans->m_requestBodyType != Transaction::MultiPartRequestBody &&
+ trans->m_requestBodyType != Transaction::JSONRequestBody &&
+ trans->m_requestBodyType != Transaction::XMLRequestBody)) {
+ ret = executeOperatorAt(trans, key, valueAfterTrans, ruleMessage);
+
+ if (ret == true) {
+ ruleMessage->m_match = m_op->resolveMatchMessage(trans,
+ key, value);
+ for (auto &i : v->m_orign) {
+ ruleMessage->m_reference.append(i->toText());
+ }
- if (ret == true) {
- ruleMessage->m_match = m_op->resolveMatchMessage(trans,
- key, value);
- for (auto &i : v->m_orign) {
- ruleMessage->m_reference.append(i->toText());
- }
+ ruleMessage->m_reference.append(*valueTemp.second);
+ updateMatchedVars(trans, key, valueAfterTrans);
+ executeActionsIndependentOfChainedRuleResult(trans,
+ &containsBlock, ruleMessage);
- ruleMessage->m_reference.append(*valueTemp.second);
- updateMatchedVars(trans, key, valueAfterTrans);
- executeActionsIndependentOfChainedRuleResult(trans,
- &containsBlock, ruleMessage);
+ bool isItToBeLogged = ruleMessage->m_saveMessage;
+ if (m_containsMultiMatchAction && isItToBeLogged) {
+ /* warn */
+ trans->m_rulesMessages.push_back(*ruleMessage);
- bool isItToBeLogged = ruleMessage->m_saveMessage;
- if (m_containsMultiMatchAction && isItToBeLogged) {
- /* warn */
- trans->m_rulesMessages.push_back(*ruleMessage);
+ /* error */
+ if (!ruleMessage->m_isDisruptive) {
+ trans->serverLog(ruleMessage);
+ }
- /* error */
- if (!ruleMessage->m_isDisruptive) {
- trans->serverLog(ruleMessage);
+ RuleMessage *rm = new RuleMessage(this, trans);
+ rm->m_saveMessage = ruleMessage->m_saveMessage;
+ ruleMessage.reset(rm);
 }
- RuleMessage *rm = new RuleMessage(this, trans);
- rm->m_saveMessage = ruleMessage->m_saveMessage;
- ruleMessage.reset(rm);
+ globalRet = true;
 }
-
- globalRet = true;
 }
 }
 delete v;
diff --git a/src/transaction.cc b/src/transaction.cc
index 693bed6b90..02d7b323df 100644
--- a/src/transaction.cc
+++ b/src/transaction.cc
@@ -583,6 +583,8 @@ int Transaction::addRequestHeader(const std::string& key,
 if (keyl == "content-type") {
 std::string multipart("multipart/form-data");
 std::string urlencoded("application/x-www-form-urlencoded");
+ std::string xml("application/xml");
+ std::string json("application/json");
 std::string l = utils::string::tolower(value);
 if (l.compare(0, multipart.length(), multipart) == 0) {
 this->m_requestBodyType = MultiPartRequestBody;
@@ -593,6 +595,18 @@ int Transaction::addRequestHeader(const std::string& key,
 this->m_requestBodyType = WWWFormUrlEncoded;
 m_variableReqbodyProcessor.set("URLENCODED", m_variableOffset);
 }
+
+ if (l.compare(0, xml.length(), xml) == 0) {
+ this->m_requestBodyType = XMLRequestBody;
+ m_variableReqbodyProcessor.set("XML", m_variableOffset);
+ m_requestBodyProcessor = XMLRequestBody;
+ }
+
+ if (l.compare(0, json.length(), json) == 0) {
+ this->m_requestBodyType = JSONRequestBody;
+ m_variableReqbodyProcessor.set("JSON", m_variableOffset);
+ m_requestBodyProcessor = JSONRequestBody;
+ }
 }
 if (keyl == "host") {
diff --git a/test/test-cases/regression/rule-944120_full.json b/test/test-cases/regression/rule-944120_full.json
new file mode 100644
index 0000000000..944eb42b40
--- /dev/null
+++ b/test/test-cases/regression/rule-944120_full.json
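Review bot: The new guard around `executeOperatorAt` in the src/rule.cc hunk skips REQUEST_BODY whenever `m_requestBodyType` is multipart, JSON or XML, but nothing visible here checks that the matching body processor actually ran and parsed the body. `m_requestBodyType` appears to be derived from the request's Content-Type header (see the src/transaction.cc hunks of this patch), so a body that does not match its declared type may never be examined by REQUEST_BODY rules; please confirm, and if so gate on a successful parse or document the trade-off next to the condition. The inner `key == "REQUEST_BODY" &&` is redundant after `key != "REQUEST_BODY" ||`, so the test can read `if (key != "REQUEST_BODY" || (trans->m_requestBodyType != Transaction::MultiPartRequestBody && ... ))`. The comment also needs a wording fix, e.g. `// REQUEST_BODY is only populated for the URLENCODED body processor; skip the operator for parsed body types`. Rule::evaluate starts and ends outside the hunk.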
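Review bot: The XML and JSON branches in the second src/transaction.cc hunk assign `m_requestBodyProcessor` straight from the client-supplied Content-Type, which the visible tail of the urlencoded branch does not do; this lets a request header alone select the body parser, where ModSecurity configurations normally choose it in rules with `ctl:requestBodyProcessor`. The match is also a bare prefix test, `l.compare(0, json.length(), json) == 0`, so any value that merely begins with `application/json` or `application/xml` is classified, and with the rule.cc change in this patch that classification removes REQUEST_BODY from rule evaluation. I would drop the two `m_requestBodyProcessor = ...` lines (or add a comment explaining why the header must override rule configuration) and accept the type only on a full media-type match, e.g. `l.compare(0, json.length(), json) == 0 && (l.size() == json.length() || l[json.length()] == ';' || l[json.length()] == ' ')`. addRequestHeader's body continues outside both hunks.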
@@ -0,0 +1,6850 @@ +[ + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-0", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.clonetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, 
+ "title":"Positive tests for rule 944120 944120-1", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.clonetransformer=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-2", + 
"client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.clonetransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-3", + "client":{ + "ip":"200.249.12.31", + 
"port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.clonetransformer=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-4", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + 
"ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.clonetransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-5", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + 
"request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-6", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-7", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-8", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.clonetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-9", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + 
"http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.clonetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-10", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + 
"test=ProcessBuilder.evil.clonetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-11", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.clonetransformer\"}" + ] + }, + "response":{ + 
"headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-12", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + 
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-13", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + 
"{\"ProcessBuilder.evil.clonetransformer\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-14", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + 
"http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.clonetransformer\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-15", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + 
"Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.clonetransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-16", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + 
"Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.clonetransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-17", + "client":{ + "ip":"200.249.12.31", + 
"port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.forclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-18", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, 
+ "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.forclosure=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-19", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": 
"ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.forclosure" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-20", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.forclosure=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-21", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.forclosure" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-22", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-23", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-24", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-25", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + 
"method":"POST", + "body": [ + "ProcessBuilder.evil.forclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-26", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.forclosure" + ] + }, + "response":{ + 
"headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-27", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.forclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 
22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-28", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.forclosure\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-29", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.forclosure\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-30", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.forclosure\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + 
"response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-31", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; 
name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.forclosure\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-32", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.forclosure\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-33", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.forclosure\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-34", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", 
+ "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.instantiatefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-35", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatefactory=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-36", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.instantiatefactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-37", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.instantiatefactory=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-38", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.instantiatefactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-39", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-40", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-41", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-42", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + 
"method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-43", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatefactory" + ] + }, + 
"response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-44", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.instantiatefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + 
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-45", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.instantiatefactory\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + 
"Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-46", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-47", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}\r", + "-----------------------------thisissparta--" + ] 
+ }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-48", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.instantiatefactory\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-49", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.instantiatefactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-50", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.instantiatefactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-51", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": 
"localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.instantiatetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-52", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + 
"Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatetransformer=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-53", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.instantiatetransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-54", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.instantiatetransformer=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-55", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.instantiatetransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-56", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-57", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-58", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-59", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + 
"method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-60", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.instantiatetransformer" + ] 
+ }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-61", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.instantiatetransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + 
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-62", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.instantiatetransformer\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + 
"Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-63", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-64", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}\r", + "-----------------------------thisissparta--" 
+ ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-65", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.instantiatetransformer\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-66", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.instantiatetransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-67", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.instantiatetransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-68", + "client":{ + "ip":"200.249.12.31", + 
"port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.invokertransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-69", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + 
"port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.invokertransformer=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-70", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": 
"localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.invokertransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-71", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": 
"ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.invokertransformer=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-72", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + 
"Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.invokertransformer" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-73", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-74", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-75", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-76", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + 
"method":"POST", + "body": [ + "ProcessBuilder.evil.invokertransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-77", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.invokertransformer" + ] + }, + 
"response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-78", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.invokertransformer" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + 
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-79", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.invokertransformer\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + 
"Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-80", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-81", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}\r", + "-----------------------------thisissparta--" + ] 
+ }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-82", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.invokertransformer\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-83", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.invokertransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-84", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.invokertransformer\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-85", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": 
"localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.prototypeclonefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-86", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + 
"Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeclonefactory=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-87", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.prototypeclonefactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-88", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.prototypeclonefactory=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-89", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.prototypeclonefactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-90", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-91", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-92", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": 
"en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-93", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + 
"method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeclonefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-94", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeclonefactory" + ] + 
}, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-95", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.prototypeclonefactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + 
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-96", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.prototypeclonefactory\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + 
"Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-97", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-98", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}\r", + "-----------------------------thisissparta--" 
+ ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-99", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.prototypeclonefactory\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-100", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.prototypeclonefactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-101", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.prototypeclonefactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-102", + "client":{ + "ip":"200.249.12.31", + 
"port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.prototypeserializationfactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-103", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + 
"ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeserializationfactory=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-104", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + 
"request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.prototypeserializationfactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-105", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + 
"headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.prototypeserializationfactory=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-106", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": 
"localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.prototypeserializationfactory" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-107", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": 
"ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-108", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-109", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-110", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + 
"Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeserializationfactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-111", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" 
+ }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.prototypeserializationfactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-112", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + 
"test=ProcessBuilder.evil.prototypeserializationfactory" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-113", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": 
\"ProcessBuilder.evil.prototypeserializationfactory\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-114", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}" 
+ ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-115", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-116", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": 
"multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.prototypeserializationfactory\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-117", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": 
"text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.prototypeserializationfactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-118", + "client":{ + 
"ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.prototypeserializationfactory\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-119", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.whileclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-120", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.whileclosure=test" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-121", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "test=ProcessBuilder.evil.whileclosure" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-122", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "Cookie": "ProcessBuilder.evil.whileclosure=test" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-123", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/x-www-form-urlencoded", + "test": "ProcessBuilder.evil.whileclosure" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-124", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-125", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":200 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-126", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "element_value" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-127", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.whileclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-128", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/xml" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "ProcessBuilder.evil.whileclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-129", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "text/plain" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "test=ProcessBuilder.evil.whileclosure" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-130", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"test\": \"ProcessBuilder.evil.whileclosure\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-131", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "application/json" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "{\"ProcessBuilder.evil.whileclosure\": \"test\"}" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." 
+ ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-132", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.whileclosure\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, 
+ "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-133", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: 
form-data; name=\"payload\r", + "Content-Type: application/json\r", + "\r", + "{\"ProcessBuilder.evil.whileclosure\": \"test\"}\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-134", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; 
boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.whileclosure\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + }, + { + "enabled":1, + "version_min":300000, + "title":"Positive tests for rule 944120 944120-135", + "client":{ + "ip":"200.249.12.31", + "port":123 + }, + "server":{ + "ip":"200.249.12.31", + "port":80 + }, + "request":{ + "headers":{ + "Host": "localhost", + "User-Agent": "ModSecurity CRS 3 Tests", + "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", + 
"Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", + "Accept-Encoding": "gzip,deflate", + "Accept-Language": "en-us,en;q=0.5", + "Content-Type": "multipart/form-data; boundary=---------------------------thisissparta" + }, + "uri":"/", + "http_version":1.0, + "method":"POST", + "body": [ + "-----------------------------thisissparta\r", + "Content-Disposition: form-data; name=\"payload\r", + "Content-Type: application/xml\r", + "\r", + "ProcessBuilder.evil.whileclosure\r", + "-----------------------------thisissparta--" + ] + }, + "response":{ + "headers":{ + "Date":"Mon, 13 Jul 2015 20:02:41 GMT", + "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", + "Content-Type":"text/html" + }, + "body":[ + "no need." + ] + }, + "expected":{ + "http_code":403 + }, + "rules":[ + "SecRuleEngine On", + "SecDefaultAction \"phase:2,deny,block,status:403,log\"", + "SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)\" \"id:944120,phase:2,block,t:none,t:lowercase,log,msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',chain\"", + "SecRule MATCHED_VARS \"@rx (?:runtime|processbuilder)\" \"t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'\"" + ] + } +] From 171296970cba100206f8a4c938aa57e60610c405 Mon Sep 17 00:00:00 2001 
From: Ervin Hegedus
Date: Mon, 11 Mar 2019 21:34:45 +0000
Subject: [PATCH 2/2] Disable REQUEST_BODY check when the content-type is multipart
---
 test/test-cases/regression/offset-variable.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/test-cases/regression/offset-variable.json b/test/test-cases/regression/offset-variable.json
index 99c9e19a71..55aeea9c22 100644
--- a/test/test-cases/regression/offset-variable.json
+++ b/test/test-cases/regression/offset-variable.json
@@ -964,7 +964,7 @@
 ]
 },
 {
- "enabled":1,
+ "enabled":0,
 "version_min":300000,
 "title":"Testing Variables :: REQUEST_BODY",
 "client":{
@@ -1013,7 +1013,7 @@
 ]
 },
 {
- "enabled":1,
+ "enabled":0,
 "version_min":300000,
 "title":"Testing Variables :: REQUEST_BODY",
 "client":{
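Review bot: Setting `"enabled":0` on the two `Testing Variables :: REQUEST_BODY` cases (the hunks at -964 and -1013) removes the only offset coverage for that variable instead of pinning the new behaviour. The request and expected sections of both cases lie outside the hunks, so it is an assumption that they post multipart bodies and fail because patch 1/2 stops evaluating REQUEST_BODY for multipart, JSON and XML body types. I would keep both at `"enabled":1`, change their expected output to state that no REQUEST_BODY match is reported for that content type, and add one URLENCODED case that still expects the match and its offset. Which body types a REQUEST_BODY rule can see is a detection boundary for every rule set that lists the variable, so it should be held by an enabled test rather than a switched-off one.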