Christian Folini dune73
@dune73
dune73 / gist:b5012ed09b97063abf3e80fd4d30c9f3
Last active September 26, 2019 22:10
Report of new XSS payloads being sent against a vanilla OWASP ModSecurity Core Rule Set installation
This is an attachment that goes with
https://coreruleset.org/20190926/running-a-few-dozens-of-new-magic-xss-payloads-against-crs-3-2/
Multiline payloads were submitted as separate payloads for simplicity.
We do not think this changes a thing. Single payloads would be easier to detect for CRS.
******* payload-002-001 ***********
Payload:
payload=<a href=# name=x id=x>Click me on IE11</a>
payload=<script event="onclick(blah)<wtfbbq>{}" for=x>blah.view.alert(1)</script>
@dune73
dune73 / gist:67400bf4d1e23848564ad73c679fcbe5
Created September 27, 2019 22:13
Portswigger XSS Cheatsheet vs OWASP ModSecurity CRS 3.2
Cheatsheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
Extracted over 250 payloads and sent them against CRS 3.2
****** payload-000 ********
Payload:
payload=<a id=x tabindex=1 onactivate=alert(1)></a></a>
--- Paranoia Level 1 ---
@dune73
dune73 / html
Created January 28, 2020 22:42
test
test <a href="xxx">xxx</a>
@dune73
dune73 / crs-kindergarden.txt
Created September 2, 2020 12:20
Draft proposal CRS-Kindergarden
Purpose
-------
This is a CRS side project with non-blocking rules in beta quality. The idea
is to allow people to use these rules in production and to provide
feedback so we can adjust them or include them at the right paranoia
level in the real releases.
Rules in Kindergarden are meant to do no harm, but they are still beta.
@dune73
dune73 / testest
Created September 13, 2020 22:48
xxx
diff --git a/src/operators/rx.cc b/src/operators/rx.cc
index 43f6444b..b4fc6ff4 100644
--- a/src/operators/rx.cc
+++ b/src/operators/rx.cc
@@ -1,6 +1,6 @@
/*
* ModSecurity, http://www.modsecurity.org/
- * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ * Copyright (c) 2015 - 2020 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
BEFORE CRS INCLUDE:
# Defense against CVE-2021-44228
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/|XML://@ "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
"id:1005,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:cmdline,\
#! /usr/bin/env python
import subprocess
import json
import datetime
import sys
import os
def get_issue(repository: str, number: int) -> dict:
command = f"""gh issue view \
ServerName localhost
ServerAdmin root@localhost
ServerRoot /apache
User www-data
Group www-data
PidFile logs/httpd.pid
ServerTokens Prod
UseCanonicalName On
TraceEnable Off
@dune73
dune73 / gist:0787d6bd8a957c307fb1a32cb6600928
Created March 28, 2024 10:51
CRS Release Policy Blog Post
# Towards a new OWASP CRS Release Policy
With the release of CRS 4.0.0 (2024-02-14), we have also started a line of
monthly releases. CRS 4.1.0 came out on March 21, so we're getting
into the habit. But there is a lot more to this than only a monthly
release and we have not explored these topics yet. This was also
highlighted in a public issue
(FIXME: Link https://github.com/coreruleset/coreruleset/issues/3624)
and a conversation in our Slack recently (OWASP Slack, channel #coreruleset).