Recipe 9-1: Blocking Non-ASCII Characters
This recipe shows you how to determine when attackers attempt to submit non-ASCII characters.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_20_protocol_violations.conf
- ModSecurity
- ARGS variable
- ARGS_NAMES variable
- REQUEST_HEADERS variable
- @validateByteRange operator
CAPEC-52: Embedding NULL Bytes
An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when they encounter the null byte(s).
Sample Attacks
The following attacks were captured from web server honeypot sensors:
209.235.136.112 - - [15/Apr/2012:16:55:36 +0900] "GET /index.php?option=com_ganalytics&controller=../opt/lampp/logs/error_log%00.php HTTP/1.0" 404 204
209.235.136.112 - - [15/Apr/2012:16:49:22 +0900] "GET /index.php?option=com_ganalytics&controller=../etc/group%00.php HTTP/1.0" 404 204
209.235.136.112 - - [15/Apr/2012:16:49:31 +0900] "GET /index.php?option=com_ganalytics&controller=../etc/passwd%00.php HTTP/1.0" 404 204
209.235.136.112 - - [15/Apr/2012:16:48:49 +0900] "GET /index.php?option=com_ganalytics&controller=../etc/shadow%00.php HTTP/1.0" 404 204
In these examples, the attacker is attempting to access other OS-level files within the controller parameter of a specific WordPress ...
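The following Python script is an added illustration, not code from the book or from the CRS: it reproduces what a rule such as `SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255"` (after `t:urlDecodeUni`) checks, by URL-decoding each parameter name and value from the honeypot entries above and flagging any byte outside the allowed range. The log lines and the clean third request are constructed copies for offline use; passing `ranges=((32, 126),)` tightens the check to printable ASCII, which is the stricter policy the recipe title refers to.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: two of the honeypot entries quoted above plus one
# benign request (documentation-range IP) that must not be flagged.
SAMPLE_LOG = """\
209.235.136.112 - - [15/Apr/2012:16:55:36 +0900] "GET /index.php?option=com_ganalytics&controller=../opt/lampp/logs/error_log%00.php HTTP/1.0" 404 204
209.235.136.112 - - [15/Apr/2012:16:49:31 +0900] "GET /index.php?option=com_ganalytics&controller=../etc/passwd%00.php HTTP/1.0" 404 204
203.0.113.7 - - [15/Apr/2012:17:01:02 +0900] "GET /index.php?option=com_ganalytics&controller=article HTTP/1.0" 200 512
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def validate_byte_range(data: bytes, ranges=((1, 255),)) -> bool:
    """Mimic ModSecurity's @validateByteRange: True only when every byte lies
    inside one of the inclusive ranges. The default 1-255 rejects NUL (0x00)."""
    return all(any(lo <= b <= hi for lo, hi in ranges) for b in data)


def decode_args(target: str):
    """Return (name, value) pairs from the request target's query string,
    URL-decoded so that %00 becomes a real NUL byte, as t:urlDecodeUni does."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_log(text: str, ranges=((1, 255),)) -> list:
    """Run the byte-range check over ARGS_NAMES and ARGS of every request and
    return one finding per offending variable, the way a WAF alert would."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed access-log entry
        for name, value in decode_args(m["target"]):
            for var, data in (("ARGS_NAMES:" + name, name), ("ARGS:" + name, value)):
                if not validate_byte_range(data.encode("utf-8"), ranges):
                    findings.append({"ip": m["ip"], "status": m["status"],
                                     "variable": var, "value": data})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["variable"], repr(hit["value"]))
```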