
Commit b106688

feat: detect javascript methods import fetch console.log console.dir (#4076)
* feat: detect javascript methods `import` `fetch` `console.log` `console.dir`
* feat: detect javascript methods `import` `fetch` `console.log` `console.dir`
* fix: escape dot
1 parent 5bb34cc commit b106688

3 files changed

+47
-3
lines changed

3 files changed

+47
-3
lines changed

regex-assembly/941390.ra

Lines changed: 5 additions & 1 deletion
@@ -3,7 +3,7 @@
33

44
##!+ i
55
##!^ \b
6-
##!$ \s*\(
6+
##!$ \s*[({]
77

88
eval
99
settimeout
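Review bot: the suffix change on assembly line 6, `##!$ \s*\(` to `##!$ \s*[({]`, applies to every name in this file, not only to `import`. After reassembly `eval {`, `alert {`, `btoa {`, `confirm {` and the rest match as well, although a `{` cannot follow a call to any of those functions in JavaScript; only `import { ... } from` legitimately takes a brace. If the ES module form is the target, keep the `\(` suffix for the existing names and express the brace variant for `import` alone; otherwise state in the commit message that the wider suffix is deliberate, because with `##!^ \b` and the `##!+ i` flag a brace after any of these words in ordinary text now triggers 941390 too.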
@@ -14,3 +14,7 @@ atob
1414
btoa
1515
prompt
1616
confirm
17+
import
18+
fetch
19+
console\.log
20+
console\.dir
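Review bot: `import` and `fetch` are ordinary English words, unlike the rest of this list, and with the file's `##!^ \b` prefix and case-insensitive `##!+ i` flag any `import (` or `fetch (` in prose now matches; the new test 10 in 941390.yaml already records one such false positive. Since `import (` with a space is valid dynamic-import syntax, the pattern cannot be anchored more tightly, so please record that trade-off in a comment in the assembly file rather than only in the test. The dots in `console\.log` and `console\.dir` are correctly escaped (the `fix: escape dot` commit); without the backslash `console.log` would have matched `consoleXlog` for any character X.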

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

Lines changed: 1 addition & 1 deletion
@@ -736,7 +736,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
736736
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
737737
# crs-toolchain regex update 941390
738738
#
739-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" \
739+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\.(?:log|dir))|fetch)[\s\x0b]*[\(\{]" \
740740
"id:941390,\
741741
phase:2,\
742742
block,\
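Review bot: the assembled alternation covers exactly two `console` members, `con(?:firm|sole\.(?:log|dir))`, so `console.error(`, `console.warn(`, `console.table(` and the bracket form `console['log'](` pass the rule unchanged, and a payload author probing for an output sink simply picks one of those. Either widen the source in `941390.ra` to `console\.\w+` (or to the full list of members the rule is meant to catch) and regenerate, or add a line to the rule comment saying why only `log` and `dir` are listed. Please also confirm the new regex was produced by `crs-toolchain regex update 941390`, as the comment directly above it says, and not edited by hand; the `(?:promp|impor)t` factoring looks machine-generated, which is what we want.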

tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941390.yaml

Lines changed: 41 additions & 1 deletion
@@ -1,6 +1,6 @@
11
---
22
meta:
3-
author: "Franziska Buehler, Xhoenix, azurit"
3+
author: "Franziska Buehler, Xhoenix, azurit, Esad Cetiner"
44
rule_id: 941390
55
tests:
66
- test_id: 1
@@ -147,3 +147,43 @@ tests:
147147
output:
148148
log:
149149
expect_ids: [941390]
150+
- test_id: 10
151+
desc: |
152+
Known False positive:
153+
Matching `import (` in `if you’re willing to import (and perhaps wait around`
154+
stages:
155+
- input:
156+
dest_addr: 127.0.0.1
157+
headers:
158+
Host: localhost
159+
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>"
160+
User-Agent: "OWASP CRS test agent"
161+
method: POST
162+
port: 80
163+
uri: "/post"
164+
data: |-
165+
fp=If you’re looking for a personal recommendation, if you’re willing to import (and perhaps wait around, as they often sell out line has been consistently excellent so far.
166+
version: HTTP/1.1
167+
output:
168+
log:
169+
expect_ids: [941390]
170+
- test_id: 11
171+
desc: |
172+
True Positive:
173+
Detect import method with curly brackets
174+
stages:
175+
- input:
176+
dest_addr: 127.0.0.1
177+
headers:
178+
Host: localhost
179+
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.>"
180+
User-Agent: "OWASP CRS test agent"
181+
method: POST
182+
port: 80
183+
uri: "/post"
184+
data: |-
185+
code=import { sayHi, sayBye } from "./greeting.js";
186+
version: HTTP/1.1
187+
output:
188+
log:
189+
expect_ids: [941390]
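Review bot: test 10 is described as a `Known False positive` yet asserts `expect_ids: [941390]`, so it locks the false positive in as required behaviour: the moment someone tightens the regex so that prose like `willing to import (and` no longer matches, this test fails. Either assert the behaviour actually wanted (`no_expect_ids: [941390]`) and track the failure, or say in `desc` that the test documents current behaviour and must be flipped to `no_expect_ids` when the false positive is addressed. Two further gaps: the commit adds four names but only `import` gets a positive test (test 11), so add cases for `fetch(`, `console.log(` and `console.dir(`, plus a negative case such as `consolexlog(` that would have caught the unescaped dot this commit fixes. Finally, the `Accept` header value in both tests ends in `*/*;q=0.>`, which is truncated (compare `text/plain;q=0.8` earlier in the same value); it is harmless for the rule under test but should be a well-formed q-value.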
