From 6abc8d1eb8e8e94b57de52702385b5ffc48a22c1 Mon Sep 17 00:00:00 2001
From: Victor Pellan <37553749+vpellan@users.noreply.github.com>
Date: Fri, 25 Oct 2024 15:54:11 +0200
Subject: [PATCH] Add Suspicious Request Blocking test without path_params (#3305)

---
 tests/appsec/blocking_rule.json | 80 +++++++++++++++++++++++--
 tests/appsec/test_blocking_addresses.py | 53 +++++++++++++---
 2 files changed, 120 insertions(+), 13 deletions(-)

diff --git a/tests/appsec/blocking_rule.json b/tests/appsec/blocking_rule.json
index 5cd14c3790..5f2e03dc9b 100644
--- a/tests/appsec/blocking_rule.json
+++ b/tests/appsec/blocking_rule.json
@@ -521,7 +521,7 @@
               "address": "server.request.uri.raw"
             }
           ],
-          "regex": "ypMrmzrWATkLrPKLblvpRGGltBSgHWrK"
+          "regex": "malicious-uri-ypMrmzrWATkLrPKLblvpRGGltBSgHWrK"
         },
         "operator": "match_regex"
       },
@@ -532,7 +532,7 @@
               "address": "server.request.path_params"
             }
           ],
-          "regex": "cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc"
+          "regex": "malicious-path-cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc"
         },
         "operator": "match_regex"
       },
@@ -543,7 +543,7 @@
               "address": "server.request.query"
             }
           ],
-          "regex": "SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ"
+          "regex": "malicious-query-SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ"
         },
         "operator": "match_regex"
       },
@@ -554,7 +554,7 @@
               "address": "server.request.headers.no_cookies"
             }
           ],
-          "regex": "kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"
+          "regex": "malicious-header-kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"
         },
         "operator": "match_regex"
       },
@@ -565,7 +565,77 @@
               "address": "server.request.cookies"
             }
           ],
-          "regex": "PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"
+          "regex": "malicious-cookie-PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"
+        },
+        "operator": "match_regex"
+      }
+    ],
+    "transformers": [],
+    "on_match": [
+      "block"
+    ]
+  },
+  {
+    "id": "tst-037-013",
+    "name": "Test block on multiple request addresses (without path_params)",
+    "tags": {
+      "type": "lfi",
+      "crs_id": "000013",
+      "category": "attack_attempt"
+    },
+    "conditions": [
+      {
+        "parameters": {
+          "inputs": [
+            {
+              "address": "server.request.method"
+            }
+          ],
+          "regex": "GET"
+        },
+        "operator": "match_regex"
+      },
+      {
+        "parameters": {
+          "inputs": [
+            {
+              "address": "server.request.uri.raw"
+            }
+          ],
+          "regex": "malicious-uri-wX1GdUiWdVdoklf0pYBi5kQApO9i77tN"
+        },
+        "operator": "match_regex"
+      },
+      {
+        "parameters": {
+          "inputs": [
+            {
+              "address": "server.request.query"
+            }
+          ],
+          "regex": "malicious-query-T3d1nKdkTWIG03q03ix9c9UlhbGigvwQ"
+        },
+        "operator": "match_regex"
+      },
+      {
+        "parameters": {
+          "inputs": [
+            {
+              "address": "server.request.headers.no_cookies"
+            }
+          ],
+          "regex": "malicious-header-siDzyETAdkvKahD3PxlvIqcE0fMIVywE"
+        },
+        "operator": "match_regex"
+      },
+      {
+        "parameters": {
+          "inputs": [
+            {
+              "address": "server.request.cookies"
+            }
+          ],
+          "regex": "malicious-cookie-qU4sV2r6ac2nfETV7aJP9Fdt1NaWC9wB"
         },
         "operator": "match_regex"
       }
diff --git a/tests/appsec/test_blocking_addresses.py b/tests/appsec/test_blocking_addresses.py
index 21b8d972c7..ce73154643 100644
--- a/tests/appsec/test_blocking_addresses.py
+++ b/tests/appsec/test_blocking_addresses.py
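Review bot: The `server.request.method` condition of the new rule tst-037-013 uses the unanchored regex `"GET"`, so the intent (block only plain GET requests) is not explicit, and if `match_regex` searches rather than full-matches it also accepts any method token that merely contains GET; anchoring it as `"regex": "^GET$"` makes the intent explicit at no cost. Note also that the POST/GET pair in `setup_blocking_before` in this same patch shows a request carrying only the query and cookie tokens is served with 200, i.e. every condition of a rule must hold before it blocks, so a library missing the headers or cookies address would fail this test for a reason unrelated to path_params. Since JSON allows no comment, the rule name is the only place to record that, e.g. `"name": "Test block on uri.raw, query, headers and cookies (no path_params condition)"`.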
@@ -515,9 +515,9 @@ class Test_Suspicious_Request_Blocking:
 
     def setup_blocking(self):
         self.rm_req_block = weblog.get(
-            f"/tag_value/cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc_ypMrmzrWATkLrPKLblvpRGGltBSgHWrK/200?attack=SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
-            cookies={"foo": "PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
-            headers={"content-type": "text/plain", "client": "kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"},
+            f"/tag_value/malicious-path-cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc_malicious-uri-ypMrmzrWATkLrPKLblvpRGGltBSgHWrK/200?attack=malicious-query-SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
+            cookies={"foo": "malicious-cookie-PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
+            headers={"content-type": "text/plain", "client": "malicious-header-kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"},
         )
 
     @irrelevant(
@@ -531,14 +531,14 @@ def test_blocking(self):
 
     def setup_blocking_before(self):
         self.set_req1 = weblog.post(
-            "/tag_value/clean_value_3882/200?attack=SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
+            "/tag_value/clean_value_3882/200?attack=malicious-query-SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
             data={"good": "value"},
-            cookies={"foo": "PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
+            cookies={"foo": "malicious-cookie-PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
         )
         self.block_req2 = weblog.get(
-            f"/tag_value/cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc_ypMrmzrWATkLrPKLblvpRGGltBSgHWrK/200?attack=SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
-            cookies={"foo": "PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
-            headers={"content-type": "text/plain", "client": "kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"},
+            f"/tag_value/malicious-path-cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc_malicious-uri-ypMrmzrWATkLrPKLblvpRGGltBSgHWrK/200?attack=malicious-query-SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",
+            cookies={"foo": "malicious-cookie-PwXuEQEdeAjzWpCDqAzPqiUAdXJMHwtS"},
+            headers={"content-type": "text/plain", "client": "malicious-header-kCgvxrYeiwUSYkAuniuGktdvzXYEPSff"},
         )
 
     @irrelevant(
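Review bot: The rewritten request URLs on the `+` lines of both hunks keep an `f` prefix on literals that contain no placeholders (ruff F541), which suggests interpolation that never happens; drop it so the line reads `"/tag_value/malicious-path-cGDgSRJvklxGOKMTNfQMViBPpKAvpFoc_malicious-uri-ypMrmzrWATkLrPKLblvpRGGltBSgHWrK/200?attack=malicious-query-SAGihOkuSwXXFDXNqAWJzNuZEdKNunrJ",`. The same five tokens are now spelled out verbatim in blocking_rule.json and again in `setup_blocking` and `setup_blocking_before` here, so the coupling between rule tst-037-012 and these requests is only implicit; hoisting each token into a module-level constant such as `MALICIOUS_URI_012 = "malicious-uri-ypMrmzrWATkLrPKLblvpRGGltBSgHWrK"` and building the URL from it would make the pairing explicit and give a single place to change. Both setup methods are fully inside their hunks; the `@irrelevant(` decorated test methods that follow them continue outside.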
@@ -551,11 +551,48 @@ def test_blocking_before(self): assert self.set_req1.status_code == 200 assert self.set_req1.text == "Value tagged" interfaces.library.validate_spans(self.set_req1, _assert_custom_event_tag_presence("clean_value_3882")) + """Test that blocked requests are blocked before being processed""" assert self.block_req2.status_code == 403 interfaces.library.assert_waf_attack(self.block_req2, rule="tst-037-012") interfaces.library.validate_spans(self.block_req2, _assert_custom_event_tag_absence()) + def setup_blocking_without_path_params(self): + self.rm_req_block = weblog.get( + f"/tag_value/path_param_malicious-uri-wX1GdUiWdVdoklf0pYBi5kQApO9i77tN/200?attack=malicious-query-T3d1nKdkTWIG03q03ix9c9UlhbGigvwQ", + cookies={"foo": "malicious-cookie-qU4sV2r6ac2nfETV7aJP9Fdt1NaWC9wB"}, + headers={"content-type": "text/plain", "client": "malicious-header-siDzyETAdkvKahD3PxlvIqcE0fMIVywE"}, + ) + + def test_blocking_without_path_params(self): + """Test if requests that should be blocked are blocked""" + assert self.rm_req_block.status_code == 403, self.rm_req_block.request.url + interfaces.library.assert_waf_attack(self.rm_req_block, rule="tst-037-013") + + def setup_blocking_before_without_path_params(self): + self.set_req1 = weblog.post( + "/tag_value/clean_value_3882/200?attack=malicious-query-T3d1nKdkTWIG03q03ix9c9UlhbGigvwQ", + data={"good": "value"}, + cookies={"foo": "malicious-cookie-qU4sV2r6ac2nfETV7aJP9Fdt1NaWC9wB"}, + ) + self.block_req2 = weblog.get( + f"/tag_value/path_param_malicious-uri-wX1GdUiWdVdoklf0pYBi5kQApO9i77tN/200?attack=malicious-query-T3d1nKdkTWIG03q03ix9c9UlhbGigvwQ", + cookies={"foo": "malicious-cookie-qU4sV2r6ac2nfETV7aJP9Fdt1NaWC9wB"}, + headers={"content-type": "text/plain", "client": "malicious-header-siDzyETAdkvKahD3PxlvIqcE0fMIVywE"}, + ) + + def test_blocking_before_without_path_params(self): + """Test that blocked requests are blocked before being processed""" + # first request should not block and must set the tag in span 
accordingly + assert self.set_req1.status_code == 200 + assert self.set_req1.text == "Value tagged" + interfaces.library.validate_spans(self.set_req1, _assert_custom_event_tag_presence("clean_value_3882")) + + """Test that blocked requests are blocked before being processed""" + assert self.block_req2.status_code == 403 + interfaces.library.assert_waf_attack(self.block_req2, rule="tst-037-013") + interfaces.library.validate_spans(self.block_req2, _assert_custom_event_tag_absence()) + @scenarios.graphql_appsec @features.appsec_request_blocking