前段时间杜老师发表了一篇《自建 CDN 服务器思路》其中介绍南墙 Web 应用防火墙,有些小伙伴们对其名字很感兴趣,而杜老师注意到了它的防护规则,感觉非常实用,顺手整理了下,分享给需要的小伙伴们。此篇为严重风险的防护规则!
fastjson漏洞拦截 {#fastjson漏洞拦截}
过滤阶段:请求阶段
规则描述:拦截fastjson漏洞漏洞攻击
规则内容:
|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| local jsonFilter = waf.jsonFilter local function rMatch(v) if v == "@type" then return true, v end return false end local form = waf.form if form then local raw = form["RAW"] local m = jsonFilter(raw, rMatch, false) if m then return m, raw, true end end return false
|
json格式校验 {#json格式校验}
过滤阶段:请求阶段
规则描述:高级攻击者会构造一些异常json绕过WAF检测,该规则对json格式进行安全校验,可以拦截异常json请求。
规则内容:
|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| local form = waf.form local rct = waf.reqContentType local rgx = waf.rgxMatch if rct and waf.contains(waf.toLower(rct), "application/json") and form then local raw = form["RAW"] if raw then if rgx(raw, "^\\s*$", "jos") then return false end local err = waf.checkJson(raw) if err then return true, err .. ":" .. raw, true end end end return false
|
XSS跨站脚本攻击 {#XSS跨站脚本攻击}
过滤阶段:请求阶段
规则描述:攻击者通常会在有漏洞的程序中插入 JavaScript、VBScript、 ActiveX或Flash以欺骗用户。一旦得手,他们可以盗取用户帐户,修改用户设置,盗取/污染cookie,做虚假广告等。
规则内容:
|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
| local kvFilter = waf.kvFilter local checkXSS = waf.checkXSS local function sMatch(v) if v then local m = checkXSS(v) if m then return m, v end end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = sMatch(waf.userAgent) if m then return m, d, true end local m, d = sMatch(waf.referer) if m then return m, d, true end return false
|
java安全规则集 {#java安全规则集}
过滤阶段:请求阶段
规则描述:检测spring、struts、java序列化等相关安全漏洞
规则内容:
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local urlDecode = waf.urlDecode local requestLine = waf.requestLine local check = waf.plugins.javaClassDetection.check local function sMatch(v) local m = rgx(v, "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") if m then return m, "Potential Log4j / Log4shell Attack: " .. v end m = rgx(v, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") if m then return m, "Magic bytes Detected, probable java serialization Attack: " .. v end m = rgx(v, "classLoader\\s*\\.\\s*resources\\s*\\.\\s*context\\s*\\.\\s*parent\\s*\\.\\s*pipeline|springframework\\s*\\.\\s*context\\s*\\.\\s*support\\s*\\.\\s*FileSystemXmlApplicationContext", "jos") if m then return m, "Spring Framework RCE(CVE-2022-22965): " .. v end m = check(v) if m then return m, "Potential dangerous java class: " .. v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end local raw = form["RAW"] m = rgx(raw, "\\xac\\xed\\x00\\x05|rO0ABQ|KztAAU|Cs7QAF", "jo") if m then return m, raw, true end m = check(raw) if m then return m, raw, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = kvFilter(waf.reqHeaders, sMatch) if m then return m, d, true end local m = rgx(urlDecode(requestLine), "(?:\\$\\{)+(?:j(?:n|\\$\\{)|\\$\\{(?:\\w*:)+)", "joi") if m then return m, requestLine, true end return false
|
Shellshock漏洞 {#Shellshock漏洞}
过滤阶段:请求阶段
规则描述:检测对"Shellshock"(CVE-2014-6271和CVE-2014-7169) GNU Bash RCE漏洞的攻击。
规则内容:
|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local requestLine = waf.requestLine local urlDecode = waf.urlDecode local function rMatch(v) local m = rgx(urlDecode(v), "\\(\\s*\\)\\s+{", "jos") if m then return m, v end return false end local m, d = kvFilter(waf.reqHeaders, rMatch) if m then return m, d, true end local m, d = rMatch(requestLine) if m then return m, d, true end return false
|
远程文件包含 (RFI) {#远程文件包含-RFI}
过滤阶段:请求阶段
规则描述:该规则寻找常见类型的远程文件包含(RFI)攻击方法。 #-PHP"include()"函数 #-JSP <jsp:include page= 或 <c:import url= #-RFI主机与本地主机不匹配
规则内容:
|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local host = waf.host local counter = waf.strCounter local str_find = string.find local str_sub = string.sub local function rMatch(v) local m = rgx(v, "^(?:url:)?file|ftps?|https?)://(?:[^@]+@)?([^/]+", "joi") if m then local i, j = str_find(v, host, 1, true) if i then if counter(str_sub(v, 1, j), "/") == 2 then return false end end end return m, v end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end return false
|
json 命令注入检测 {#json-命令注入检测}
过滤阶段:请求阶段
规则描述:解析请求body中的json内容,并检测命令注入攻击。采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p???等
规则内容:
|------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| local checkRCE = waf.checkRCE local jsonFilter = waf.jsonFilter local function rMatch(v) local m = checkRCE(v) if m then return m, v end return false end local form = waf.form if form then local m, d = jsonFilter(form["RAW"], rMatch, false, true) if m then return m, d, true end end return false
|
常规命令注入检测 {#常规命令注入检测}
过滤阶段:请求阶段
规则描述:检测url、cookie、form中的shell命令注入攻击,采用RCE语义检测引擎可以检查各种变形,如:cat$IFS/etc/os-release或c$()at /e??/p???等
规则内容:
|---------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
| local checkRCE = waf.checkRCE local kvFilter = waf.kvFilter local function rMatch(v) local m = checkRCE(v) if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch, true) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch, true) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch, true) if m then return m, d, true end end return false
|
json sql注入检测 {#json-sql注入检测}
过滤阶段:请求阶段
规则描述:解析请求body中的json内容,并检测sql注入攻击。采用SQL语义检测引擎,可以降低误报。
规则内容:
|------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| local checkSQLI = waf.checkSQLI local jsonFilter = waf.jsonFilter local function rMatch(v) local m = checkSQLI(v) if m then return m, v end return false end local form = waf.form if form then local m, d = jsonFilter(form["RAW"], rMatch, false) if m then return m, d, true end end return false
|
常规sql注入检测 {#常规sql注入检测}
过滤阶段:请求阶段
规则描述:检测url、cookie、form中的sql注入攻击。采用SQL语义检测引擎,可以降低误报。
规则内容:
|---------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
| local checkSQLI = waf.checkSQLI local kvFilter = waf.kvFilter local function sMatch(v) local m = checkSQLI(v) if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], sMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, sMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, sMatch) if m then return m, d, true end end local m, d = kvFilter(waf.reqHeaders, sMatch) if m then return m, d, true end return false
|
Invalid protocol {#Invalid-protocol}
过滤阶段:请求阶段
规则描述:请求header数过多,超过64个。
规则内容:
|-----------------|-----------------------------------------------------------------------------------------------|
| 1 2 3 4
| if waf.hErr and waf.hErr=="truncated" then return true,waf.hErr,true end return false
|
XXE漏洞 {#XXE漏洞}
过滤阶段:请求阶段
规则描述:XML外部实体注入(XML External Entity)漏洞简称XXE漏洞。当允许引用外部实体时,通过构造恶意内容,可导致读取任意文件、执行系统命令、探测内网端口、攻击内网网站等危害。
规则内容:
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7
| if waf.form and waf.form["RAW"] then local m = waf.rgxMatch(waf.form["RAW"], "<!(?:DOCTYPE|ENTITY)[^>]+?\\bSYSTEM\\b", "jos") if m then return m, waf.form["RAW"], true end end return false
|
ImageMagick漏洞 {#ImageMagick漏洞}
过滤阶段:请求阶段
规则描述:ImageMagick是一个功能强大的开源图形处理软件,该漏洞可以执行任意命令和读写文件
规则内容:
|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13
| local rgx = waf.rgxMatch local function imgContentMatch(v) local m = rgx(v, "\\bpush\\s+graphic-context\\b|\\<\\s*image\\b", "joi") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], imgContentMatch, 0) return m, d, true end return false
|
header头漏洞 {#header头漏洞}
过滤阶段:请求阶段
规则描述:httpoxy漏洞可被用来针对CGI环境设置非法代理,从而窃取服务器敏感数据。在CVE-2017-7269(IIS 6.0 WebDAV远程代码执行漏洞)中if和lock_token http头会造成溢出攻击。
规则内容:
|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13
| if waf.reqHeaders.proxy ~= nil then return true, "Proxy: " .. waf.reqHeaders.proxy, true end if waf.reqHeaders.lock_token ~= nil then return true, "Lock-Token: " .. waf.reqHeaders.lock_token, true end if waf.reqHeaders["If"] ~= nil then return true, "If: " .. waf.reqHeaders["If"], true end return false
|
LDAP Injection {#LDAP-Injection}
过滤阶段:请求阶段
规则描述:拦截LDAP注入攻击
规则内容:
|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local function rMatch(v) local m = rgx(htmlEntityDecode(v), "^[^:\\(\\)\\&\\|\\!\\<\\>\\~]*\\)\\s*(?:\\((?:[^,\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=|\\s*[&!|]\\s*(?:\\)|\\()?\\s*)|\\)\\s*\\(\\s*[\\&\\|\\!]\\s*|[&!|]\\s*\\([^\\(\\)\\=\\&\\|\\!\\<\\>\\~]+[><~]?=[^:\\(\\)\\&\\|\\!\\<\\>\\~]*)", "jos") if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch) if m then return m, d, true end end return false
|
HTTP Splitting {#HTTP-Splitting}
过滤阶段:请求阶段
规则描述:此规则检测请求文件名中的\n或\r。
规则内容:
|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13
| local rgx = waf.rgxMatch local function fMatch(v) local m = rgx(v, "[\\n\\r]", "jo") if m then return m, v end return false end local m, d = fMatch(waf.uri) if m then return m, d, true end return false
|
HTTP Header Injection {#HTTP-Header-Injection}
过滤阶段:请求阶段
规则描述:HTTP头注入查找回车符(CR)%0d和换行符(LF)%0a字符,单独或与header字段名称组合使用。如果数据在响应头中返回并由客户端解释,这些字符可能会导致问题。
规则内容:
|---------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
| local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local concat = table.concat local function hMatch(v) local m = rgx(htmlEntityDecode(v), "[\\n\\r]", "jo") if m then return m, v end return false end local function vMatch(v) local m = rgx(htmlEntityDecode(v), "[\\n\\r]+(?:\\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\\s*:", "josi") if m then return m, v end return false end local m, d = waf.kvFilter(waf.reqHeaders, hMatch) if m then return m, d, true end local queryString = waf.queryString if queryString then for k, v in pairs(waf.queryString) do m, d = hMatch(k) if m then return m, d, true end if type(v)=="table" then v = concat(v,",") end m, d = vMatch(v) if m then return m, d, true end end end local form = waf.form if form then for k, _ in pairs(form["FORM"]) do m, d = hMatch(k) if m then return m, d, true end end end return false
|
boundary异常拦截 {#boundary异常拦截}
过滤阶段:请求阶段
规则描述:拦截请求content type头中multipart/form-data的异常boundary,如php在上传解析boundary时没有符合rfc规范,对逗号产生了错误解析。
规则内容:
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11
| local ct = waf.reqContentType if ct then if type(ct) ~= "string" then return true, "Malform Content-Type", true elseif waf.contains(ct, "boundary") and (waf.strCounter(ct, "boundary") > 1 or not waf.rgxMatch(ct, "boundary=[\\w\\-]+$", "jo")) then return true, ct, true end end return false
|
asp畸形编码过滤 {#asp畸形编码过滤}
过滤阶段:请求阶段
规则描述:asp中unicode畸形编码会造成waf绕过危害
规则内容:
|-----------------|--------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4
| if waf.rgxMatch(waf.reqUri,"%u00(?:aa|ba|d0|de|e2|f0|fe)","i") then return true,waf.reqUri,true end return false
|
HTTP Response Splitting {#HTTP-Response-Splitting}
过滤阶段:请求阶段
规则描述:该规则查找回车符(CR)%0d和换行符(LF)%0a字符。如果在响应报头中返回数据,这些字符可能会导致问题,并且可能会被中间代理服务器解释并被视为两个单独的响应。
规则内容:
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local function rMatch(v) local m = rgx(v, "[\\r\\n]\\W*?(?:content-(?:type|length)|set-cookie|location):\\s*\\w", "josi") if m then return m, v end return false end local function hMatch(v) local m = rgx(htmlEntityDecode(v), "(?:\\bhttp/\\d|<(?:html|meta)\\b)", "josi") if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end m, d = kvFilter(form["FORM"], hMatch) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end m, d = kvFilter(queryString, hMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch) if m then return m, d, true end m, d = kvFilter(cookies, hMatch) if m then return m, d, true end end return false
|
HTTP Request Smuggling {#HTTP-Request-Smuggling}
过滤阶段:请求阶段
规则描述:此规则查找与单词HTTP/\d或CR/LF字符组合的HTTP/WEBDAV方法名。这将指向试图将第二个请求注入到请求中,从而绕过对主请求执行的测试,如CVE-2019-20372(Nginx<1.17.7 请求走私漏洞)。
规则内容:
|------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
| local kvFilter = waf.kvFilter local rgx = waf.rgxMatch local htmlEntityDecode = waf.htmlEntityDecode local function rMatch(v) local m = rgx(htmlEntityDecode(v), "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d", "josi") if m then return m, v end return false end local form = waf.form if form then local m, d = kvFilter(form["FORM"], rMatch) if m then return m, d, true end m, d = rMatch(form["RAW"]) if m then return m, d, true end end local queryString = waf.queryString if queryString then local m, d = kvFilter(queryString, rMatch) if m then return m, d, true end end local cookies = waf.cookies if cookies then local m, d = kvFilter(cookies, rMatch) if m then return m, d, true end end return false
|
上传文件内容过滤 {#上传文件内容过滤}
过滤阶段:请求阶段
规则描述:过滤上传的文件内容,拦截webshell上传
规则内容:
|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13
| local rgx = waf.rgxMatch local function fileContentMatch(v) local m = rgx(v, "<\\?.+?\\$(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES|SESSION|ENV))|<\\?php|<jsp:|<%(?i:!|\\s*@|.*?\\brequest\\s*(?:\\.|\\())", "jos") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], fileContentMatch, 0) return m, d, true end return false
|
上传文件名过滤 {#上传文件名过滤}
过滤阶段:请求阶段
规则描述:过滤上传文件名中的网页脚本扩展名,拦截webshell上传
规则内容:
|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| local rgx = waf.rgxMatch local function fileNameMatch(v) local m = rgx(v, "\\.(?:as|cer\\b|cdx|ph|jsp|war|class|exe|ht|env|user\\.ini)|php\\.ini", "joi") if m then return m, v end return false end if waf.form then local m, d = waf.knFilter(waf.form["FILES"], fileNameMatch, 1) return m, d, true end return false
|
防持续攻击 {#防持续攻击}
过滤阶段:请求阶段
规则描述:累计攻击超过100次,则在10分钟内拦截该ip访问
规则内容:
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7
| local ib = waf.ipBlock local c = ib:get(waf.ip) if c and c >= 100 then ib:set(waf.ip, c, 600, 1) return true, "ip blocked for continue attack: " .. waf.ip, true end return false
|
Invalid protocol {#Invalid-protocol-2}
过滤阶段:请求阶段
规则描述:非法post协议
规则内容:
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 2 3 4 5 6 7
| if waf.form == nil then if waf.contains(waf.fErr, "content_type") then return true, waf.fErr .. ": " .. waf.reqContentType, true end return true, waf.fErr, true end return false
|