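#vi:filetype=perl

# naxsi whitelist (BasicRule wl:<id>) scoping tests, driven by Test::Nginx.
#
# Every block below loads the naxsi module and two MainRules (ids 1998 and
# 1999, matching the literal strings "1998"/"1999" in ARGS, each adding
# "s:$SQL:42"), so a single hit crosses the "$SQL >= 8" CheckRule and the
# request is sent to DeniedUrl /RequestDenied, which answers 412.  Each block
# then asserts whether a given whitelist lets the request through (200) or
# not (412).
#
# Covered:
#   5.0-5.3  whitelists keyed on "$ARGS_VAR:<name>|$URL:<path>" apply only to
#            that argument name on that URL; 5.3 expects 412 for /?buixor=1998
#            because neither the URL nor the argument name matches.
#   5.4-5.5  argument names containing characters that are URL-encoded on the
#            wire ("b_@_la" is whitelisted; "b]la" must not match a whitelist
#            written for "b[]la").
#   6-6.3    collisions between "$ARGS_VAR:/bla" and "$URL:/bla|ARGS": a
#            whitelist on the argument *named* "/bla" must not be confused with
#            a whitelist on the URL "/bla" and vice versa (6.0 expects 412 for
#            /?/bla=1998).
#
# TODO: add a test case with a rule on a generic header, and the same on
#       arguments.

use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

# One assertion (error_code) per block; repeat_each(2) runs each block twice.
plan tests => repeat_each(2) * blocks();

# Each block declares its own "location /", so do not let Test::Nginx add one.
no_root_location();
no_long_string();

# Referenced as $TEST_NGINX_SERVROOT by the "root" directive of every block;
# Test::Nginx expands $TEST_NGINX_* environment variables inside --- config.
$ENV{TEST_NGINX_SERVROOT} = server_root();

run_tests();

__DATA__
=== WL TEST 5.0: Two whitelists on two named arguments, same URL
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?bla=1999
--- error_code: 200
=== WL TEST 5.1: Two whitelists on two named arguments, same URL
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?blu=1999
--- error_code: 412
=== WL TEST 5.2: Two whitelists on two named arguments, same URL
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?bla=1999&blu=1998
--- error_code: 200
=== WL TEST 5.3: Two whitelists on two named arguments, same URL
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /?buixor=1998
--- error_code: 412
=== WL TEST 5.4: Whitelists on ARGS/URLs that are URLencoded
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:b_@_la|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?b_@_la=1999
--- error_code: 200

=== WL TEST 5.5: Whitelists on ARGS/URLs that are URLencoded
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:b[]la|$URL:/buixor";
    BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?b]la=1999
--- error_code: 412

=== WL TEST 6: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
--- user_files
>>> buixor
eh yo
>>> bla
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
# BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
    BasicRule wl:1998 "mz:$URL:/bla|ARGS";
}
location /RequestDenied {
    return 412;
}
--- request
GET /bla?1998
--- error_code: 200

=== WL TEST 6.0: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
# BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
    BasicRule wl:1998 "mz:$URL:/bla|ARGS";
}
location /RequestDenied {
    return 412;
}
--- request
GET /?/bla=1998
--- error_code: 412

=== WL TEST 6.1: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
--- user_files
>>> buixor
eh yo
>>> bla
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla";
    BasicRule wl:1998 "mz:$URL:/bla|ARGS";
}
location /RequestDenied {
    return 412;
}
--- request
GET /bla?bla=1999&toto=1998
--- error_code: 200

=== WL TEST 6.2: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
--- user_files
>>> buixor
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
    BasicRule wl:1998 "mz:$URL:/bla|ARGS";
}
location /RequestDenied {
    return 412;
}
--- request
GET /buixor?/bla=1999
--- error_code: 200

=== WL TEST 6.3: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
--- user_files
>>> buixor
eh yo
>>> bla
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
--- config
location / {
    #LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
    BasicRule wl:1998 "mz:$URL:/bla|ARGS";
}
location /RequestDenied {
    return 412;
}
--- request
GET /bla?/bla=1999&bu=1998
--- error_code: 200
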