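#vi:filetype=perl
#
# Test::Nginx test suite for the naxsi module.  Every block in __DATA__ loads
# the module, declares its rules (MainRule in http_config, BasicRule inside the
# location), sends a single request and checks only the HTTP status: a 412 is
# produced by the /RequestDenied location, i.e. the request was blocked by
# naxsi; 200/404 means it reached the static root.
#
# TODO: add a test case with a rule on a generic header,
#       and the same one on arguments :)
#
# NOTE(review): three blocks share the title "TEST 1.2"; Test::Nginx reports
# failures by block name, so distinct titles would make diagnostics
# unambiguous (the labels are left untouched here).
# NOTE(review): blocks 1.4 to 1.6.1 set "$naxsi_flag_post_acton" — this looks
# like a misspelling of "post_action"; confirm against the module's flag name,
# because a variable set under the wrong name is never consulted by the module.

use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

repeat_each(3);

# NOTE(review): repeat_each(1) with an argument appears to reset the repeat
# count to 1 (overriding the repeat_each(3) above) and return that value;
# use repeat_each() with no argument in the plan if three repetitions per
# block were intended.
plan tests => repeat_each(1) * blocks();
no_root_location();
no_long_string();
$ENV{TEST_NGINX_SERVROOT} = server_root();
run_tests();


__DATA__
=== TEST 1.0: Basic GET request, with allow rule (useless, just for coverage. ALLOW should be killed)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule id:4241 "str:ratata" "mz:ARGS" "s:$TEST:42";
#MainRule id:4242 "str:XXX" "s:$SQL:8" "mz:ARGS";
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /?a=ratataXXX
--- error_code: 200
=== TEST 1.1: Basic GET request, with global score increase
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule id:4241 "str:ratata" "mz:ARGS" "s:42";
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /?a=ratataXXX
--- error_code: 200
=== TEST 1.2: rule on headers
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    BasicRule id:4241 "str:ratata" "mz:HEADERS" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- more_headers
headertest: ratata
--- request
GET /?a=XXX
--- error_code: 412
=== TEST 1.2: extensive log while targeting name
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
location / {
    SecRulesEnabled;
    LearningMode;
    BasicRule id:4241 "str:ratata" "mz:ARGS" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /?ratata=tututu
--- error_code: 200
=== TEST 1.2: extensive log while targeting name
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
location / {
    SecRulesEnabled;
    LearningMode;
    BasicRule id:4241 "str:ratata" "mz:ARGS" "s:LOG";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /?ratata=tututu
--- error_code: 200
=== TEST 1.3: rule on url
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
location / {
    SecRulesEnabled;
    BasicRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /ratata?x=tututu
--- error_code: 412
=== TEST 1.4: add post action as dynamic flag
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    BasicRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /ratata?x=tututu
--- error_code: 412
=== TEST 1.5.0: HEADER_VAR_X
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
MainRule id:4241 "str:ratata" "mz:$HEADERS_VAR_X:ruuu" "s:BLOCK";
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    # BasicRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- more_headers
ruuu: ratata1
--- request
GET /ratata?x=tututu
--- error_code: 412
=== TEST 1.5.1: HEADER_VAR_X
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
MainRule id:4241 "str:ratata" "mz:$HEADERS_VAR_X:ruuu|$URL_X:^/fufu" "s:BLOCK";
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    # BasicRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- more_headers
ruuu: ratata1
--- request
GET /fufu?x=tututu
--- error_code: 412
=== TEST 1.5.2: HEADER_VAR_X
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
MainRule id:4241 "str:ratata" "mz:$HEADERS_VAR_X:ruuu|$URL_X:^/fufu" "s:BLOCK";
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    # BasicRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- more_headers
ruuu: ratata1
--- request
GET /fuf?x=tututu
--- error_code: 404
=== TEST 1.6.0: URL + URL wl
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
MainRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    BasicRule wl:4241 "mz:URL";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /ratata
--- error_code: 404
=== TEST 1.6.1: URL + URL wl
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
MainRule id:4241 "str:ratata" "mz:URL" "s:BLOCK";
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
set $naxsi_flag_post_acton 1;
location / {
    SecRulesEnabled;
    BasicRule wl:4241 "mz:BODY";
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$TEST >= 8" ALLOW;

    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
    # return 412;
}
--- request
GET /ratata
--- error_code: 412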