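#vi:filetype=perl
#
# naxsi unit tests for the libinjection-backed rule types (d:libinj_xss and
# d:libinj_sql) bound to named / regex-named argument match zones.
#
# Every block wires naxsi into a minimal nginx: a MainRule in http_config, a
# location with SecRulesEnabled + LearningMode, and a DeniedUrl location that
# answers 412. A 412 therefore means "naxsi blocked the request"; any other
# status means the request reached the static document root untouched.
#
# TODO: add a test case with a rule on a generic header.
#       The same for arguments.

use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

repeat_each(3);

# NOTE(review): repeat_each() is called again here with an argument (1) while
# the plan is computed; if the harness treats that call as a setter it
# overrides the 3 above. Kept byte-identical as the harness convention -
# confirm the intended repeat count.
plan tests => repeat_each(1) * blocks();
no_root_location();
no_long_string();
$ENV{TEST_NGINX_SERVROOT} = server_root();
run_tests();


__DATA__
=== TEST 1 : Enable libinjection s:DROP on named var
XSS payload carried by the exact argument named in $ARGS_VAR. LearningMode is
on, yet a block (412) is expected: this pins that the DROP action blocks even
while learning.
--- main_config
# NOTE(review): the module is loaded from /tmp, which is world-writable on a
# shared host; run this harness only on a trusted build box.
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_xss" "s:DROP" "mz:$ARGS_VAR:ruuu" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /?ruuu=a' onmouseover='alert(1) HTTP/1.0

"
--- error_code: 412
=== TEST 1.1 : Enable libinjection s:DROP on (bad) named var
The rule names the argument "ruuuu" while the request carries "ruuu".
Expected 200: $ARGS_VAR must match the parameter name exactly; a longer rule
name must not match the request parameter by prefix.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_xss" "s:DROP" "mz:$ARGS_VAR:ruuuu" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /?ruuu=a' onmouseover='alert(1) HTTP/1.0

"
--- error_code: 200
=== TEST 1.2 : Enable libinjection s:DROP on (bad) named var
The rule names the argument "ruu" while the request carries "ruuu".
Expected 200: a shorter rule name must not match as a prefix or substring of
the request parameter either.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_xss" "s:DROP" "mz:$ARGS_VAR:ruu" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /?ruuu=a' onmouseover='alert(1) HTTP/1.0

"
--- error_code: 200
=== TEST 2.1 : Enable libinjection s:$FOOBAR on named var
Regex-named zone ($ARGS_VAR_X) with an anchored pattern and a score action
instead of a direct DROP: the XSS hit adds 8 to $FOOBAR and the CheckRule
turns that score into a DROP (412), again despite LearningMode.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_xss" "s:$FOOBAR:8" "mz:$ARGS_VAR_X:^fuu[0-9]+$" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    CheckRule "$FOOBAR >= 8" DROP;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /?fuu4242424=a' onmouseover='alert(1) HTTP/1.0

"
--- error_code: 412

=== TEST 3.0 : Enable libinjection (sql) s:DROP on named var+url
SQLi payload via the regex-named argument; the match zone combines
$ARGS_VAR_X with $URL_X:^/foobar/$. Expected 412. Note that no negative case
(same payload on a URL other than /foobar/) exists in this file, so the URL
restriction itself is not verified here.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_sql" "s:$FOOBAR:8" "mz:$ARGS_VAR_X:^fuu[0-9]+$|$URL_X:^/foobar/$" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    CheckRule "$FOOBAR >= 8" DROP;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /foobar/?fuu4242424=1' OR '1'='1 HTTP/1.0

"
--- error_code: 412
=== TEST 3.1 : Enable libinjection (sql) s:DROP on named var+url (not a valid sqli)
Same rule set as TEST 3.0 (was a duplicate "TEST 3.0" name, renamed so
failures are unambiguous). The payload is an incomplete expression that
libinjection is not expected to flag as SQLi, so nothing is dropped. The
unblocked request falls through to location /, where /foobar/ presumably has
no file under the test root - hence 404 rather than 200.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "d:libinj_sql" "s:$FOOBAR:8" "mz:$ARGS_VAR_X:^fuu[0-9]+$|$URL_X:^/foobar/$" id:41231;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    CheckRule "$FOOBAR >= 8" DROP;
    DeniedUrl "/RequestDenied";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- raw_request eval
"GET /foobar/?fuu4242424=1' OR \"1\"= HTTP/1.0

"
--- error_code: 404

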