WAF规则模板中XSS注入检测规则使用“包含XSS注入”操作符替代以往的正则表达式

This commit is contained in:
刘祥超
2023-12-09 17:00:21 +08:00
parent ee2565905e
commit e03292de28
2 changed files with 49 additions and 46 deletions


@@ -36,6 +36,10 @@ func (this *PageAction) WillChange() bool {
// Perform the action // Perform the action
func (this *PageAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) { func (this *PageAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {
if writer == nil {
return
}
request.ProcessResponseHeaders(writer.Header(), this.Status) request.ProcessResponseHeaders(writer.Header(), this.Status)
writer.Header().Set("Content-Type", "text/html; charset=utf-8") writer.Header().Set("Content-Type", "text/html; charset=utf-8")
writer.WriteHeader(this.Status) writer.WriteHeader(this.Status)
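Review bot: The new nil-writer guard at the top of Perform exits through a bare `return`, so the named results come back as `continueRequest == false, goNextSet == false` with nothing in the code saying whether stopping the chain is the intended outcome when there is no writer, or just the zero value. Since every later line in the hunk (ProcessResponseHeaders, Header().Set, WriteHeader) needs `writer`, the guard is correct, but the result should be explicit and commented so a reader does not have to infer the contract: `if writer == nil { return false, false // no response to write the page into; presumably stop here — confirm with the caller of Perform }`. If the intent is instead to let the request pass when no page can be rendered, that deserves a comment even more. Perform's body continues past the end of this hunk, so the remaining return paths were not checked.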


@@ -28,15 +28,13 @@ func Test_Template(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
testTemplate1001(a, t, wafInstance) testTemplate1010(a, t, wafInstance)
testTemplate1002(a, t, wafInstance)
testTemplate1003(a, t, wafInstance)
testTemplate2001(a, t, wafInstance) testTemplate2001(a, t, wafInstance)
testTemplate3001(a, t, wafInstance) testTemplate3001(a, t, wafInstance)
testTemplate4001(a, t, wafInstance) testTemplate4001(a, t, wafInstance)
testTemplate5001(a, t, wafInstance) testTemplate5001(a, t, wafInstance)
testTemplate6001(a, t, wafInstance) testTemplate6001(a, t, wafInstance)
testTemplate7001(a, t, wafInstance) testTemplate7010(a, t, wafInstance)
testTemplate20001(a, t, wafInstance) testTemplate20001(a, t, wafInstance)
} }
@@ -86,49 +84,50 @@ func BenchmarkTemplate(b *testing.B) {
} }
} }
func testTemplate1001(a *assert.Assertion, t *testing.T, template *waf.WAF) { func testTemplate1010(a *assert.Assertion, t *testing.T, template *waf.WAF) {
req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=onmousedown%3D123", nil) for _, id := range []string{
if err != nil { "<script",
t.Fatal(err) "<script src=\"123.js\">",
"<script>alert(123)</script>",
"<link",
"<link>",
"1 onfocus='alert(document.cookie)'",
} {
req, err := http.NewRequest(http.MethodGet, "https://example.com/index.php?id="+id, nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set("User-Agent", testUserAgent)
_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
if err != nil {
t.Fatal(err)
}
a.IsNotNil(result)
if result != nil {
a.IsTrue(result.Code == "1010")
} else {
t.Log("break at:", id)
}
} }
req.Header.Set("User-Agent", testUserAgent)
_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
if err != nil {
t.Fatal(err)
}
a.IsNotNil(result)
if result != nil {
a.IsTrue(result.Code == "1001")
}
}
func testTemplate1002(a *assert.Assertion, t *testing.T, template *waf.WAF) { for _, id := range []string{
req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=eval%28", nil) "123",
if err != nil { "abc",
t.Fatal(err) "<html></html>",
} } {
_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone) req, err := http.NewRequest(http.MethodGet, "https://example.com/index.php?id="+url.QueryEscape(id), nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
a.IsNotNil(result) req.Header.Set("User-Agent", testUserAgent)
if result != nil { _, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
a.IsTrue(result.Code == "1002") if err != nil {
} t.Fatal(err)
} }
a.IsNil(result)
func testTemplate1003(a *assert.Assertion, t *testing.T, template *waf.WAF) { if result != nil {
req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=<script src=\"123.js\">", nil) a.IsTrue(result.Code == "1010")
if err != nil { }
t.Fatal(err)
}
_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
if err != nil {
t.Fatal(err)
}
a.IsNotNil(result)
if result != nil {
a.IsTrue(result.Code == "1003")
} }
} }
@@ -290,7 +289,7 @@ func testTemplate6001(a *assert.Assertion, t *testing.T, template *waf.WAF) {
} }
} }
func testTemplate7001(a *assert.Assertion, t *testing.T, template *waf.WAF) { func testTemplate7010(a *assert.Assertion, t *testing.T, template *waf.WAF) {
for _, id := range []string{ for _, id := range []string{
" union all select id from credits", " union all select id from credits",
"' or 1=1", "' or 1=1",