kys13

2026-06-02 23:20:25 +01:00
parent e9616a8c7c
commit 0f3e2044a0
7 changed files with 50 additions and 45 deletions
--- a/conf/modsecurity.conf
+++ b/conf/modsecurity.conf
@@ -9,23 +9,24 @@ SecAuditLog /var/log/modsecurity/audit.log

 # sql injection
 SecRule REQUEST_URI|ARGS "['\";]|--" \
-    "id:950001,phase:1,deny,status:403,msg:'SQL Injection Attack Detected',log"
+SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
+    "id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"

 # xss / html injection
 SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
-    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML Injection Detected',log"
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"

 # command injection
 SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
-    "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
+    "id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"

 # path traversal
 SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
-    "id:950007,phase:2,deny,status:403,msg:'Path traversal attempt',log"
+    "id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"

 # exposed stuff (redundante ?)
 SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
-    "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
+    "id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"

 # rate limiting on login endpoint
 # (max 5 requests per 30s per IP)
--- a/relatorio/relatorio.aux
+++ b/relatorio/relatorio.aux
@@ -41,7 +41,7 @@
 \@writefile{toc}{\contentsline {section}{\numberline {4}Web Application Security Firewall}{11}{section.4}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{13}{subsection.4.3}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}\protected@file@percent }
--- a/relatorio/relatorio.listing
+++ b/relatorio/relatorio.listing
@@ -1,6 +1,6 @@
 SecRuleEngine On
 SecRequestBodyAccess On
-SecResponseBodyAccess Off
+SecResponseBodyAccess On
 SecDebugLog /var/log/modsecurity/debug.log
 SecDebugLogLevel 0
 SecAuditLogParts ABIJ
@@ -8,26 +8,28 @@ SecAuditLogType Serial
 SecAuditLog /var/log/modsecurity/audit.log

 # sql injection
-SecRule ARGS "['\";]|--" \
-    "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
+SecRule REQUEST_URI|ARGS "['\";]|--" \
+SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
+    "id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"

 # xss / html injection
-SecRule ARGS "<.*>" \
-    "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
+SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"

 # command injection
 SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
-    "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
+    "id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"

 # path traversal
-SecRule ARGS "\%00|\%2500|(\./|\.\./)|ftp|metrics|api-docs" \
-    "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
+SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
+    "id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"

-# exposed stuff
-SecRule REQUEST_URI "\%00|\%2500|ftp|metrics|api-docs" \
-    "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
+# exposed stuff (redundante ?)
+SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
+    "id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"

-# rate limiting on login endpoint (max 5 requests per 30s per IP)
+# rate limiting on login endpoint
+# (max 5 requests per 30s per IP)
 SecAction \
    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
 SecRule REQUEST_URI "@streq /rest/user/login" \
--- a/relatorio/relatorio.log
+++ b/relatorio/relatorio.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  31 MAY 2026 22:42
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  2 JUN 2026 23:18
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@@ -1277,21 +1277,21 @@ LaTeX Warning: `!h' float specifier changed to `!ht'.
 \openout6 = `relatorio.listing'.

 (./relatorio.listing) [11 <./imgs/stack-trace.png>]
-Overfull \hbox (2.16914pt too wide) in paragraph at lines 444--447
+Overfull \hbox (2.16914pt too wide) in paragraph at lines 446--449
 \T1/Raleway-OsF/m/n/10.95 com tags HTML nos cam-pos de \T1/Raleway-OsF/m/it/10.
 95 in-put\T1/Raleway-OsF/m/n/10.95 , como \T1/cmtt/m/n/10.95 <h1>STRONG\T1/Rale
 way-OsF/m/n/10.95 , de-vol-vendo um erro \T1/cmtt/m/n/10.95 403 Forbidden
 []

-
-Overfull \hbox (51.12938pt too wide) in paragraph at lines 448--454
+[12]
+Overfull \hbox (51.12938pt too wide) in paragraph at lines 450--456
 \T1/Raleway-OsF/m/n/10.95 corpo JSON do re-gisto) \T1/Raleway-OsF/b/n/10.95 é m
 i-ti-gada pela re-gra id:950006\T1/Raleway-OsF/m/n/10.95 , que de-teta a se-quê
 n-cia \T1/cmtt/m/n/10.95 "role".*:.*"admin"
 []

-[12] [13]
-Overfull \hbox (111.73438pt too wide) in paragraph at lines 507--511
+[13]
+Overfull \hbox (111.73438pt too wide) in paragraph at lines 509--513
 \T1/Raleway-OsF/m/n/10.95 O pay-load de ex-fil-tra-ção do to-ken JWT via XSS (\
 T1/cmtt/m/n/10.95 <img src="x"onerror="alert(localStorage.getItem('token'))^^T\
 T1/Raleway-OsF/m/n/10.95 )
@@ -1306,10 +1306,10 @@ Package rerunfilecheck Info: File `relatorio.out' has not changed.
 (rerunfilecheck)             Checksum: 71F23F30E8D22A202B518A954FE83332;4897.
 ) 
 Here is how much of TeX's memory you used:
- 31810 strings out of 469495
- 627873 string characters out of 5470099
- 1238894 words of memory out of 5000000
- 59760 multiletter control sequences out of 15000+600000
+ 31813 strings out of 469495
+ 627922 string characters out of 5470099
+ 1260894 words of memory out of 5000000
+ 59761 multiletter control sequences out of 15000+600000
 791342 words of font info for 89 fonts, out of 8000000 for 9000
 16 hyphenation exceptions out of 8191
 113i,8n,122p,697b,1727s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -1318,10 +1318,10 @@ hare/texmf-dist/fonts/type1/impallari/raleway/Raleway-Italic.pfb></usr/share/te
 xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
 st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
 public/cm-super/sftt1095.pfb>
-Output written on relatorio.pdf (14 pages, 882504 bytes).
+Output written on relatorio.pdf (14 pages, 883965 bytes).
 PDF statistics:
- 425 PDF objects out of 1000 (max. 8388607)
- 361 compressed objects within 4 object streams
- 147 named destinations out of 1000 (max. 500000)
+ 427 PDF objects out of 1000 (max. 8388607)
+ 363 compressed objects within 4 object streams
+ 149 named destinations out of 1000 (max. 500000)
 413 words of extra memory for PDF output out of 10000 (max. 10000000)

--- a/relatorio/relatorio.pdf
+++ b/relatorio/relatorio.pdf
--- a/relatorio/relatorio.tex
+++ b/relatorio/relatorio.tex
@@ -389,7 +389,7 @@ acesso de forma persistente.
 \begin{codeblock}{modsecurity.conf}
 SecRuleEngine On
 SecRequestBodyAccess On
-SecResponseBodyAccess Off
+SecResponseBodyAccess On
 SecDebugLog /var/log/modsecurity/debug.log
 SecDebugLogLevel 0
 SecAuditLogParts ABIJ
@@ -397,26 +397,28 @@ SecAuditLogType Serial
 SecAuditLog /var/log/modsecurity/audit.log

 # sql injection
-SecRule ARGS "['\";]|--" \
-    "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
+SecRule REQUEST_URI|ARGS "['\";]|--" \
+SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
+    "id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"

 # xss / html injection
-SecRule ARGS "<.*>" \
-    "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
+SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"

 # command injection
 SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
-    "id:950006,phase:2,deny,status:403,msg:'Command Injection Detected',log"
+    "id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"

 # path traversal
-SecRule ARGS "\%00|\%2500|(\./|\.\./)|ftp|metrics|api-docs" \
-    "id:950007,phase:2,deny,status:403,msg:'Path Traversal Attempt',log"
+SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
+    "id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"

-# exposed stuff
-SecRule REQUEST_URI "\%00|\%2500|ftp|metrics|api-docs" \
-    "id:950008,phase:2,deny,status:500,msg:'Attempt to access ftp, metrics, api-docs',log"
+# exposed stuff (redundante ?)
+SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
+    "id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"

-# rate limiting on login endpoint (max 5 requests per 30s per IP)
+# rate limiting on login endpoint
+# (max 5 requests per 30s per IP)
 SecAction \
    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
 SecRule REQUEST_URI "@streq /rest/user/login" \
--- a/relatorio/relatorio.toc
+++ b/relatorio/relatorio.toc
@@ -18,7 +18,7 @@
 \contentsline {section}{\numberline {4}Web Application Security Firewall}{11}{section.4}%
 \contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}%
 \contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}%
-\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{12}{subsection.4.3}%
+\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{13}{subsection.4.3}%
 \contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}%
 \contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}%
 \contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}%