wip avec résolution de conflits

containers/conf/angie/naxsi_rules/blocking/20000000_web_security.rules

@@ -0,0 +1,172 @@
+#######################################
+## Webserver Security ids: 20000000  ##
+#######################################
+
+# webserver critical files
+MainRule id:20000000 "s:$UWA:8" "str:.conf" "mz:URL" "msg:file access to .conf";
+MainRule id:20000001 "s:$UWA:8" "str:.ini" "mz:URL" "msg:file access to .ini";
+MainRule id:20000002 "s:$UWA:8" "str:.sql" "mz:URL" "msg:file access to .sql";
+MainRule id:20000003 "s:$UWA:8" "rx:\.txt$" "mz:URL" "msg:file access to .txt";
+MainRule id:20000004 "s:$UWA:8" "str:/sftp-config.json" "mz:URL|BODY" "msg:file access to sftp-config.json";
+MainRule id:20000005 "s:$UWA:8" "str:/.bzr" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000006 "s:$UWA:8" "str:/.git" "mz:URL" "msg:git version control folder access";
+MainRule id:20000007 "s:$UWA:8" "str:/.hg" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000008 "s:$UWA:8" "str:/.svn" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000009 "s:$UWA:8" "str:/bzr/" "mz:URL" "msg:bazaar version control folder access";
+MainRule id:20000010 "s:$UWA:8" "str:/git/" "mz:URL" "msg:git version control folder access";
+MainRule id:20000011 "s:$UWA:8" "str:/hg/" "mz:URL" "msg:mercurial version control folder access";
+MainRule id:20000012 "s:$UWA:8" "str:/svn/" "mz:URL" "msg:svn version control folder access";
+MainRule id:20000013 "s:$UWA:8" "str:.htpasswd" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htpasswd";
+MainRule id:20000014 "s:$UWA:8" "str:.htaccess" "mz:ARGS|BODY|URL|FILE_EXT" "msg:file access to .htaccess";
+MainRule id:20000015 "s:$UWA:8" "str:.ds_store" "mz:URL" "msg:file access to .ds_store";
+MainRule id:20000016 "s:$UWA:8" "str:changelog" "mz:URL" "msg:file access to changelog";
+MainRule id:20000017 "s:$UWA:8" "rx:^/core.\d+$" "mz:URL" "msg:file access to core dumps";
+MainRule id:20000018 "s:$UWA:8" "rx:\.module$" "mz:URL" "msg:file access to .module (drupal)";
+MainRule id:20000019 "s:$UWA:8" "str:web.config" "mz:URL" "msg:file access to web.config (drupal)";
+MainRule id:20000020 "s:$UWA:8" "rx:release[-_]notes\." "mz:URL" "msg:file access to release notes";
+MainRule id:20000021 "s:$UWA:8" "rx:~$" "mz:URL" "msg:file access to cache files";
+MainRule id:20000022 "s:$UWA:8" "str:web-inf" "mz:URL|BODY|ARGS" "msg:folder access to WEB-INF";
+
+# Exposed Services
+MainRule id:20000023 "s:$UWA:8" "str:/cgi-bin/luci" "mz:URL" "msg:Exposed OpenWRT";
+MainRule id:20000024 "s:$UWA:8" "rx:^/cgi-bin/.+\.cgi$" "mz:URL" "msg:Exposed cgi-bin";
+MainRule id:20000025 "s:$UWA:8" "str:/jenkins" "mz:URL" "msg:Exposed Jenkins";
+MainRule id:20000026 "s:$UWA:8" "str:/console/login/LoginForm.jsp" "mz:URL" "msg:Exposed Oracle WebLogic Server Administration Console";
+MainRule id:20000027 "s:$UWA:8" "str:/nuxeo/login.jsp" "mz:URL" "msg:Exposed Nuxeo Enterprise Platform";
+MainRule id:20000028 "s:$UWA:8" "str:/zabbix/index.php" "mz:URL" "msg:Exposed Zabbix";
+
+# Known hacking tools like burp suite, etc..
+MainRule id:20000029 "s:$UWA:8" "str:burpcollaborator.net" "mz:ARGS|BODY|HEADERS" "msg:burp collaborator";
+MainRule id:20000030 "s:$UWA:8" "str:/netsparker" "mz:URL" "msg:Netsparker";
+
+# Malicious strings in request
+MainRule id:20000031 "s:$UWA:8" "str:\n\r" "mz:URL" "msg:HTTP - Smuggling-Attempt (NewLine in URI)";
+MainRule id:20000032 "s:$UWA:6" "rx:^[a-zA-Z\d-]+\.[a-zA-Z]+$" "mz:$HEADERS_VAR:Host" "msg:HOST-Header Injection";
+MainRule id:20000033 "s:$UWA:8" "str:/bin/sh" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/bin/sh in URI";
+MainRule id:20000034 "s:$UWA:8" "str:/etc/passwd" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/passwd in URI";
+MainRule id:20000035 "s:$UWA:8" "str:/etc/shadow" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/shadow in URI";
+MainRule id:20000036 "s:$UWA:8" "str:/etc/hosts" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/etc/hosts in URI";
+MainRule id:20000037 "s:$UWA:8" "str:/Windows/system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/system.ini in URI";
+MainRule id:20000038 "s:$UWA:8" "rx:<!DOCTYPE(\s+)(%*\s*)([{}:.a-zA-Z0-9_-]*)(\s+)SYSTEM" "mz:BODY" "msg: possible XML/XXE-Exploitation atempt (Doctype)";
+MainRule id:20000039 "s:$UWA:8" "str:http://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000040 "s:$UWA:8" "str:https://http://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000041 "s:$UWA:8" "str:http://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+MainRule id:20000042 "s:$UWA:8" "str:https://https://" "mz:HEADERS" "msg:Abnormal double http:// in HTTP header";
+
+# ThinkPHP Remote Code Execution CVE-2018-20062
+MainRule id:20000043 "s:$UWA:8" "str:index/\think\app/invokefunction" "mz:URL" "msg:CVE-2018-20062";
+
+# AWS related files
+MainRule id:20000044 "s:$UWA:8" "str:/.aws/" "mz:URL" "msg:AWS Credential Stealer";
+
+# dot folders and files
+MainRule id:20000045 "s:$UWA:8" "rx:/\.[^.]" "mz:URL" "msg:Access to dot folder or file";
+
+# Exposed Microsoft Exchange
+MainRule id:20000046 "s:$UWA:8" "str:autodiscover/autodiscover.json" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000047 "s:$UWA:8" "str:autodiscover/autodiscover.xml" "mz:URL" "msg:Exposed Microsoft Exchange";
+MainRule id:20000048 "s:$UWA:8" "str:/auth.owa" "mz:URL" "msg:Exposed Microsoft Exchange";
+
+# Ignition 2.5.1 Remote Code Execution CVE-2021-3129
+MainRule id:20000049 "s:$UWA:8" "str:/_ignition/execute-solution" "mz:URL" "msg:CVE-2021-3129";
+
+# CVE-2018-13379 path traversal vulnerability in Fortinet's FortiGate SSL VPN
+# https://x.x.x.x/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
+MainRule id:20000050 "s:$UWA:8" "str:/sslvpn_websession" "mz:ARGS|BODY|HEADERS" "msg:CVE-2018-13379";
+
+# Exposed Apache Tomcat Administration Panel
+MainRule id:20000051 "s:$UWA:8" "str:/manager/html" "mz:URL" "msg:Exposed Apache Tomcat Administration Panel";
+
+# Block NMAP enumeration
+MainRule id:20000052 "s:$UWA:8" "str:/HNAP1" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000053 "s:$UWA:8" "rx:/default\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000054 "s:$UWA:8" "rx:/start\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000055 "s:$UWA:8" "rx:/localstart\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000056 "s:$UWA:8" "rx:/admin\.(asp|aspx|cfm|cgi|jsa|jsp|php|pl)$" "mz:URL" "msg:NMAP enumeration attempt";
+MainRule id:20000057 "s:$UWA:8" "str:/nmaplowercheck" "mz:URL" "msg:NMAP enumeration attempt";
+
+# Siemens PLC scan
+MainRule id:20000058 "s:$UWA:8" "str:/__Additional" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000059 "s:$UWA:8" "str:/docs/cplugError.html/" "mz:URL" "msg:Siemens PLC scan";
+MainRule id:20000060 "s:$UWA:8" "str:/Portal/Portal.mwsl" "mz:URL" "msg:Siemens PLC scan";
+
+# Block Citrix XenApp
+MainRule id:20000061 "s:$UWA:8" "str:/scripts/wpnbr.dll" "mz:URL" "msg:Citrix XenApp";
+
+# Block jenkins authentication bypass CVE-2018-1000861
+MainRule id:20000062 "s:$UWA:8" "str:/securityRealm/user/admin/search/index" "mz:URL" "msg:CVE-2018-1000861";
+
+# Block jenkins RCE CVE-2019-1003029, CVE-2019-1003030
+MainRule id:20000063 "s:$UWA:8" "str:/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/" "mz:URL" "msg:CVE-2019-1003029, CVE-2019-1003030";
+
+# Log4J bypass
+MainRule id:20000064 "s:$UWA:8" "str:${env:NaN:-" "mz:URL|ARGS|BODY|HEADERS" "msg:Attempted Log4J Bypass";
+
+# Windows system paths
+MainRule id:20000065 "s:$UWA:8" "str:\Windows\system.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\system.ini in URI";
+MainRule id:20000066 "s:$UWA:8" "str:/Windows/win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:/Windows/win.ini in URI";
+MainRule id:20000067 "s:$UWA:8" "str:\Windows\win.ini" "mz:URL|BODY|ARGS|$HEADERS_VAR:User-Agent|$HEADERS_VAR:Cookie" "msg:\Windows\win.ini in URI";
+
+# Exposed Apache Host Manager App
+MainRule id:20000068 "s:$UWA:8" "str:/manager/text/list" "mz:URL" "msg:Exposed Apache Host Manager App";
+
+# Spring Cloud Gateway Code Injection Vulnerability
+MainRule id:20000069 "s:$UWA:8" "str:/actuator/gateway/routes" "mz:URL" "msg:CVE-2022-22947";
+
+# Block Spring4Shell
+MainRule id:20000070 "s:$UWA:8" "str:class.module.classLoader.resources." "mz:RAW_BODY" "msg:CVE-2022-22965";
+MainRule id:20000071 "s:$UWA:8" "rx:<%|%>" "mz:HEADERS" "msg:CVE-2022-22965";
+
+# Block Microsoft Exchange Server Remote Code Execution
+MainRule id:20000072 "s:$UWA:8" "str:/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" "mz:URL" "msg:CVE-2021-28481";
+
+# Prevents IndoXploit/IDX Shell dump access
+# A website that has been infected will have a world-browsable folder called `idx_config`
+# which contains text versions of the configuration file of every CMS installation the shell
+# is able to find (impacts WordPress, Joomla and Magento).
+MainRule id:20000073 "s:$UWA:8" "str:/idx_config" "mz:URL" "msg:Prevent IndoXploit/IDX Shell dump access";
+
+# Prevents old grafana to return all folders
+# https://github.com/grafana/grafana/pull/44175
+MainRule id:20000074 "s:$UWA:8" "rx:^0$" "mz:$URL:/api/search|$ARGS_VAR:folderIds" "msg:Access all grafana folders";
+
+# Block access to yaml files
+MainRule id:20000075 "s:$UWA:8" "str:.yml" "mz:URL" "msg:file access to .yml";
+MainRule id:20000076 "s:$UWA:8" "str:.yaml" "mz:URL" "msg:file access to .yaml";
+
+# Block access to HashiCorp Consul/Vault template files
+MainRule id:20000077 "s:$UWA:8" "rx:\.ctmpl$" "mz:URL" "msg:file access to .ctmpl";
+MainRule id:20000078 "s:$UWA:8" "rx:\.hcl$" "mz:URL" "msg:file access to .hcl";
+
+# Block access to known files used for fingerprinting
+MainRule id:20000079 "s:$UWA:8" "rx:\.md$" "mz:URL" "msg:file access to .md";
+MainRule id:20000080 "s:$UWA:8" "rx:read[-_]?me" "mz:URL" "msg:file access to readme";
+MainRule id:20000081 "s:$UWA:8" "rx:\.toml$" "mz:URL" "msg:file access to .toml";
+
+# AWS related files
+MainRule id:20000082 "s:$UWA:8" "str:dockerrun.aws.json" "mz:URL" "msg:Exposed AWS Elastic Beanstalk configuration";
+
+# Block access to temporary backup files like .bak,.bak.php, etc...
+MainRule id:20000083 "s:$UWA:8" "str:.bak" "mz:URL" "msg:file access to temporary backup files";
+
+# Path traversal in nuxt/framework when in dev mode
+# https://huntr.dev/bounties/4849af83-450c-435e-bc0b-71705f5be440/
+MainRule id:20000084 "s:$UWA:8" "str:_nuxt/@" "mz:URL" "msg:path traversal in nuxt framework";
+
+# AWS NodeJS related files
+MainRule id:20000085 "s:$UWA:8" "str:awsconfig" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000086 "s:$UWA:8" "str:aws-config" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000087 "s:$UWA:8" "str:awscred" "mz:URL" "msg:Exposed AWS config files";
+MainRule id:20000088 "s:$UWA:8" "str:aws-cred" "mz:URL" "msg:Exposed AWS config files";
+
+# Text editors temp and config files
+MainRule id:20000089 "s:$UWA:8" "str:.old" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000090 "s:$UWA:8" "str:.save" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000091 "s:$UWA:8" "str:.DS_Store" "mz:URL" "msg:Exposed temp copy";
+MainRule id:20000092 "s:$UWA:8" "str:vscode" "mz:URL" "msg:Exposed vscode directory";
+
+# Exposed .env
+MainRule id:20000093 "s:$UWA:8" "str:/.env" "mz:URL" "msg:access to .env file or dir";
+
+# androxgh0st exploit
+MainRule id:20000094 "s:$UWA:8" "str:androxgh0st" "mz:ANY" "msg:androxgh0st exploit";