
Comments (5)

jptosso avatar jptosso commented on June 11, 2024

Can you share your settings? I've sent this payload to our playground and it is detected by Coraza and CRS.

from coraza-spoa.

davidfcunningham avatar davidfcunningham commented on June 11, 2024

haproxy.conf:

    global
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

    defaults
        mode http
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    mailers mymailers
        mailer smtp1 noreply-com.mail.protection.outlook.com:25

    http-errors myerrors
        errorfile 403 /usr/local/haproxy/etc/errors/403.http

    frontend http-frontend
        bind x.x.x.x:80
        redirect scheme https if !{ ssl_fc }

    frontend https_frontend
        bind x.x.x.x:443 ssl crt /nfs/noreply.crt
        mode http
        option httpclose
        default_backend web_server

    backend web_server
        mode http
        balance roundrobin
        cookie SERVERID insert indirect nocache
        option forwardfor
        server s1 127.0.0.1:80

    frontend http_frontend
        bind 127.0.0.1:80
        mode http
        unique-id-format %[uuid()]
        unique-id-header X-Unique-ID
        errorfiles myerrors
        http-response return status 403 default-errorfiles if { status 403 }

        log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.fail)]"

        filter spoe engine coraza config /usr/local/haproxy/etc/coraza.cfg

        # Deny for Coraza WAF hits
        http-request deny if { var(txn.coraza.action) -m str deny }
        http-response deny if { var(txn.coraza.action) -m str deny }

        use_backend https_web_server

    backend https_web_server
        mode http
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server s1 x.x.x.x:443 ssl verify none check cookie s1
        server s2 x.x.x.x:443 ssl verify none check cookie s2
        server s3 x.x.x.x:443 ssl verify none check cookie s3

    backend coraza-spoa
        mode tcp
        email-alert mailers mymailers
        email-alert from [email protected]
        email-alert to [email protected]
        server s1 x.x.x.x:9000 check

coraza.cfg

    # https://github.com/haproxy/haproxy/blob/master/doc/SPOE.txt

    [coraza]
    spoe-agent coraza-agent
        messages coraza-req coraza-res
        option var-prefix coraza
        option set-on-error error
        timeout hello 100ms
        timeout idle 2m
        timeout processing 500ms
        use-backend coraza-spoa
        log global

    spoe-message coraza-req
        args app=str(sample_app) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
        event on-frontend-http-request

    spoe-message coraza-res
        args app=str(sample_app) id=unique-id version=res.ver status=status headers=res.hdrs body=res.body
        event on-http-response


On the coraza server....

config.yaml

    # The SPOA server bind address
    bind: 0.0.0.0:9000

    # Process request and response with this application if provided app name is not found.
    # You can remove or comment out this config param if you don't need "default_application" functionality.
    default_application: sample_app

    applications:
      sample_app:
        # Get the coraza.conf from https://github.com/corazawaf/coraza
        #
        # Download the OWASP CRS from https://github.com/coreruleset/coreruleset/releases
        # and copy crs-setup.conf & the rules, plugins directories to /etc/coraza-spoa
        rules:
          - Include /etc/coraza-spoa/coraza.conf
          - Include /etc/coraza-spoa/crs-setup.conf
          - Include /etc/coraza-spoa/rules/*.conf

        # The transaction cache lifetime in milliseconds (60000ms = 60s)
        transaction_ttl_ms: 60000
        # The maximum number of transactions which can be cached
        transaction_active_limit: 100000

        # The log level configuration, one of: debug/info/warn/error/panic/fatal
        log_level: info
        # The log file path
        log_file: /var/log/corazo.log

coraza.conf is empty, crs-setup.conf is the default, and rules/*.conf is the coreruleset.


albertogrimana avatar albertogrimana commented on June 11, 2024

Hi

I tested this with my Coraza haproxy and it detects it without any problem...
(I redacted IP data)

    {"level":"error","ts":1693058026.2358866,"msg":"[client "xxxxxxxxxxxx"] Coraza: Access denied (phase 2). SQL Injection Attack Detected via libinjection [file "/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "7359"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s;EnE found within ARGS:bfirstname: Dave '; update subscribers set username='joe' where username='joe';--"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxxxx"] [uri "/apps/files/?dir=/&fileid=7&fullname=&bfirstname=Dave+%27%3B+update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B--"] [unique_id "WDdWKQltDBvdNBGelwL"]\n"}

And I have a deny in the haproxy logs

    2023-08-26T13:59:24+00:00 xxxx haproxy[29]: xxxxxxx [26/Aug/2023:13:59:24.490] http-in~ http-in/ 18/1/-1/-1/-1/-1/-1/52 -1 0 - - PR-- 2/1/0/0/0 0/0 "GET https://xxxxxxxxxxx/?dir=/&fileid=7&fullname=&bfirstname=Dave+%27%3B+update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B-- HTTP/2.0" - spoa-error: - waf-action: deny waf-data: -

I tried with https://myurl/blabla&fullname=&bfirstname=Dave+%27%3B+update+subscribers+set+username%3D%27joe%27+where+username%3D%27joe%27%3B--

My haproxy config

    # Coraza
    filter spoe engine coraza config /usr/local/etc/haproxy/spoe-coraza.conf

    # Deny for Coraza WAF hits
    http-request silent-drop if { var(txn.coraza.action) -m str deny }

    backend coraza-spoa
        mode tcp
        server s1 127.0.0.1:9000

spoe-coraza.conf

    [coraza]
    spoe-agent coraza-agent
        messages    coraza-req
        option      var-prefix      coraza
        option      set-on-error    error
        timeout     hello           2s
        timeout     idle            2m
        timeout     processing      15s
        use-backend coraza-spoa
        log         global

    spoe-message coraza-req
        args app=fe_name id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
        event on-frontend-http-request

I don't use http-response because, at least for me, it has errors with the cache memory and doesn't work.

Maybe your problem is that you have coraza.conf empty; that is the modsecurity.conf of the ModSec project.
Edit: You can download it from this URL: https://github.com/corazawaf/coraza/blob/main/coraza.conf-recommended

Regards and sorry for my English.....

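The two log lines quoted in the reply above are exactly what a detection pipeline ingests from this setup: the coraza-spoa JSON line, whose `msg` carries the ModSecurity-style `[key "value"]` audit fields, and the HAProxy access line whose custom log-format tail appends the `txn.coraza.*` variables. As an added example (not code from the thread or from coraza-spoa), here is a Python parser for both. The sample lines are constructed to match the shape of the posted ones, with the inner quotes JSON-escaped as the logger emits them; client, hostname, uri and unique_id values are made up.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample shaped like the coraza-spoa JSON error line quoted in the
# thread; client, hostname, uri and unique_id values are made up.
CORAZA_LINE = (
    r'{"level":"error","ts":1693058026.2358866,"msg":"[client \"203.0.113.10\"] '
    r'Coraza: Access denied (phase 2). SQL Injection Attack Detected via libinjection '
    r'[file \"/etc/coraza-spoa/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] '
    r'[line \"7359\"] [id \"942100\"] [rev \"\"] '
    r'[msg \"SQL Injection Attack Detected via libinjection\"] '
    r"[data \"Matched Data: s;EnE found within ARGS:bfirstname: Dave '; update subscribers set username='joe' where username='joe';--\"] "
    r'[severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [tag \"application-multi\"] '
    r'[tag \"attack-sqli\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] '
    r'[hostname \"www.example.test\"] [uri \"/apps/files/?dir=/&bfirstname=Dave+%27%3B+update+subscribers\"] '
    r'[unique_id \"WDdWKQltDBvdNBGelwL\"]\n"}'
)

# Constructed HAProxy access line ending in the custom log-format tail used in
# the thread (spoa-error / waf-action / waf-data); addresses and host are made up.
HAPROXY_LINE = (
    '2023-08-26T13:59:24+00:00 lb1 haproxy[29]: 203.0.113.10:51234 '
    '[26/Aug/2023:13:59:24.490] http-in~ http-in/<NOSRV> 18/1/-1/-1/-1/-1/-1/52 -1 0 - - PR-- '
    '2/1/0/0/0 0/0 "GET https://www.example.test/?bfirstname=Dave+%27%3B HTTP/2.0" - '
    'spoa-error: - waf-action: deny waf-data: -'
)

# ModSecurity-style audit fields: [key "value"]; a value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PHASE_RE = re.compile(r"\(phase (\d+)\)")
# Accepts both "waf-hit:" (first poster's log-format) and "waf-action:" (second poster's).
TAIL_RE = re.compile(
    r"spoa-error:\s*(\S+)(?:\s+waf-(?:hit|action):\s*(\S+))?(?:\s+waf-data:\s*(\S+))?"
)


def parse_coraza_log_line(line: str) -> Dict[str, Any]:
    """Decode one coraza-spoa JSON log line and pull the rule match out of msg."""
    record = json.loads(line)
    msg = record["msg"]
    fields: Dict[str, str] = {}
    tags = []
    for key, value in FIELD_RE.findall(msg):
        if key == "tag":
            tags.append(value)  # tag repeats, keep every occurrence
        else:
            fields[key] = value
    phase = PHASE_RE.search(msg)
    return {
        "ts": record["ts"],
        "level": record["level"],
        "client": fields.get("client"),
        "rule_id": fields.get("id"),
        "rule_file": fields.get("file"),
        "msg": fields.get("msg"),
        "severity": fields.get("severity"),
        "phase": int(phase.group(1)) if phase else None,
        "matched_data": fields.get("data"),
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
        "tags": tags,
        "denied": "Access denied" in msg,  # DetectionOnly mode logs a warning instead
    }


def parse_haproxy_waf_tail(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract the spoa-error / waf-* variables appended by the custom log-format.
    An unset variable shows up as '-' in the posted line; it is mapped to None."""
    m = TAIL_RE.search(line)
    if not m:
        return None

    def norm(v: Optional[str]) -> Optional[str]:
        return None if v in (None, "-") else v

    return {
        "spoa_error": norm(m.group(1)),
        "waf_action": norm(m.group(2)),
        "waf_data": norm(m.group(3)),
    }


if __name__ == "__main__":
    hit = parse_coraza_log_line(CORAZA_LINE)
    print(f"rule {hit['rule_id']} phase {hit['phase']} {hit['severity']} denied={hit['denied']} id={hit['unique_id']}")
    print(parse_haproxy_waf_tail(HAPROXY_LINE))
```

The `unique_id` field is the key for joining a Coraza line with the matching HAProxy line, which only works when the frontend sets `unique-id-format` as the first poster's config does; a `waf_action` of `deny` with no corresponding Coraza line, or a non-empty `spoa_error`, is the condition worth alerting on, since it means the agent failed or timed out rather than made a decision.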

davidfcunningham avatar davidfcunningham commented on June 11, 2024

Hello,

I agree this is detected when attempted in the URL itself. It's when it's in the payload that it seems to be missed. I have gzip disabled, so it's not compressing it. And you can see in my tcpflow what coraza is seeing / haproxy is sending.


davidfcunningham avatar davidfcunningham commented on June 11, 2024

I see what you are saying about the coraza.cfg file... and the body setting in there. Thank you. I will try that.

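The thread ends on the body setting of the SPOE message. The check a practitioner wants when a string in the request body is missed while the same string in the URL is caught: HAProxy only fills the `req.body` sample for a message sent on `on-frontend-http-request` if the frontend (or its `defaults`) has `option http-buffer-request`; without it the agent receives an empty body and CRS has nothing to inspect on that side. The following lint is an added example, not part of coraza-spoa or of the thread; the embedded haproxy.cfg and SPOE file are constructed samples in the shape of the ones posted above, with made-up names, paths and addresses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs shaped like the haproxy.cfg and SPOE agent file
# posted in the thread (names, paths and addresses are assumptions, not the
# project's own configuration). http_frontend carries the SPOE filter but no
# "option http-buffer-request", so req.body reaches the agent empty.
HAPROXY_CFG = """
defaults
    mode http

frontend http_frontend
    bind 127.0.0.1:80
    filter spoe engine coraza config /usr/local/haproxy/etc/coraza.cfg
    http-request deny if { var(txn.coraza.action) -m str deny }
    use_backend https_web_server

frontend https_frontend
    bind 192.0.2.10:443 ssl crt /path/to/cert.pem
    option http-buffer-request
    filter spoe engine coraza config /usr/local/haproxy/etc/coraza.cfg
    default_backend web_server

backend coraza-spoa
    mode tcp
    server s1 127.0.0.1:9000 check
"""

SPOE_CFG = """
[coraza]
spoe-agent coraza-agent
    messages coraza-req
    option var-prefix coraza
    use-backend coraza-spoa

spoe-message coraza-req
    args app=str(sample_app) id=unique-id method=method path=path query=query headers=req.hdrs body=req.body
    event on-frontend-http-request
"""

BUFFER_RE = re.compile(r"option\s+http-buffer-request\b")
SECTION_RE = re.compile(r"(global|defaults|frontend|listen|backend)\b\s*(\S*)")


def spoe_messages_using_body(spoe_text: str) -> List[str]:
    """Names of spoe-message blocks whose args reference the req.body sample."""
    found, current = [], None
    for raw in spoe_text.splitlines():
        line = raw.strip()
        m = re.match(r"spoe-message\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith("args") and re.search(r"\breq\.body\b", line):
            found.append(current)
    return found


def parse_sections(haproxy_text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split haproxy.cfg into defaults lines and a map frontend/listen -> lines.
    Comments and blanks are dropped; several defaults sections are merged
    (a simplification: HAProxy applies only the most recent one)."""
    defaults: List[str] = []
    frontends: Dict[str, List[str]] = {}
    bucket = None
    for raw in haproxy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.group(1), m.group(2)
            if kind in ("frontend", "listen"):
                bucket = frontends.setdefault(name, [])
            elif kind == "defaults":
                bucket = defaults
            else:
                bucket = None  # global/backend lines are not relevant here
            continue
        if bucket is not None:
            bucket.append(line)
    return defaults, frontends


def filter_uses_engine(line: str, engine: str) -> bool:
    """True for 'filter spoe [engine <name>] config <file>' lines bound to the
    given engine; an omitted engine keyword is treated as a match."""
    m = re.match(r"filter\s+spoe\b(.*)", line)
    if not m:
        return False
    e = re.search(r"\bengine\s+(\S+)", m.group(1))
    return e is None or e.group(1) == engine


def frontends_missing_body_buffering(haproxy_text: str, spoe_text: str, engine: str = "coraza") -> List[str]:
    """Frontends that run the SPOE engine while a message expects req.body, but
    have option http-buffer-request neither set locally nor inherited from defaults."""
    if not spoe_messages_using_body(spoe_text):
        return []  # nothing sends req.body, so buffering is not required
    defaults, frontends = parse_sections(haproxy_text)
    inherited = any(BUFFER_RE.match(l) for l in defaults)
    return [
        name for name, lines in frontends.items()
        if any(filter_uses_engine(l, engine) for l in lines)
        and not (inherited or any(BUFFER_RE.match(l) for l in lines))
    ]


if __name__ == "__main__":
    for fe in frontends_missing_body_buffering(HAPROXY_CFG, SPOE_CFG):
        print(f"{fe}: sends req.body to SPOE engine without option http-buffer-request")
```

Run against the first poster's config, the lint flags `http_frontend`, the loopback frontend that carries the filter. Even with buffering enabled, HAProxy hands the agent at most one buffer (`tune.bufsize`) of body, so a request body larger than that is inspected only up to that size; the coraza-spoa log at `log_level: debug` is the place to confirm what body length the agent actually received.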
