Ruleset-Update:: XXE-Vuln and Websocket-Upgrade-Detection


mex

Jan 30, 2014, 6:31:23 PM1/30/14
to naxsi-discuss
remarks: we'll probably see more of this later, since the vulnerability will affect a lot more systems that use php + xml-parsing. rce'ing like it's rails-time again; the vuln-description from sensepost.com and the blogpost by r.silva are worth a read.
#
#
# sid: 42000341 |  date: 2014-01-31 - 00:21:19 | maker: lazydog
# 
# credits: 
# - sensepost.com for a nice generic vuln- analysis 
#   http://sensepost.com/blog/10178.html
# - Reginaldo Silva for his blogpost about a server facebook-vuln
#   http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
# 
#  
# 
# 
 
MainRule "rx:<!ENTITY(.*)SYSTEM" "msg:DN WEB_SERVER possible XML/XXE-Exploitation attempt" "mz:BODY" "s:$UWA:8" id:42000341 ;


-----------------------------------------------

tl;dr: after checking out sec-stuff around websockets: DONT WANT (atm) 
#
# sid: 42000340 |  date: 2014-01-31 - 00:21:47 | maker: lazydog
# 
# Attempt to connect to a Websocket
 
MainRule "str:upgrade" "msg:DN APP_SERVER Websocket-Connection-Scan" "mz:$HEADERS_VAR:Connection" "s:$UWA:8" id:42000340 ; 


regards, 

mex
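As an added example (not naxsi's code and not part of the original post), here is a small Python re-implementation of the two rules above, run against constructed requests. It assumes a CheckRule of "$UWA >= 8" BLOCK and applies the BODY rule to the raw body regardless of Content-Type, which real naxsi does not do by default.

```python
import re

# Re-implementation of the two MainRules from the thread (added example, not
# naxsi's own code). naxsi compiles "rx:" patterns with PCRE_CASELESS and
# treats "str:" as a case-insensitive substring test; $UWA is an ordinary
# named score that a CheckRule later compares against a threshold.
RULES = [
    # id, match kind, pattern, zone, points added to $UWA
    (42000341, "rx", r"<!ENTITY(.*)SYSTEM", "BODY", 8),
    (42000340, "str", "upgrade", ("HEADERS", "Connection"), 8),
]
UWA_BLOCK_THRESHOLD = 8  # assumed: CheckRule "$UWA >= 8" BLOCK;

def rule_matches(kind, pattern, value):
    """Match one rule body against one zone value with naxsi-like semantics."""
    if kind == "rx":
        return re.search(pattern, value, re.IGNORECASE | re.MULTILINE) is not None
    return pattern.lower() in value.lower()

def score_request(headers, body):
    """Return (uwa_score, matched_rule_ids) for one request.

    Simplification: the BODY rule is applied to the raw body regardless of
    Content-Type (what bui proposes in the thread); naxsi itself only
    inspects bodies whose content type it knows how to parse.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    score, matched = 0, []
    for rid, kind, pattern, zone, points in RULES:
        target = body if zone == "BODY" else lowered.get(zone[1].lower(), "")
        if rule_matches(kind, pattern, target):
            score += points
            matched.append(rid)
    return score, matched

def should_block(headers, body):
    return score_request(headers, body)[0] >= UWA_BLOCK_THRESHOLD

# Constructed sample traffic: a plain XML body, a body declaring an external
# entity, and the headers of a WebSocket handshake.
PLAIN_XML = '<?xml version="1.0"?><order><id>17</id></order>'
EXTERNAL_ENTITY_XML = ('<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM '
                       '"http://example.invalid/ext.dtd">]><d>&ext;</d>')
WS_HANDSHAKE_HEADERS = {"Connection": "Upgrade", "Upgrade": "websocket",
                        "Sec-WebSocket-Version": "13"}

if __name__ == "__main__":
    xml_hdrs = {"Content-Type": "text/xml"}
    for name, hdrs, body in [("plain xml", xml_hdrs, PLAIN_XML),
                             ("external entity", xml_hdrs, EXTERNAL_ENTITY_XML),
                             ("ws handshake", WS_HANDSHAKE_HEADERS, "")]:
        print(name, score_request(hdrs, body), should_block(hdrs, body))
```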


bui

Jan 31, 2014, 3:37:16 AM1/31/14
to naxsi-discuss
> tl;dr: after checking out sec-stuff around websockets: DONT WANT (atm)

me neither :p However, I'm thinking about hacking something in naxsi to allow "raw" search in BODYs, regardless of declared content .. Might be useful for websocket filtering, as well as for requests with no content-type .. (saw this in lousy applications !)

What do you guys think about it ? ;)





mex

Jan 31, 2014, 12:36:42 PM1/31/14
to naxsi-discuss

raw filtering would be interesting! websockets will be (one of) the next security-nightmares.

btw, what about wss (websocket-https) or compression?
i have no clue atm :D




2014-01-31 bui <ori...@gmail.com>: