382 lines
11 KiB
Perl
Vendored
382 lines
11 KiB
Perl
Vendored
use lib 'lib';
|
|
use Test::Nginx::Socket;
|
|
|
|
plan tests => repeat_each(2) * blocks();
|
|
no_root_location();
|
|
no_long_string();
|
|
$ENV{TEST_NGINX_SERVROOT} = server_root();
|
|
run_tests();
|
|
__DATA__
|
|
=== ID TEST 1.0: Drop rule without learning
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
=== ID TEST 1.1: whitelisted drop rule without learning
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
BasicRule wl:1999 "mz:ARGS";
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 200
|
|
|
|
=== ID TEST 1.2: bad whitelisted drop rule without learning
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
BasicRule wl:1999 "mz:URL";
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
=== ID TEST 1.3: drop rule with learning
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
|
|
|
|
=== ID TEST 1.4: drop rule with learning + correct whitelist
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
BasicRule wl:1999 "mz:$ARGS_VAR:bla";
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 200
|
|
|
|
|
|
=== ID TEST 1.5: drop rule with learning + incorrect whitelist
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$SQL >= 8" BLOCK;
|
|
CheckRule "$RFI >= 8" BLOCK;
|
|
CheckRule "$TRAVERSAL >= 4" BLOCK;
|
|
CheckRule "$XSS >= 8" BLOCK;
|
|
BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/x";
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
|
|
|
|
=== ID TEST 2.0: drop checkrule
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO >= 8" DROP;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
=== ID TEST 2.1: drop checkrule, with whitelisted rule
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO >= 8" DROP;
|
|
BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla$";
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 200
|
|
=== ID TEST 2.2: drop checkrule, with failed whitelisted rule
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO >= 8" DROP;
|
|
BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla1";
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
|
|
|
|
=== ID TEST 3.0: <= checkrule (why not dude)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO <= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
=== ID TEST 3.1: <= checkrule : Is useless, as score will go through value 8 before reaching 16, thus the checkrule will be applied
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO <= 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999&blu=1999
|
|
--- error_code: 412
|
|
=== ID TEST 3.2: < checkrule (why not dude)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO < 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 200
|
|
=== ID TEST 3.3: < checkrule (why not dude)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:7" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO < 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
=== ID TEST 3.4: > checkrule (why not dude)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO > 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 200
|
|
|
|
=== ID TEST 3.5: > checkrule (why not dude)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:9" id:1999;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO > 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request
|
|
GET /?bla=1999
|
|
--- error_code: 412
|
|
|
|
|
|
=== ID TEST 4.0: super long exception (trigger 400 bad request on old versions)
|
|
--- main_config
|
|
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
|
|
--- http_config
|
|
include /tmp/naxsi_ut/naxsi_core.rules;
|
|
--- config
|
|
location / {
|
|
SecRulesEnabled;
|
|
LearningMode;
|
|
DeniedUrl "/RequestDenied";
|
|
CheckRule "$FOO > 8" BLOCK;
|
|
root $TEST_NGINX_SERVROOT/html/;
|
|
index index.html index.htm;
|
|
error_page 405 = $uri;
|
|
}
|
|
location /RequestDenied {
|
|
return 412;
|
|
}
|
|
--- request eval
|
|
use URI::Escape;
|
|
"POST /
|
|
a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2=<>(){}[]'--;=a&a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1=<>(){}[]'--;=a&a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3=<>(){}[]'--;=a&a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4=<>(){}[]'&a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5=<>(){}[]'"
|
|
--- error_code: 200
|
|
|