WAF 390613

From Atomicorp Wiki
Revision as of 14:03, 18 November 2010 by Mshinn (Talk | contribs)


Rule ID

390613

Alert Message

Atomicorp.com WAF Rules: Invalid character in request or headers

Description

This rule detects NULL characters in the request URL or in a header of the request. Attackers often use NULL characters to try to bypass intrusion detection systems, as there have been vulnerabilities in IDSes (including modsecurity) that allowed such a bypass. The rule detects the use of NULL characters and blocks the request.

Example attack

GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1

The last character in this request, %00, is a URL-encoded NULL, which is invalid and is part of an actual attack on the system. In the above example an attacker attempts to access the Linux /proc file system via a recursion (directory traversal) attack, with a NULL character added at the end to attempt to evade the IDS.

False Positives:

This can be triggered if an application legitimately uses a NULL as the value of a header. This has only been seen with some cookies, and should never be seen in URLs, file names or header names.

It is recommended that you report this as a false positive so our security team can determine whether this is a legitimate case or a clever attack on your systems. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page.
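
The check described above, sketched as an added Python example (it is not Atomicorp's rule or modsecurity code). The function names, the three-pass decode limit, percent-decoding of header values and the "cookie-review" label are assumptions made for illustration; the sample request is constructed from the example attack, with the traversal shortened and made-up headers.

```python
from urllib.parse import unquote_to_bytes

MAX_DECODE_PASSES = 3  # assumption: how many layers of percent-encoding to unwrap


def has_null(value: bytes) -> bool:
    """True if value holds a NULL byte, raw or percent-encoded (e.g. %00, %2500)."""
    for _ in range(MAX_DECODE_PASSES):
        if b"\x00" in value:
            return True
        decoded = unquote_to_bytes(value)
        if decoded == value:  # nothing left to decode
            return False
        value = decoded
    return b"\x00" in value


def inspect_request(raw: bytes) -> list:
    """Return (kind, detail) findings for the head of one raw HTTP request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    findings = []
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) >= 2 else b""
    if has_null(target):
        findings.append(("url", target.decode("latin-1")))
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if has_null(name):
            findings.append(("header-name", name.decode("latin-1")))
        elif has_null(value):
            # Cookies are the only place legitimate NULLs have been reported,
            # so they are marked for review instead of as a plain violation.
            is_cookie = name.strip().lower() == b"cookie"
            kind = "cookie-review" if is_cookie else "header-value"
            findings.append((kind, name.decode("latin-1").strip()))
    return findings


# Constructed sample request (not captured traffic).
SAMPLE = (b"GET /index.php?option=com_shoutbox&controller=../../proc/self/environ%00"
          b" HTTP/1.1\r\n"
          b"Host: www.example.test\r\n"
          b"Cookie: prefs=a%00b\r\n"
          b"X-Trace: ok\r\n\r\n")

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE):
        print(finding)
```

A "cookie-review" finding corresponds to the false-positive case, which should be reported for analysis; the "url" and "header-name" findings have no legitimate use.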

Similar Rules

WAF_340614

WAF_340613
