WAF 390614
Rule 390614 | |
---|---|
Status | Active |
Alert Message | Atomicorp.com WAF Rules: Invalid character in ARGS |
Description
This rule detects NULL characters in unusual arguments. NULL characters are often used by attackers to try to bypass intrusion detection systems, as there have been vulnerabilities in IDSs (including modsecurity) that have allowed attackers to bypass them. WAFs will commonly ignore everything after the NULL but pass the entire string to the web server, where it is processed. The rule will detect the use of NULL characters and will block them.
Example attack
GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1
The last character of the controller argument in this request is a NULL (URL-encoded as %00), which is invalid and is part of an actual attack on the system. The above example is an attacker attempting to access the Linux /proc file system via a recursion attack, with an added NULL character at the end to attempt to evade the IDS.
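The kind of check described above, as an added Python illustration that is not Atomicorp's rule logic: it decodes each query argument of a request line and reports any NULL it finds. It goes slightly beyond the page by also inspecting argument names and by decoding a second time to catch a double-encoded NULL (%2500); the function name, the sample list and the two extra request lines are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Sample request lines. The first is the example request from this page;
# the other two are constructed for illustration.
SAMPLES = [
    "GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1",
    "GET /index.php?option=com_shoutbox&page=2 HTTP/1.1",
    "GET /profile?name=test%2500 HTTP/1.1",  # double-encoded NULL
]

NUL = "\x00"


def _first_nul(text, max_rounds):
    """Return (decode_round, offset) of the first NULL in text, or None.

    Round 1 is the text after the normal single URL decode. Later rounds
    decode again, so a value that only becomes NULL after a second decode
    (%2500 -> %00 -> NULL) is still reported.
    """
    for rnd in range(1, max_rounds + 1):
        pos = text.find(NUL)
        if pos != -1:
            return rnd, pos
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:  # nothing left to decode
            return None
        text = decoded
    return None


def find_nul_args(request_line, max_rounds=2):
    """Return a list of (arg_name, part, decode_round, offset) findings.

    part is "name" or "value", depending on where the NULL was found.
    """
    _method, target, _version = request_line.split(" ", 2)
    pairs = parse_qsl(urlsplit(target).query,
                      keep_blank_values=True, encoding="latin-1")
    findings = []
    for name, value in pairs:
        for part, text in (("name", name), ("value", value)):
            hit = _first_nul(text, max_rounds)
            if hit:
                # repr-style escaping keeps the NULL out of log output
                safe_name = name.replace(NUL, "\\x00")
                findings.append((safe_name, part, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for line in SAMPLES:
        print(find_nul_args(line) or "clean", "<-", line[:60])
```
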
Troubleshooting
False Positives
The rule contains logic to detect cases where the use of NULL characters is non-malicious. In some cases, an application may do this in a new way that the logic cannot detect. If you believe this is a false positive, please report it to our security team to determine if this is a legitimate case, or if it is a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.
Tuning Guidance
If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Similar Rules
Knowledge Base Articles
None.
Outside References
None.
Notes
None.