Difference between revisions of "WAF 390614"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1 = Rule 390614 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Atomicorp.com WAF Rules: Invalid character in ARGS }} = Description = Thi...")
 

Latest revision as of 12:21, 13 January 2017

Rule 390614
Status Active
Alert Message Atomicorp.com WAF Rules: Invalid character in ARGS

Contents

[edit] Description

This rules detects NULL characters in unusual arguments. NULL characters are often used by attackers to try an bypass intrusion detection systems, as there have been vulnerabilities in IDS' (including modsecurity) that have allowed attackers to bypass IDS systems. WAFs will commonly ignore everything after the null but pass the entire string to web server where it is processed. The Rules will detect the use of NULL characters and will block them.

Example attack'

GET /index.php?option=com_shoutbox&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1

The last character in this request is a null, which is invalid and is part of an actual attack on the system. The above example is an attacker attempting to access the Linux /proc file system via a recursion attack, with an added NULL character at the end to attempt to evade the IDS system.

[edit] Troubleshooting

[edit] False Positives

The rule contains logic to detect cases where the use of NULL characters is non-malicious. In some cases, an application may do this in a new way that logic can not detect. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

[edit] Tuning Guidance

If you want to disable this rule, please see the Tuning the Atomicorp WAF Rules page for basic information.

[edit] Additional Information

[edit] Similar Rules

WAF_340614

WAF_340613

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes

None.

Personal tools