Updates tests

Author: va1da5

.vscode/settings.json

@@ -3,7 +3,7 @@
     "ruff.importStrategy": "useBundled",
     "editor.formatOnSave": true,
     "editor.codeActionsOnSave": {
-        "source.fixAll": true,
-        "source.organizeImports": true
+        "source.fixAll": "explicit",
+        "source.organizeImports": "explicit"
     }
 }

Makefile

@@ -0,0 +1,15 @@
+.PHONY: start
+start:
+	docker compose up -d
+
+.PHONY: logs
+logs:
+	docker compose exec -it modsecurity tail -f /var/log/nginx/modsecurity.log || podman-compose exec modsecurity tail -f /var/log/nginx/modsecurity.log
+
+.PHONY: restart
+restart:
+	docker compose restart modsecurity
+
+.PHONY: test
+test:
+	pytest

README.md

@@ -1,8 +1,12 @@
 # 📛 OWASP ModSecurity Core Rule Set Tuning Practice
 
-**Disclaimer**: _Work in progress_
+[This collection](./test_waf.py) of basic unit tests is designed for practicing on how to adjust the [OWASP ModSecurity WAF Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/) to pass each test. It's important to note that these tests are not reflective of real-life situations and are solely intended for honing your skills in tuning WAF rules in different scenarios.
 
-[This collection](./test_waf.py) of basic unit tests is designed for practicing how to adjust [ModSecurity WAF rules](https://owasp.org/www-project-modsecurity-core-rule-set/) to pass each test. It's important to note that these tests are not reflective of real-life situations and are solely intended for honing your skills in tuning WAF rules in different scenarios.
+## Requirements
+
+- Docker/Podman
+- Docker Compose
+- Python
 
 ## Getting Started
 
@@ -23,6 +27,10 @@ docker compose up -d
 docker compose exec -it modsecurity tail -f /var/log/nginx/modsecurity.log
 podman-compose exec modsecurity tail -f /var/log/nginx/modsecurity.log
 
+# Restart container to apply new rules
+docker compose restart modsecurity
+podman-compose restart modsecurity
+
 # Use BurpSuite proxy for request inspection
 export HTTP_PROXY=http://localhost:8080
 ```
@@ -37,10 +45,25 @@ pytest
 pytest -k test_cookie_1
 ```
 
+### Recommended Process
+
+1. Start WAF and webserver `docker compose up -d`
+2. Start monitoring of WAF logs `docker compose exec -it modsecurity tail -f /var/log/nginx/modsecurity.log`
+3. Review test definition in [`test_waf.py`](./test_waf.py)
+4. Execute individual test `pytest -k test_generic_form_1`
+5. Review WAF log entries
+6. Update WAF [rules](./waf)
+7. Restart WAF `docker compose restart modsecurity`
+8. Repeat steps 4 to 7 until test reports success.
+9. Move to the next unit test.
+
 ## References
 
 - [owasp-modsecurity/ModSecurity](https://github.com/owasp-modsecurity/ModSecurity)
 - [OWASP ModSecurity Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/)
 - [coreruleset/coreruleset](https://github.com/coreruleset/coreruleset)
 - [OWASP CRS Docker Image](https://github.com/coreruleset/modsecurity-crs-docker)
 - [Handling False Positives with the OWASP ModSecurity Core Rule Set](https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/)
+- [SANS ModSecurity Rules](https://wiki.sans.blue/Tools/pdfs/ModSecurity.pdf)
+- [ModSecurity Reference Manual (v3.x)](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual)
+- [Full pytest documentation](https://docs.pytest.org/en/8.2.x/contents.html)

pyproject.toml

@@ -63,13 +63,14 @@ select = [
     "E9",
     "F",
 ]
+
 ignore = [
     # mutable defaults
     "B006",
 ]
 
 # Allow fix for all enabled rules (when `--fix`) is provided.
-fixable = ["ALL"]
+fixable = ["I"]
 
 unfixable = [
     # disable auto fix for print statements
@@ -108,9 +109,3 @@ docstring-code-format = false
 # This only has an effect when the `docstring-code-format` setting is
 # enabled.
 docstring-code-line-length = "dynamic"
-
-[tool.ruff.lint.isort]
-length-sort = true
-length-sort-straight = true
-combine-as-imports = true
-extra-standard-library = ["typing_extensions"]

test_waf.py

@@ -1,5 +1,6 @@
 import http
 import urllib.parse
+import uuid
 from random import randrange
 
 import pytest
@@ -13,6 +14,10 @@ def get_url(path: str) -> str:
     return urllib.parse.urljoin(ENDPOINT, path)
 
 
+def url_encode_all(string):
+    return "".join("%{0:0>2x}".format(ord(char)) for char in string)
+
+
 @pytest.fixture
 def user_agent():
     return {"User-Agent": UA}
@@ -75,37 +80,78 @@ def test_password_json_3(request_kwargs):
     assert response.status_code == http.HTTPStatus.FORBIDDEN
 
 
+def test_nosql_1(request_kwargs):
+    """This should work as it uses NOSQL"""
+    data = {}
+    data[str(uuid.uuid1())] = "test' or '1'='1"
+    response = requests.post(get_url("/nosql/update"), data=data, **request_kwargs)
+    assert response.status_code == http.HTTPStatus.OK
+
+
+def test_nosql_2(request_kwargs):
+    """NOSQL exploitation attempts should be blocked"""
+    data = {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp"}}
+    response = requests.post(get_url("/nosql/update"), json=data, **request_kwargs)
+    assert response.status_code == http.HTTPStatus.FORBIDDEN
+
+
 def test_cookie_1(user_agent):
-    """As an example, this cookie is considered safe and WAF should not block it"""
-    cookie = "yummy_cookie=uname-it; tasty_cookie=strawberry"
+    """These cookies are considered safe and WAF should not block it"""
+    cookie = "yummy_cookie=banana; tasty_cookie=strawberry"
     headers = {**user_agent, "Cookie": cookie}
     response = requests.get(get_url("/cookies"), headers=headers)
     assert response.status_code == http.HTTPStatus.OK
 
 
 def test_cookie_2(user_agent):
+    """As an example, this cookie is considered safe and WAF should not block it"""
+    cookie = "delicious_cookie=uname-it; tasty_cookie=strawberry"
+    headers = {**user_agent, "Cookie": cookie}
+    response = requests.get(get_url("/cookies"), headers=headers)
+    assert response.status_code == http.HTTPStatus.OK
+
+
+def test_cookie_3(user_agent):
     """Create custom rule to detect use of `username` cookie and prevent use of it"""
     cookie = "username=admin; session-id=73101f80-727c-4c4d-b812-9023d40e8510"
     headers = {**user_agent, "Cookie": cookie}
     response = requests.get(get_url("/cookies"), headers=headers)
     assert response.status_code == http.HTTPStatus.FORBIDDEN
 
 
-def test_cookie_3(user_agent):
+def test_cookie_4(user_agent):
     """Lets assume this is a legit cookie and needs to be allowed"""
-    cookie = 'SESSION=a:2:{i:0;s:4:"bob";i:1;s:33:"admin\'istrator\'=";}'
+    cookie = 'SESSION=O:13:"ConvisoPerson":5:{s:8:"username";s:6:"Antony";s:4:"team";s:5:"PTaaS";s:3:"age";i:17;s:6:"office";s:6:"Intern";s:12:"accountAdmin";b:0;}'
     headers = {**user_agent, "Cookie": cookie}
     response = requests.get(get_url("/cookies"), headers=headers)
     assert response.status_code == http.HTTPStatus.OK
 
 
+def test_cookie_5(user_agent):
+    """Lets assume this is a legit cookie and needs to be allowed"""
+    cookie = f"SESSION={str(uuid.uuid1())}|uname -a"
+    headers = {**user_agent, "Cookie": cookie}
+    response = requests.get(get_url("/cookies"), headers=headers)
+    assert response.status_code == http.HTTPStatus.FORBIDDEN
+
+
 def test_get_params_1(request_kwargs):
-    """This get parameter should not be blocked"""
+    """This get parameter value is considered safe and should not be blocked"""
     response = requests.get(get_url("/status") + "?action=netstat", **request_kwargs)
     assert response.status_code == http.HTTPStatus.OK
 
 
-def test_get_params_2(request_kwargs):
+@pytest.mark.parametrize(
+    "cmd",
+    ["whoami", "uname", "netcat", "wget"],
+)
+def test_get_params_2(cmd: str, request_kwargs):
+    """This and any other potential RCE attack parameter values should be blocked"""
+    response = requests.get(get_url("/status") + f"?action={cmd}", **request_kwargs)
+    assert response.status_code == http.HTTPStatus.FORBIDDEN
+
+
+def test_get_params_3(request_kwargs):
     """The below activity should be blocked"""
     response = requests.get(get_url("/status") + "?cmd=whoami", **request_kwargs)
     assert response.status_code == http.HTTPStatus.FORBIDDEN
@@ -118,3 +164,90 @@ def test_user_agent_1():
     }
     response = requests.get(get_url("/ua"), headers=headers)
     assert response.status_code == http.HTTPStatus.OK
+
+
+def test_user_agent_2():
+    """The below user-agent includes RCE attack attempt and must be blocked"""
+    headers = {
+        "User-Agent": 'Mozilla/5.0 (Linux; Android 10; id) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.3; echo "<h1>Defaced</h1>" > /var/www/html/public/index.php'
+    }
+    response = requests.get(get_url("/ua"), headers=headers)
+    assert response.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.parametrize(
+    "filename",
+    ["backup.sql", "dump.sql", "backup.old", "HEAD", "settings.xml", "config.json"],
+)
+def test_file_1(
+    filename: str,
+):
+    """Prevent users from accessing sensitive files anywhere on the server"""
+    path = f"/{str(uuid.uuid1())}/{filename}"
+    response = requests.get(get_url(path))
+    assert response.status_code == http.HTTPStatus.NOT_FOUND
+
+
+@pytest.mark.parametrize(
+    "filename",
+    [
+        "jquery.js",
+        "index.css",
+        "latin-wght-normal.woff2",
+    ],
+)
+def test_file_2(filename: str, request_kwargs):
+    """Allow to download static content"""
+    path = f"/{str(uuid.uuid1())}/{filename}"
+    response = requests.get(get_url(path), **request_kwargs)
+    assert response.status_code == http.HTTPStatus.OK
+
+
+@pytest.mark.parametrize(
+    "path",
+    [
+        "/var/www/html/config.json",
+        "/var/www/html/public/index.php",
+        "/etc/passwd",
+        "/proc/self/environ",
+        "/var/log/nginx/access.log",
+    ],
+)
+def test_file_3(path: str, request_kwargs):
+    """Prevent users from accessing files outside /home/* directory"""
+    response = requests.get(
+        get_url("/file/api") + f"?path={url_encode_all(path)}", **request_kwargs
+    )
+    assert response.status_code == http.HTTPStatus.NOT_FOUND
+
+
+@pytest.mark.parametrize(
+    "path",
+    [
+        "/etc/passwd",
+        "/proc/self/environ",
+    ],
+)
+def test_file_4(path: str, request_kwargs):
+    """Requests for system files should be blocked in general"""
+    response = requests.get(
+        get_url("/system/manage") + f"?path={url_encode_all(path)}", **request_kwargs
+    )
+    assert response.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.parametrize(
+    "filename",
+    [
+        "report.pdf",
+        "notes.txt",
+        "index.php",
+    ],
+)
+def test_file_5(filename: str, request_kwargs):
+    """Allow accessing specific files"""
+    response = requests.get(
+        get_url("/file/api") + f"?path=/home/{str(uuid.uuid1())}/{filename}",
+        **request_kwargs,
+    )
+    assert response.status_code == http.HTTPStatus.OK