From 99cab6d750e2d8e2f6dfc412394ce49ae7534bd6 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 28 Apr 2021 10:55:01 +0200
Subject: Add a blogpost to our propaganda section
---
 doc/source/papers.rst | 1 +
 1 file changed, 1 insertion(+)
(limited to 'doc')
diff --git a/doc/source/papers.rst b/doc/source/papers.rst
index 3cdb909..35905dd 100644
--- a/doc/source/papers.rst
+++ b/doc/source/papers.rst
@@ -101,6 +101,7 @@ Articles
 """"
 - `Sortie de Snuffleupagus 0.7.0 - Los Elefantes `__ (fr) - linuxfr
+`Virtual patching CVE-2021-29447 with Snuffleupagus `__ - dustri.org
 Papers
-- cgit v1.3
From 006026b492b119319219cd0e6eb2a6cbdb77c4e6 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 1 May 2021 17:20:02 +0200
Subject: Add a warning about the HMAC thingy for wordpress
---
 doc/source/config.rst | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'doc')
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 258b1ab..84e3fa9 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -164,6 +164,12 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
 sp.unserialize_hmac.enable();
 sp.unserialize_hmac.disable();
+
+.. warning::
+
+This feature breaks web applications doing checks on the serialized
+representation of data on their own, like `WordPress `__.
+
 .. _config_cookie-encryption:
 Cookies-related mitigations
-- cgit v1.3
From 73f764647baa7cdfb66eb6bf4b2feb96e190ef88 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 1 May 2021 17:50:32 +0200
Subject: Improve our SQLI-related documentation and remove some useless rules
---
 config/default.rules | 29 +----------------------------
 config/default_php8.rules | 29 +----------------------------
 doc/source/features.rst | 12 +++---------
 3 files changed, 5 insertions(+), 65 deletions(-)
(limited to 'doc')
diff --git a/config/default.rules b/config/default.rules
index 05dd91d..74e1edb 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -96,34 +96,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
 sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("var").value("passthru").drop();
-# Commenting sqli related stuff to improve performance.
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-
-# Ghetto sqli detection
+# Ghetto error-based sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
diff --git a/config/default_php8.rules b/config/default_php8.rules
index fa3120e..427dcaf 100644
--- a/config/default_php8.rules
+++ b/config/default_php8.rules
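Review bot: The new comment `# Ghetto error-based sqli detection` does not record that the three `ret("FALSE").drop()` rules it labels kill the request on any failed query, not only on injection attempts, so a transient database error or a query that legitimately fails becomes a hard failure (and a cheap denial of service if an attacker can provoke such errors) the moment someone uncomments them. The documentation touched in the same commit describes dumping the request for later analysis, while these rules use `.drop()`; the comment should say which behaviour is intended. I would extend it to `# Ghetto error-based sqli detection: fires on ANY failing query (benign errors included); prefer a logging action over drop and try it in simulation mode before enabling`. The rule set this hunk belongs to starts before the hunk.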
@@ -97,34 +97,7 @@ sp.disable_function.function("is_callable").param("value").value("shell_exec").d
 sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
 sp.disable_function.function("is_callable").param("value").value("passthru").drop();
-# Commenting sqli related stuff to improve performance.
-# TODO figure out why these functions can't be hooked at startup
-# Ghetto sqli hardening
-# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-
-# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-
-# Ghetto sqli detection
+# Ghetto error-based sqli detection
 # sp.disable_function.function("mysql_query").ret("FALSE").drop();
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 2eebc88..25fd62d 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -480,15 +480,9 @@ to see that people are disabling it on production too.
 We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and ``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
-*Cheap* SQL injections detection """"""""""""""""""""""""""""""""
+*Cheap* error-based SQL injections detection """"""""""""""""""""""""""""""""""""""""""""
-In some SQL injections, attackers might need to use comments, a feature that is
-often not used in production system, so it might be a good idea to filter
-queries that contains some. The same filtering idea can be used against
-SQL functions that are frequently used in SQL injections, like ``sleep``, ``benchmark``
-or strings like ``version_info``.
-
-On the topic of SQL injections, if a function performing a query returns ``FALSE``
+If a function performing a SQL query returns ``FALSE``
 (indicating an error), it might be useful to dump the request for further analysis.
-- cgit v1.3
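Review bot: In this PHP 8 rule file the retained `ret("FALSE")` lines under the new comment are mostly dead as far as I can tell: `mysql_query` no longer exists in PHP 7 and later, and `PDO::query` raises an exception on error by default since PHP 8.0 rather than returning `FALSE` (mysqli moved to the same default in 8.1), so the only hook that can still match is `mysqli_query` with error reporting left in the legacy non-throwing mode. The new comment line should record this, otherwise a reader will assume that uncommenting the three rules covers all three APIs; e.g. `# Ghetto error-based sqli detection (PHP 8: mysql_* is gone and PDO/mysqli throw by default, so these only fire when error reporting is configured to return FALSE)`. Catching the exception-raising path would need a different hook than `.ret("FALSE")`, and nothing in this hunk provides one.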