Comments (9)
post was changed: post_Mod now only filters requests whose Content-Type is application/x-www-form-urlencoded (not form uploads or raw body types), rather than filtering the whole POST body as before. Filtering for form uploads will be added later.
from openstar.
Then let me redo the test and see whether that is the case.
from openstar.
Still doesn't work. Is there an instant messaging tool for technical discussion?
# Result of calling api/debug.
{"_worker_id":0,"_Openstar_version":"v 1.5.0.8","_ip":"172.19.100.7","_ngx_configure":" --prefix=/opt/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.60 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.7 --add-module=../ngx_lua_upstream-0.06 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.17 --add-module=../redis2-nginx-module-0.13 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --pid-path=/var/run/nginx.pid --with-http_ssl_module","_ngx_version":1011002,"_worker_count":1,"_ngxVar":{"query_string":"","request_completion":"","request_time":"0.000","pid":"5927","host":"172.19.100.10","nginx_version":"1.11.2","request_uri":"/api/debug","remote_addr":"172.19.100.7","document_root":"/opt/openresty/nginx/html","connection":"9","http_host":"172.19.100.10:5460","request_method":"GET","msec":"1494406833.846","pipe":".","server_name":"localhost:5460","time_iso8601":"2017-05-10T17:00:33+08:00","uri":"/api/debug","server_addr":"172.19.100.10","realpath_root":"/opt/openresty/nginx/html","bytes_sent":"0","connection_requests":"1","request":"GET /api/debug HTTP/1.1","server_protocol":"HTTP/1.1","scheme":"http","document_uri":"/api/debug","request_filename":"/opt/openresty/nginx/html/api/debug","body_bytes_sent":"0","proxy_protocol_port":"","status":"000","hostname":"localhost.localdomain","time_local":"10/May/2017:17:00:33 +0800","request_length":"389","server_port":"5460","request_id":"71c788220b07184188ed2ec955b8d56a","proxy_protocol_addr":"","remote_port":"63094","limit_rate":"0"},"_ngx_prefix":"/opt/openresty/nginx/","_lua_version":"LuaJIT 2.1.0-beta2","_headers":{"host":"172.19.100.10:5460","accept-language":"zh-CN,zh;q=0.8","connection":"keep-alive","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8","accept-encoding":"gzip, deflate, sdch","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36"},"_args":{},"_pid":5927,"_ngx_lua_version":10007}
# WAF config: one change, more_set_headers 'Server: OpenStar 1.5.0.8'; used for test feedback.
# nginx config: one change, worker_processes 1;
# our.conf: proxy_pass works fine.
#################### passport waf_cc by zhouj #################
2016-06-09 11:26:36 up
upstream passport_web {
server 172.19.92.97:8080 max_fails=1 fail_timeout=10s;
}
server {
listen 80;
server_name www.test10.com;
access_log logs/mytest.access.log main;
error_log logs/mytest.debug.log debug;
#proxy_next_upstream http_502 http_504 http_404 error timeout invalid_header;
location ~* \.(gif|jpg|png|jpeg|bmp|css|js|flv|ico|swf|woff)$ {
proxy_pass http://passport_web;
access_log off;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_valid 200 302 6h;
proxy_cache_valid 301 1d;
proxy_cache_valid any 1m;
expires 30d;
}
location /WebGoat {
# Port 8080 on 92.97 is the permitted Tomcat.
proxy_pass http://172.19.92.97:8080/WebGoat;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
####################################################
###############
# Added a new filter rule to post_mod.json
{
"state": "on",
"hostname": ["*",""],
"post_str": ["testpostbodydrop","jio"],
"action": "deny"
}
###############
#############request#############
### Added the header field you mentioned to the request headers: Content-Type: application/x-www-form-urlencoded
POST /WebGoat/login.mvc HTTP/1.1
Host: www.test10.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=16B05686B08E321935090255506F7514
Connection: close
Content-Length: 16
testpostbodydrop
#############request#############
#############response##########
#### It was passed straight through; the 405 here is an error reported by the backend on the .97 machine. It was not filtered by post_mod.
##################
HTTP/1.1 405 Method Not Allowed
Date: Wed, 10 May 2017 09:14:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1047
Connection: close
Allow: GET
Content-Language: en
Server: OpenStar 1.5.0.8
HTTP Status 405 - Request method 'POST' not supported
type Status report
message Request method 'POST' not supported
description The specified HTTP method is not allowed for the requested resource.
Apache Tomcat/7.0.59
################################
from openstar.
POST /WebGoat/login.mvc HTTP/1.1
Host: www.test10.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=16B05686B08E321935090255506F7514
Connection: close
Content-Length: 16
a=testpostbodydrop&b=ddd
%%%%%%%%%%
Try the one above; post_Mod filters the value content, not the POST key.
Go and read up on some web programming material.
from openstar.
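To make the two replies above concrete, the following is an added Python model of the behaviour described in this thread; it is not OpenStar's code. The rule dict is copied from the post_mod.json shown earlier, the request bodies are constructed for the example, and the matching logic (form-urlencoded only, match against values rather than keys) is an assumption drawn from the maintainer's comments, not from the project's source. It also shows why a raw body of `testpostbodydrop` with no `key=` is never seen as a value, while `a=testpostbodydrop&b=ddd` is.

```python
from urllib.parse import parse_qsl

# Rule copied from the post_mod.json posted in this thread.
RULE = {
    "state": "on",
    "hostname": ["*", ""],
    "post_str": ["testpostbodydrop", "jio"],
    "action": "deny",
}

FORM_TYPE = "application/x-www-form-urlencoded"


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased; the body is everything after the blank
    line that terminates the header block.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_form_urlencoded(headers) -> bool:
    """True only for application/x-www-form-urlencoded (parameters such as charset ignored)."""
    ctype = headers.get("content-type", "")
    return ctype.split(";")[0].strip().lower() == FORM_TYPE


def post_mod_decision(headers, body, rule=RULE) -> str:
    """Model of post_Mod as described in the thread (assumption, not OpenStar code).

    Raw and multipart bodies are out of scope, so they pass untouched.
    For a form-urlencoded body, each post_str needle is matched against
    the *values* of the decoded key=value pairs, never against the keys.
    """
    if rule["state"] != "on" or not is_form_urlencoded(headers):
        return "pass"
    for _key, value in parse_qsl(body, keep_blank_values=True):
        if any(needle in value for needle in rule["post_str"]):
            return rule["action"]
    return "pass"


def check_content_length(headers, body) -> bool:
    """True when the declared Content-Length matches the actual body size."""
    declared = headers.get("content-length")
    return declared is not None and int(declared) == len(body.encode())


def build_request(path: str, headers: dict, body: str) -> str:
    """Assemble a POST request whose Content-Length is computed from the body."""
    lines = [f"POST {path} HTTP/1.1"]
    lines.extend(f"{k}: {v}" for k, v in headers.items())
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def run_cases() -> dict:
    """Run the three constructed requests through the model and return decisions."""
    form = {"Host": "www.test10.com", "Content-Type": FORM_TYPE}
    json_hdr = {"Host": "www.test10.com", "Content-Type": "application/json"}
    cases = {
        # The reporter's body: a bare token, so it decodes as a key with an empty value.
        "raw_token": build_request("/WebGoat/login.mvc", form, "testpostbodydrop"),
        # The maintainer's body: the needle sits in a value, so the rule fires.
        "form_value": build_request("/WebGoat/login.mvc", form, "a=testpostbodydrop&b=ddd"),
        # Same needle in a JSON body: out of scope for post_Mod per the first comment.
        "json_body": build_request("/WebGoat/login.mvc", json_hdr, '{"a": "testpostbodydrop"}'),
    }
    results = {}
    for name, raw in cases.items():
        _method, _path, headers, body = parse_raw_request(raw)
        assert check_content_length(headers, body)
        results[name] = post_mod_decision(headers, body)
    return results


if __name__ == "__main__":
    print(run_cases())  # {'raw_token': 'pass', 'form_value': 'deny', 'json_body': 'pass'}
```

When reproducing a test like the one in this thread, build the request with build_request (or let the client compute Content-Length) so the declared length matches the body; a server only reads the declared number of bytes, so a too-short Content-Length leaves the tail of the body unread and makes a filtering test meaningless.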
from openstar.
from openstar.
Using the example you gave gives the same result.
from openstar.
Check the base switch status via the API, check the rules of each mod, and make sure waf.conf is included before our.conf.
Troubleshooting......
from openstar.
URI blocking works, which shows the WAF is loaded normally; our.conf is included at the default config location.
from openstar.