-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathlog4shellFilter.xml
More file actions
136 lines (136 loc) · 7.05 KB
/
log4shellFilter.xml
File metadata and controls
136 lines (136 loc) · 7.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
<?xml version="1.0" encoding="UTF-8"?>
<exp:Export Version="3.0"
xmlns:L7p="http://www.layer7tech.com/ws/policy"
xmlns:exp="http://www.layer7tech.com/ws/policy/export" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
<exp:References/>
<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
<wsp:All wsp:Usage="Required">
<L7p:CommentAssertion>
<L7p:Comment stringValue="/**********************************************"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" WARNING - May Generate False Positives"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="Use this policy to filter out incoming requests that could"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="be an attempt at exploiting a back-end log4shell vulnerability by"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="looking for instances of "${" in the headers, parameters and payload"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="Prior to including this policy in a service (or globally), you should"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="validate that legitimate API traffic will not trigger this (false"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="positives). You should also test for performance impacts for APIs"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="that have high traffic, large payloads, or require low-latency."/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="If the pattern is detected, this policy fails, otherwise it suceeds."/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="The failure is not a garantee of a log4shell exploit."/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="Provided as an example only. For a more detailed explanation on"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="how this could help with log4shell and how this is not a silver"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="bullet, please read this article:"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="https://apiacademy.co/2021/12/can-you-pattern-detect-your-way-out-of-the-log4j-exploit-risk/"/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue=" "/>
</L7p:CommentAssertion>
<L7p:CommentAssertion>
<L7p:Comment stringValue="**********************************************/"/>
</L7p:CommentAssertion>
<wsp:OneOrMore wsp:Usage="Required">
<wsp:All wsp:Usage="Required">
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${request.url.query}"/>
<L7p:Operator operatorNull="null"/>
<L7p:Predicates predicates="included">
<L7p:item stringLength="included">
<L7p:Max intValue="-1"/>
<L7p:Min intValue="1"/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
<L7p:EncodeDecode>
<L7p:SourceVariableName stringValue="request.url.query"/>
<L7p:TargetDataType variableDataType="string"/>
<L7p:TargetVariableName stringValue="decodedquery"/>
<L7p:TransformType transformType="URL_DECODE"/>
</L7p:EncodeDecode>
</wsp:All>
<L7p:SetVariable>
<L7p:Base64Expression stringValue=""/>
<L7p:VariableToSet stringValue="decodedquery"/>
</L7p:SetVariable>
<L7p:assertionComment>
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="LEFT.COMMENT"/>
<L7p:value stringValue="decode query if present"/>
</L7p:entry>
</L7p:Properties>
</L7p:assertionComment>
</wsp:OneOrMore>
<L7p:CommentAssertion>
<L7p:Comment stringValue="Here you can adjust what gets scanned by the regex"/>
</L7p:CommentAssertion>
<L7p:SetVariable>
<L7p:AssertionComment assertionComment="included">
<L7p:Properties mapValue="included">
<L7p:entry>
<L7p:key stringValue="LEFT.COMMENT"/>
<L7p:value stringValue="stage inspection input"/>
</L7p:entry>
</L7p:Properties>
</L7p:AssertionComment>
<L7p:Base64Expression stringValue="JHtkZWNvZGVkcXVlcnl9JHtyZXF1ZXN0Lmh0dHAuYWxsaGVhZGVydmFsdWVzfSR7cmVxdWVzdC5tYWlucGFydH0NCg0K"/>
<L7p:VariableToSet stringValue="toeval"/>
</L7p:SetVariable>
<L7p:CommentAssertion>
<L7p:Comment stringValue="Here you can adjust the pattern you want to scan for"/>
</L7p:CommentAssertion>
<L7p:Regex>
<L7p:AutoTarget booleanValue="false"/>
<L7p:OtherTargetMessageVariable stringValue="toeval"/>
<L7p:ProceedIfPatternMatches booleanValue="false"/>
<L7p:Regex stringValue="\$\{"/>
<L7p:RegexName stringValue="Fail if ${"/>
<L7p:Replacement stringValue=""/>
<L7p:Target target="OTHER"/>
</L7p:Regex>
</wsp:All>
</wsp:Policy>
</exp:Export>