Hi Denis,

(?:something) means do not capture the values that matched something (capturing kind of saves it for later so you may use it). The less you capture things you don't need, the better it is for performance.
Regards,
Manuel

-------- Original message --------
From: Denis Kolegov <d.n.kole...@gmail.com>
Date: 14/01/2016 00:10 (GMT+01:00)
To: ac...@owasp.org
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] LDAP injection rule

Hi.

It seems my question was not clear. I asked about the logic of the regular expression. What is the purpose of the first part of the RE, where it checks for a string beginning with '('?

(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\())

Thanks.

---
Denis Kolegov

On 14 Jan 2016 3:18, "Achim" <ac...@owasp.org> wrote:

Hi Denis,

the round brackets in RE are used to group, in particular to group variants. If they should be a literal character, they need to be escaped with a \ (backslash). That said, you see both usages -- ( as grouping meta character, and \( as literal character -- in your visualized picture. You see the literal \( one only, but not the grouping ( in the picture. In LDAP round brackets are a core syntax element.

Does this help?
Achim

On 13.01.2016 12:21, Denis Kolegov wrote:
> Hello All.
>
> I am working on RE for LDAP injection.
> Could anybody explain the structure of the LDAP injection detection rule?
>
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
>
> Its regular expression is the following:
>
> (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
>
> See regular expression visualizer (https://jex.im/regulex) screenshot in
> the attachment.
>
> My questions:
>
> 1. What is the purpose of RE after '(' character? Which context is
> supposed there?
>
> I found the following vectors:
>
> Alonso-Parada vectors:
>
> foo)(sn=100
> foo)(&)
> documents)(security_level=*))(&(directory=documents
> printer)(uid=*)
> printer)(department=fa*)
> printer)(department=*fa*)
> *)(objectClass=*))(&(objectClass=void
> *)(objectClass=users))(&(objectClass=foo
> void)(objectClass=users))(&(objectClass=void)
>
> Exploit DB:
>
> ka0x)(|(homedirectory=*)
> 5faa0382d747b754)(sn=*
> 5faa0382d747b754)!(sn=*
>
> Burp:
>
> eb9adbd87d)(sn=*
> eb9adbd87d)!(sn=*
> *)(sn=*
> *)!(sn=*
>
> 2. Some trivial LDAPi vectors are not detected. For example,
>
> printer)(uid=*)
>
> from Alonso-Parada slides
> https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
>
> Thanks.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
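As an added illustration (not part of the thread, not CRS code), the rule's regex split into its three top-level alternatives and run over the vectors quoted above, so each hit can be attributed to the branch that fired and the undetected ones listed. It assumes case-insensitive matching as a stand-in for the ModSecurity transformations the real rule applies before matching, which the thread does not show.

```python
import re

# The CRS LDAP injection regex exactly as quoted in the thread, with its three
# top-level alternatives compiled separately so each hit can be attributed.
BRANCHES = {
    # "(" + optional non-word chars + a sensitive attribute name + "="
    "attr_equals": r"\(\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=",
    # "(" + a filter operator (!, &, |) + another "(" : start of a nested filter
    "open_operator_open": r"\([^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\(",
    # ")" closing the app's filter, then "(" + operator : a filter appended after it
    "close_open_operator": r"\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]",
}
# Assumption: re.IGNORECASE stands in for the rule's transformations (not shown in the thread).
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in BRANCHES.items()}
CRS_LDAPI = re.compile("|".join(f"(?:{p})" for p in BRANCHES.values()), re.IGNORECASE)

# Vectors exactly as listed in the thread (Alonso-Parada, Exploit DB, Burp).
THREAD_VECTORS = [
    "foo)(sn=100", "foo)(&)",
    "documents)(security_level=*))(&(directory=documents",
    "printer)(uid=*)", "printer)(department=fa*)", "printer)(department=*fa*)",
    "*)(objectClass=*))(&(objectClass=void",
    "*)(objectClass=users))(&(objectClass=foo",
    "void)(objectClass=users))(&(objectClass=void)",
    "ka0x)(|(homedirectory=*)", "5faa0382d747b754)(sn=*", "5faa0382d747b754)!(sn=*",
    "eb9adbd87d)(sn=*", "eb9adbd87d)!(sn=*", "*)(sn=*", "*)!(sn=*",
]


def matching_branches(payload: str) -> list:
    """Names of the alternatives that fire on payload (empty list = not detected)."""
    return [name for name, rx in COMPILED.items() if rx.search(payload)]


def is_detected(payload: str) -> bool:
    """True if the full rule regex matches anywhere in payload, as ModSecurity @rx would."""
    return CRS_LDAPI.search(payload) is not None


def undetected(vectors) -> list:
    """Vectors the regex does not match at all."""
    return [v for v in vectors if not is_detected(v)]


if __name__ == "__main__":
    for v in THREAD_VECTORS:
        print(f"{v:55} {matching_branches(v) or 'NOT DETECTED'}")
```

Running it shows that only vectors containing a filter operator (!, &, |) or one of the six listed attribute names are caught; the plain ")(attr=*" form, including the printer)(uid=*) case raised in the thread, slips through every branch.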