
crowdsec-automation
Contributor

This rule detects exploitation attempts of CVE-2023-3169, a stored XSS vulnerability in the tagDiv Composer WordPress plugin. The attack is performed by sending a POST request to the /wp-json/tdw/save_css endpoint with the compiled_css parameter containing injected JavaScript (e.g., <script> tags).

  • The first rule condition matches requests to the vulnerable endpoint by checking if the URI contains /wp-json/tdw/save_css, using a lowercase transform for case insensitivity.
  • The second rule condition inspects the compiled_css parameter in the POST body, decoding and lowercasing it, and matches if it contains the string <script>, which is a strong indicator of XSS payload injection.
  • The rule avoids false positives by targeting only the relevant parameter and endpoint, and by looking for the generic XSS vector <script> rather than specific payloads.
  • The test nuclei template is adapted to check for a 403 response, as expected from a WAF block.

Validation checklist:

  • All value: fields are lowercase.
  • transform includes lowercase and urldecode where applicable.
  • No match.value contains capital letters.
  • Rule uses contains instead of regex where applicable.
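As an added illustration (not code from this PR or from the CrowdSec hub), the two conditions described above are re-implemented in plain Python and run over a handful of constructed HTTP requests. It does not use the CrowdSec AppSec engine; the `lowercase` and `urldecode` transforms are reproduced with the standard library so the effect of each step can be traced by hand. The host name, payloads and the CSS body are made up for the example.

```python
"""
Standalone re-implementation of the vpatch-CVE-2023-3169 matching logic:
  condition 1: lowercase(URI) contains "/wp-json/tdw/save_css"
  condition 2: lowercase(urldecode(POST arg compiled_css)) contains "<script>"
Added example; not the hub's rule file and not executed by CrowdSec.
"""
from __future__ import annotations

from urllib.parse import unquote_plus

VULN_PATH = "/wp-json/tdw/save_css"
XSS_MARKER = "<script>"


def parse_request(raw: bytes) -> tuple[str, str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 request into (method, uri, still-encoded POST args)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, split_form_body(body.decode("latin-1"))


def split_form_body(body: str) -> dict[str, list[str]]:
    """Split application/x-www-form-urlencoded into raw values.

    Values are deliberately left percent-encoded here so that the single
    `urldecode` transform below is the only decoding step, as in the rule.
    """
    args: dict[str, list[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args.setdefault(unquote_plus(name), []).append(value)
    return args


def uri_matches(uri: str) -> bool:
    # Condition 1: `lowercase` transform, then `contains` on the URI.
    return VULN_PATH in uri.lower()


def compiled_css_matches(post_args: dict[str, list[str]]) -> bool:
    # Condition 2: only the compiled_css parameter is inspected,
    # transforms applied in rule order: urldecode, then lowercase.
    return any(
        XSS_MARKER in unquote_plus(raw_value).lower()
        for raw_value in post_args.get("compiled_css", [])
    )


def is_cve_2023_3169_attempt(raw_request: bytes) -> bool:
    """Both conditions must hold (an `and` rule)."""
    _method, uri, post_args = parse_request(raw_request)
    return uri_matches(uri) and compiled_css_matches(post_args)


def build_request(path: str, body: str) -> bytes:
    """Assemble a constructed POST request; example.test is a placeholder host."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")


# Constructed sample traffic covering the rule's scope.
SAMPLES = {
    # Mixed-case path and percent-encoded uppercase tag: both transforms matter.
    "encoded_upper": build_request(
        "/WP-JSON/tdw/save_css", "compiled_css=%3CSCRIPT%3Ealert(1)%3C%2FSCRIPT%3E"
    ),
    # Literal tag in the body.
    "plain": build_request("/wp-json/tdw/save_css", "compiled_css=<script>x</script>"),
    # Legitimate stylesheet save: must not match.
    "benign_css": build_request(
        "/wp-json/tdw/save_css", "compiled_css=.td-header%7Bcolor%3A%23fff%7D"
    ),
    # Same body against an unrelated endpoint: condition 1 fails.
    "other_endpoint": build_request("/wp-json/wp/v2/posts", "compiled_css=%3Cscript%3E"),
    # Marker in a parameter the rule does not look at: condition 2 fails.
    "other_param": build_request("/wp-json/tdw/save_css", "css=%3Cscript%3E"),
}


def evaluate_samples() -> dict[str, bool]:
    """Run every constructed sample through the rule logic."""
    return {name: is_cve_2023_3169_attempt(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} -> {'BLOCK (403)' if hit else 'pass'}")
```

The `encoded_upper` sample is the one worth watching: without `urldecode` the body still reads `%3CSCRIPT%3E`, and without `lowercase` the tag is `<SCRIPT>`, so either transform missing would let the request through; the `benign_css` sample shows that a normal stylesheet save to the same endpoint is not flagged.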

@github-actions

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-3169 🔴

@github-actions

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

@github-actions

Hello @seemanne and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴

@github-actions

Hello @seemanne,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
