Add vpatch-CVE-2022-25322 rule and test #1532
Conversation
|
Hello @crowdsec-automation and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2022-25322 🔴 |
|
Hello @crowdsec-automation, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
|
Hello @seemanne and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴 |
|
Hello @seemanne, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
3 participants
This rule targets SQL injection attempts in the ZEROF Web Server 2.0, specifically on the
/HandleEventendpoint. The nuclei template shows that the vulnerable parameter isO33in the POST body, which is manipulated to include a single quote (') to trigger SQL errors./HandleEventendpoint, using a case-insensitive comparison (lowercasetransform).O33parameter in the POST body (BODY_ARGS), applying bothlowercaseandurldecodetransforms to ensure normalization and to catch encoded payloads. It matches if the value contains a single quote, a common SQL injection indicator.labelssection includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.The test nuclei template is adapted to send a POST request with the vulnerable parameter and expects a 403 response, as per the detection rule. All
value:fields are lowercase, and the rule usescontainsfor the SQL metacharacter, as per guidelines. No regex is used where a simplecontainssuffices, and all transforms are present for case insensitivity and decoding.