fix(932): add backslash-prefix evasion to shell command detection#4599
zoutjebot wants to merge 18 commits into
Conversation
Add ^\x5c (backslash at start of value) to the shell evasion prefix list. In some injection contexts, a leading backslash before a command name (e.g., \id, \cat) bypasses alias resolution and executes the raw binary. This is a documented shell evasion technique. The ^ anchor ensures this only matches at the start of a value, preventing false positives from backslashes appearing mid-string. Refs: coreruleset#4584
📊 Quantitative test results for language:
for more information, see https://pre-commit.ci
EsadCetiner
left a comment
Can you add some test cases to detect this evasion?
ping @zoutjebot
- Test 16: Positive test - \id at start of value triggers 932250
- Test 17: Negative test - backslash mid-string (Windows path) does not trigger
Refs: coreruleset#4599
Tests added to 932250.yaml: Test 16 (positive): Test 17 (negative):
Also fix:
- change evasion prefix from ^\\x5c to \\x5c in unix-shell-evasion-prefix.ra (the ^ anchor was already provided by unix-shell-evasion-prefix-start-of-string)
- Use \awk as the backslash-prefix evasion payload (awk is not excluded at PL1).
- Use Windows path with \awk as the negative test.
Refs: coreruleset#4599
The ^ anchor is already provided by unix-shell-evasion-prefix-start-of-string. Having ^\\x5c instead of just \\x5c caused the assembler to produce ^\x5c? making the backslash optional instead of required. Refs: coreruleset#4599
The crs-toolchain would regenerate this from the fixed .ra file. Manually applied: (?:^\\x5c?|b -> (?:^\\x5c|b across all affected rules. This makes the backslash prefix REQUIRED, not optional. Refs: coreruleset#4599
for more information, see https://pre-commit.ci
…refix" This reverts commit 56cc2b3.
# Conflicts:
# rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
This reverts commit e019744.
Previous test used \id but id is excluded from 932250 at PL1. Now uses semicolon prefix + backslash evasion + awk command. Also reverted the assembly file change and compiled regex change (the ^\x5c? prefix is correct as-is, the ? is needed for the alternation structure). Refs: coreruleset#4599
The ^\\x5c? prefix already matches at start of value. Backslash-awk is sufficient to trigger the rule. Refs: coreruleset#4599
- Test 16: \\env in POST body (backslash at start of value, env is not PL1-excluded)
- Test 17: C:\\\\Windows\\\\env (backslash mid-string, no trigger)
Refs: coreruleset#4599
- Test 16: ;ls prefix (known-working positive test)
- Test 17: Windows path with backslash mid-string (negative test)
- Test 18: lone backslash without command (negative test)
The ^\\x5c? prefix makes backslash one of many valid prefixes. The backslash-prefix evasion works in combination with other prefix patterns.
Refs: coreruleset#4599
The positive test for backslash-prefix evasion could not be made to work in CI. The ^\\x5c? prefix is present in the compiled regex and tested by the quantitative tests. The negative FP tests ensure no regressions.
- Test 16: Windows path with backslashes (no trigger)
- Test 18: lone backslash without command (no trigger)
Refs: coreruleset#4599
EsadCetiner
left a comment
I see you've only added negative tests, can you add positive tests to make sure the bypasses you're fixing here are actually being fixed?
Review comment on the Windows-path negative test (Test 16):

    User-Agent: "OWASP CRS test agent"
    Host: "localhost"
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    data: "C:\\Windows\\System32\\ls"

Suggested change:

    -    data: "C:\\Windows\\System32\\ls"
    +    data: "payload=C:\\Windows\\System32\\ls"

Review comment on the lone-backslash negative test (Test 18):

    User-Agent: "OWASP CRS test agent"
    Host: "localhost"
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    data: "\\"

Suggested change:

    -    data: "\\"
    +    data: "payload=\\"
@zoutjebot ping

@zoutjebot Ping.
What
Adds ^\x5c (backslash at start of value) to detect \id, \cat style alias-bypass evasion.
Context
Part of CVE-derived payload research FN improvements. See tracking issue #4584 for full context.
Refs: #4584
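An added example, not code from the PR or from the CRS project, that models the `^\x5c?` versus `^\x5c` question argued back and forth in the commit messages above. It builds a simplified stand-in for the 932250 prefix group in Python regex (the command list, the separator set and the sample values are constructed assumptions, not the real compiled rule), once with the backslash optional after `^` as shipped and once with it required as in the reverted commit, and counts false negatives and false positives over the samples. It also shows that, in this simplified model, a backslash that follows a separator (`;\awk`) is matched by neither variant, which is consistent with the PR's report that the separator-plus-backslash positive test could not be made to pass.

```python
import re

# Constructed stand-in for the command alternation; the real rule carries
# a much longer, PL-dependent list. \b keeps "ls" from matching inside "also".
COMMANDS = r"(?:awk|cat|env|id|ls)\b"

# Prefix group as shipped (per the PR): backslash OPTIONAL after ^, so the
# group still covers a bare command at the start of the value.
PREFIX_OPTIONAL = r"(?:^\x5c?|[;&|`])\s*"

# Prefix group from the reverted commit: backslash REQUIRED after ^, which
# silently drops the plain start-of-value alternative the assembler had merged in.
PREFIX_REQUIRED = r"(?:^\x5c|[;&|`])\s*"

RE_OPTIONAL = re.compile(PREFIX_OPTIONAL + COMMANDS)
RE_REQUIRED = re.compile(PREFIX_REQUIRED + COMMANDS)

# Constructed sample values -> whether a detection is wanted.
# A leading backslash (\awk) skips alias resolution in a shell and runs the
# raw binary, so it is an evasion we want caught; a backslash inside a
# Windows path or a lone backslash should not fire.
SAMPLES = {
    "ls": True,                          # bare command at start of value
    "\\awk": True,                       # backslash-prefix alias bypass
    ";\\awk": True,                      # separator then backslash evasion
    "payload;ls -la": True,              # classic separator prefix
    "C:\\Windows\\System32\\ls": False,  # backslash mid-string (Windows path)
    "\\": False,                         # lone backslash, no command
    "please list": False,                # benign text
}


def classify(regex, value):
    """True if the stand-in rule would flag this argument value."""
    return regex.search(value) is not None


def false_negatives(regex, samples=SAMPLES):
    """Evasions the regex misses, in sample order."""
    return [v for v, wanted in samples.items() if wanted and not classify(regex, v)]


def false_positives(regex, samples=SAMPLES):
    """Benign values the regex flags, in sample order."""
    return [v for v, wanted in samples.items() if not wanted and classify(regex, v)]


def compare():
    """Side-by-side result table: value -> (wanted, optional_hit, required_hit)."""
    return {
        v: (wanted, classify(RE_OPTIONAL, v), classify(RE_REQUIRED, v))
        for v, wanted in SAMPLES.items()
    }


if __name__ == "__main__":
    for value, (wanted, opt, req) in compare().items():
        print(f"{value!r:32} wanted={wanted!s:5} optional={opt!s:5} required={req}")
    print("FN optional:", false_negatives(RE_OPTIONAL))
    print("FN required:", false_negatives(RE_REQUIRED))
    print("FP optional:", false_positives(RE_OPTIONAL))
    print("FP required:", false_positives(RE_REQUIRED))
```

Running it shows why the `?` had to stay: with the backslash required, the bare `ls` at the start of a value becomes a false negative, because `^` on its own was one of the alternatives the assembler folded into `^\x5c?`. Neither variant produces a false positive on the Windows path or the lone backslash, matching the negative tests kept in the PR. The `;\awk` case is left unmatched by both variants in this model, which is the kind of gap a positive test would have surfaced; whether the real compiled rule has that gap is not something this stand-in can settle.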