アンチCSRFトークンとアラートフィルターを追加

EC-CUBE · Feb 16, 2022 · 754ac03 · 754ac03
1 parent f55c4c2
commit 754ac03
Showing 1 changed file with 280 additions and 2 deletions.
diff --git a/zap/options.properties b/zap/options.properties
@@ -113,14 +113,16 @@ anticsrf.tokens.token\(54\).name=calendar[_token]
 anticsrf.tokens.token\(54\).enabled=true
 anticsrf.tokens.token\(55\).name=nonmember[_token]
 anticsrf.tokens.token\(55\).enabled=true
+anticsrf.tokens.token\(56\).name=admin_customer[_token]
+anticsrf.tokens.token\(56\).enabled=true
 scanner.antiCSFR=true
 httpsessions.tokens.token\(0\).name=eccube
 httpsessions.tokens.token\(0\).enabled=true
 httpsessions.tokens.token\(1\).name=ecsessid
 httpsessions.tokens.token\(1\).enabled=true
 httpsessions.tokens.token\(2\).name=phpsessid
 httpsessions.tokens.token\(2\).enabled=true
-## Filtering out false positives in PATH Traversal
+## Filtering out false positives in PATH Traversal to add_cart
 globalalertfilter.filters.filter\(0\).ruleid=6
 globalalertfilter.filters.filter\(0\).newrisk=-1
 globalalertfilter.filters.filter\(0\).url=https://ec-cube/products/add_cart/[0-9]+
@@ -144,7 +146,7 @@ globalalertfilter.filters.filter\(1\).attackregex=false
 globalalertfilter.filters.filter\(1\).evidence=
 globalalertfilter.filters.filter\(1\).evidenceregex=false
 globalalertfilter.filters.filter\(1\).enabled=true
-## Filtering out false positives in anti CSRF token
+## Filtering out false positives in anti CSRF token to searchForm
 globalalertfilter.filters.filter\(2\).ruleid=10202
 globalalertfilter.filters.filter\(2\).newrisk=-1
 globalalertfilter.filters.filter\(2\).url=https://ec-cube/.*
@@ -156,3 +158,279 @@ globalalertfilter.filters.filter\(2\).attackregex=false
 globalalertfilter.filters.filter\(2\).evidence=
 globalalertfilter.filters.filter\(2\).evidenceregex=false
 globalalertfilter.filters.filter\(2\).enabled=true
+## Filtering out false positives in PATH Traversal to method
+globalalertfilter.filters.filter\(3\).ruleid=6
+globalalertfilter.filters.filter\(3\).newrisk=-1
+globalalertfilter.filters.filter\(3\).url=https://ec-cube/.*/delete
+globalalertfilter.filters.filter\(3\).urlregex=true
+globalalertfilter.filters.filter\(3\).param=_method
+globalalertfilter.filters.filter\(3\).paramregex=false
+globalalertfilter.filters.filter\(3\).attack=delete
+globalalertfilter.filters.filter\(3\).attackregex=false
+globalalertfilter.filters.filter\(3\).evidence=
+globalalertfilter.filters.filter\(3\).evidenceregex=false
+globalalertfilter.filters.filter\(3\).enabled=true
+## Filtering out false positives in anti CSRF token to ec-cube.net
+globalalertfilter.filters.filter\(4\).ruleid=10202
+globalalertfilter.filters.filter\(4\).newrisk=-1
+globalalertfilter.filters.filter\(4\).url=https://ec-cube/.*
+globalalertfilter.filters.filter\(4\).urlregex=true
+globalalertfilter.filters.filter\(4\).param=
+globalalertfilter.filters.filter\(4\).paramregex=false
+globalalertfilter.filters.filter\(4\).attack=<form action="https://www.ec-cube.net/.*" method="post" target="_blank">
+globalalertfilter.filters.filter\(4\).attackregex=true
+globalalertfilter.filters.filter\(4\).evidence=
+globalalertfilter.filters.filter\(4\).evidenceregex=false
+globalalertfilter.filters.filter\(4\).enabled=true
+## Filtering out false positives in anti CSRF token to form_bulk
+globalalertfilter.filters.filter\(5\).ruleid=10202
+globalalertfilter.filters.filter\(5\).newrisk=-1
+globalalertfilter.filters.filter\(5\).url=https://ec-cube/admin/product
+globalalertfilter.filters.filter\(5\).urlregex=false
+globalalertfilter.filters.filter\(5\).param=
+globalalertfilter.filters.filter\(5\).paramregex=false
+globalalertfilter.filters.filter\(5\).attack=
+globalalertfilter.filters.filter\(5\).attackregex=false
+globalalertfilter.filters.filter\(5\).evidence=<form id="form_bulk" method="POST" action="">
+globalalertfilter.filters.filter\(5\).evidenceregex=false
+globalalertfilter.filters.filter\(5\).enabled=true
+## Filtering out false positives in anti CSRF token to category
+globalalertfilter.filters.filter\(6\).ruleid=10202
+globalalertfilter.filters.filter\(6\).newrisk=-1
+globalalertfilter.filters.filter\(6\).url=https://ec-cube/admin/category
+globalalertfilter.filters.filter\(6\).urlregex=false
+globalalertfilter.filters.filter\(6\).param=
+globalalertfilter.filters.filter\(6\).paramregex=false
+globalalertfilter.filters.filter\(6\).attack=
+globalalertfilter.filters.filter\(6\).attackregex=false
+globalalertfilter.filters.filter\(6\).evidence=<form class="form-row d-none mode-edit" method="POST" action="https://ec-cube/admin/product/category" enctype="multipart/form-data">
+globalalertfilter.filters.filter\(6\).evidenceregex=false
+globalalertfilter.filters.filter\(6\).enabled=true
+## Filtering out false positives in anti CSRF token to class_category
+globalalertfilter.filters.filter\(7\).ruleid=10202
+globalalertfilter.filters.filter\(7\).newrisk=-1
+globalalertfilter.filters.filter\(7\).url=https://ec-cube/admin/product/class_category/.*
+globalalertfilter.filters.filter\(7\).urlregex=true
+globalalertfilter.filters.filter\(7\).param=
+globalalertfilter.filters.filter\(7\).paramregex=false
+globalalertfilter.filters.filter\(7\).attack=
+globalalertfilter.filters.filter\(7\).attackregex=false
+globalalertfilter.filters.filter\(7\).evidence=<form class="form-row d-none mode-edit" method="post" action="https://ec-cube/admin/product/class_category/[0-9]+/[0-9]+/edit">
+globalalertfilter.filters.filter\(7\).evidenceregex=true
+globalalertfilter.filters.filter\(7\).enabled=true
+## Filtering out false positives in anti CSRF token to class_name
+globalalertfilter.filters.filter\(8\).ruleid=10202
+globalalertfilter.filters.filter\(8\).newrisk=-1
+globalalertfilter.filters.filter\(8\).url=https://ec-cube/admin/product/class_name
+globalalertfilter.filters.filter\(8\).urlregex=false
+globalalertfilter.filters.filter\(8\).param=
+globalalertfilter.filters.filter\(8\).paramregex=false
+globalalertfilter.filters.filter\(8\).attack=
+globalalertfilter.filters.filter\(8\).attackregex=false
+globalalertfilter.filters.filter\(8\).evidence=<form class="form-row d-none mode-edit" method="post" action="https://ec-cube/admin/product/class_name">
+globalalertfilter.filters.filter\(8\).evidenceregex=false
+globalalertfilter.filters.filter\(8\).enabled=true
+## Filtering out false positives in anti CSRF token to tag
+globalalertfilter.filters.filter\(9\).ruleid=10202
+globalalertfilter.filters.filter\(9\).newrisk=-1
+globalalertfilter.filters.filter\(9\).url=https://ec-cube/admin/product/tag
+globalalertfilter.filters.filter\(9\).urlregex=false
+globalalertfilter.filters.filter\(9\).param=
+globalalertfilter.filters.filter\(9\).paramregex=false
+globalalertfilter.filters.filter\(9\).attack=
+globalalertfilter.filters.filter\(9\).attackregex=false
+globalalertfilter.filters.filter\(9\).evidence=<form class="form-row d-none mode-edit" method="post" action="https://ec-cube/admin/product/tag">
+globalalertfilter.filters.filter\(9\).evidenceregex=false
+globalalertfilter.filters.filter\(9\).enabled=true
+## Filtering out false positives in PATH Traversal to edit
+globalalertfilter.filters.filter\(10\).ruleid=6
+globalalertfilter.filters.filter\(10\).newrisk=-1
+globalalertfilter.filters.filter\(10\).url=https://ec-cube/admin/.*/edit
+globalalertfilter.filters.filter\(10\).urlregex=true
+globalalertfilter.filters.filter\(10\).param=
+globalalertfilter.filters.filter\(10\).paramregex=false
+globalalertfilter.filters.filter\(10\).attack=edit
+globalalertfilter.filters.filter\(10\).attackregex=false
+globalalertfilter.filters.filter\(10\).evidence=
+globalalertfilter.filters.filter\(10\).evidenceregex=false
+globalalertfilter.filters.filter\(10\).enabled=true
+## Filtering out false positives in PATH Traversal to new
+globalalertfilter.filters.filter\(11\).ruleid=6
+globalalertfilter.filters.filter\(11\).newrisk=-1
+globalalertfilter.filters.filter\(11\).url=https://ec-cube/admin/.*/new
+globalalertfilter.filters.filter\(11\).urlregex=true
+globalalertfilter.filters.filter\(11\).param=
+globalalertfilter.filters.filter\(11\).paramregex=false
+globalalertfilter.filters.filter\(11\).attack=new
+globalalertfilter.filters.filter\(11\).attackregex=false
+globalalertfilter.filters.filter\(11\).evidence=
+globalalertfilter.filters.filter\(11\).evidenceregex=false
+globalalertfilter.filters.filter\(11\).enabled=true
+## Filtering out false positives in anti CSRF token to order_item_type
+globalalertfilter.filters.filter\(12\).ruleid=10202
+globalalertfilter.filters.filter\(12\).newrisk=-1
+globalalertfilter.filters.filter\(12\).url=https://ec-cube/admin/order/search/order_item_type
+globalalertfilter.filters.filter\(12\).urlregex=false
+globalalertfilter.filters.filter\(12\).param=
+globalalertfilter.filters.filter\(12\).paramregex=false
+globalalertfilter.filters.filter\(12\).attack=
+globalalertfilter.filters.filter\(12\).attackregex=false
+globalalertfilter.filters.filter\(12\).evidence=<form name="product_form[0-9]+">
+globalalertfilter.filters.filter\(12\).evidenceregex=true
+globalalertfilter.filters.filter\(12\).enabled=true
+## Filtering out false positives in anti CSRF token to search product
+globalalertfilter.filters.filter\(13\).ruleid=10202
+globalalertfilter.filters.filter\(13\).newrisk=-1
+globalalertfilter.filters.filter\(13\).url=https://ec-cube/admin/.*/search/product
+globalalertfilter.filters.filter\(13\).urlregex=true
+globalalertfilter.filters.filter\(13\).param=
+globalalertfilter.filters.filter\(13\).paramregex=false
+globalalertfilter.filters.filter\(13\).attack=
+globalalertfilter.filters.filter\(13\).attackregex=false
+globalalertfilter.filters.filter\(13\).evidence=<form name="product_form[0-9]+">
+globalalertfilter.filters.filter\(13\).evidenceregex=true
+globalalertfilter.filters.filter\(13\).enabled=true
+## Filtering out false positives in XSS(Persistent) to file_manager
+globalalertfilter.filters.filter\(14\).ruleid=40014
+globalalertfilter.filters.filter\(14\).newrisk=-1
+globalalertfilter.filters.filter\(14\).url=https://ec-cube/admin/content/file_manager
+globalalertfilter.filters.filter\(14\).urlregex=false
+globalalertfilter.filters.filter\(14\).param=form[file][]
+globalalertfilter.filters.filter\(14\).paramregex=false
+globalalertfilter.filters.filter\(14\).attack=;alert(1)
+globalalertfilter.filters.filter\(14\).attackregex=false
+globalalertfilter.filters.filter\(14\).evidence=
+globalalertfilter.filters.filter\(14\).evidenceregex=false
+globalalertfilter.filters.filter\(14\).enabled=true
+## Filtering out false positives in XSS(Reflected) to file_manager
+globalalertfilter.filters.filter\(15\).ruleid=40012
+globalalertfilter.filters.filter\(15\).newrisk=-1
+globalalertfilter.filters.filter\(15\).url=https://ec-cube/admin/content/file_manager
+globalalertfilter.filters.filter\(15\).urlregex=false
+globalalertfilter.filters.filter\(15\).param=
+globalalertfilter.filters.filter\(15\).paramregex=false
+globalalertfilter.filters.filter\(15\).attack=;alert(1)
+globalalertfilter.filters.filter\(15\).attackregex=false
+globalalertfilter.filters.filter\(15\).evidence=;alert(1)
+globalalertfilter.filters.filter\(15\).evidenceregex=false
+globalalertfilter.filters.filter\(15\).enabled=true
+## Filtering out false positives in XSS(Reflected) to recommend
+globalalertfilter.filters.filter\(16\).ruleid=40012
+globalalertfilter.filters.filter\(16\).newrisk=-1
+globalalertfilter.filters.filter\(16\).url=https://ec-cube/admin/plugin/recommend/.*
+globalalertfilter.filters.filter\(16\).urlregex=true
+globalalertfilter.filters.filter\(16\).param=recommend_product[comment]
+globalalertfilter.filters.filter\(16\).paramregex=false
+globalalertfilter.filters.filter\(16\).attack=
+globalalertfilter.filters.filter\(16\).attackregex=false
+globalalertfilter.filters.filter\(16\).evidence=
+globalalertfilter.filters.filter\(16\).evidenceregex=false
+globalalertfilter.filters.filter\(16\).enabled=true
+## Filtering out false positives in SQL Injection to file_manager
+globalalertfilter.filters.filter\(17\).ruleid=40018
+globalalertfilter.filters.filter\(17\).newrisk=-1
+globalalertfilter.filters.filter\(17\).url=https://ec-cube/admin/content/file_manager
+globalalertfilter.filters.filter\(17\).urlregex=false
+globalalertfilter.filters.filter\(17\).param=
+globalalertfilter.filters.filter\(17\).paramregex=false
+globalalertfilter.filters.filter\(17\).attack=
+globalalertfilter.filters.filter\(17\).attackregex=false
+globalalertfilter.filters.filter\(17\).evidence=
+globalalertfilter.filters.filter\(17\).evidenceregex=false
+globalalertfilter.filters.filter\(17\).enabled=true
+## Filtering out false positives in XSS(Reflected) to mail_magazine
+globalalertfilter.filters.filter\(18\).ruleid=40012
+globalalertfilter.filters.filter\(18\).newrisk=-1
+globalalertfilter.filters.filter\(18\).url=https://ec-cube/admin/plugin/mail_magazine/select/.*
+globalalertfilter.filters.filter\(18\).urlregex=true
+globalalertfilter.filters.filter\(18\).param=mail_magazine[htmlBody]
+globalalertfilter.filters.filter\(18\).paramregex=false
+globalalertfilter.filters.filter\(18\).attack=
+globalalertfilter.filters.filter\(18\).attackregex=false
+globalalertfilter.filters.filter\(18\).evidence=
+globalalertfilter.filters.filter\(18\).evidenceregex=false
+globalalertfilter.filters.filter\(18\).enabled=true
+## Filtering out false positives in XSS(Reflected) to mail preview
+globalalertfilter.filters.filter\(19\).ruleid=40012
+globalalertfilter.filters.filter\(19\).newrisk=-1
+globalalertfilter.filters.filter\(19\).url=https://ec-cube/admin/setting/shop/mail/preview
+globalalertfilter.filters.filter\(19\).urlregex=false
+globalalertfilter.filters.filter\(19\).param=html_body
+globalalertfilter.filters.filter\(19\).paramregex=false
+globalalertfilter.filters.filter\(19\).attack=
+globalalertfilter.filters.filter\(19\).attackregex=false
+globalalertfilter.filters.filter\(19\).evidence=
+globalalertfilter.filters.filter\(19\).evidenceregex=false
+globalalertfilter.filters.filter\(19\).enabled=true
+## Filtering out false positives in PATH Traversal to csv
+globalalertfilter.filters.filter\(20\).ruleid=6
+globalalertfilter.filters.filter\(20\).newrisk=-1
+globalalertfilter.filters.filter\(20\).url=https://ec-cube/admin/setting/shop/csv/.*
+globalalertfilter.filters.filter\(20\).urlregex=true
+globalalertfilter.filters.filter\(20\).param=
+globalalertfilter.filters.filter\(20\).paramregex=false
+globalalertfilter.filters.filter\(20\).attack=[0-9]+
+globalalertfilter.filters.filter\(20\).attackregex=true
+globalalertfilter.filters.filter\(20\).evidence=
+globalalertfilter.filters.filter\(20\).evidenceregex=false
+globalalertfilter.filters.filter\(20\).enabled=true
+## Filtering out false positives in PATH Traversal to security
+globalalertfilter.filters.filter\(21\).ruleid=6
+globalalertfilter.filters.filter\(21\).newrisk=-1
+globalalertfilter.filters.filter\(21\).url=https://ec-cube/admin/setting/system/security
+globalalertfilter.filters.filter\(21\).urlregex=false
+globalalertfilter.filters.filter\(21\).param=admin_security[admin_route_dir]
+globalalertfilter.filters.filter\(21\).paramregex=false
+globalalertfilter.filters.filter\(21\).attack=security
+globalalertfilter.filters.filter\(21\).attackregex=false
+globalalertfilter.filters.filter\(21\).evidence=
+globalalertfilter.filters.filter\(21\).evidenceregex=false
+globalalertfilter.filters.filter\(21\).enabled=true
+## Filtering out false positives in anti CSRF token to authentication_setting
+globalalertfilter.filters.filter\(22\).ruleid=10202
+globalalertfilter.filters.filter\(22\).newrisk=-1
+globalalertfilter.filters.filter\(22\).url=https://ec-cube/admin/store/plugin/authentication_setting
+globalalertfilter.filters.filter\(22\).urlregex=false
+globalalertfilter.filters.filter\(22\).param=
+globalalertfilter.filters.filter\(22\).paramregex=false
+globalalertfilter.filters.filter\(22\).attack=
+globalalertfilter.filters.filter\(22\).attackregex=false
+globalalertfilter.filters.filter\(22\).evidence=<form id="captcha-form" method="post">
+globalalertfilter.filters.filter\(22\).evidenceregex=false
+globalalertfilter.filters.filter\(22\).enabled=true
+## Filtering out false positives in anti CSRF token to memeber
+globalalertfilter.filters.filter\(22\).ruleid=10202
+globalalertfilter.filters.filter\(22\).newrisk=-1
+globalalertfilter.filters.filter\(22\).url=https://ec-cube/admin/setting/system/member
+globalalertfilter.filters.filter\(22\).urlregex=false
+globalalertfilter.filters.filter\(22\).param=
+globalalertfilter.filters.filter\(22\).paramregex=false
+globalalertfilter.filters.filter\(22\).attack=
+globalalertfilter.filters.filter\(22\).attackregex=false
+globalalertfilter.filters.filter\(22\).evidence=<form name="form1" id="form1" method="post" action="">
+globalalertfilter.filters.filter\(22\).evidenceregex=false
+globalalertfilter.filters.filter\(22\).enabled=true
+## Filtering out false positives in PATH Traversal to customer
+globalalertfilter.filters.filter\(23\).ruleid=6
+globalalertfilter.filters.filter\(23\).newrisk=-1
+globalalertfilter.filters.filter\(23\).url=https://ec-cube/shopping/customer
+globalalertfilter.filters.filter\(23\).urlregex=false
+globalalertfilter.filters.filter\(23\).param=
+globalalertfilter.filters.filter\(23\).paramregex=false
+globalalertfilter.filters.filter\(23\).attack=customer
+globalalertfilter.filters.filter\(23\).attackregex=false
+globalalertfilter.filters.filter\(23\).evidence=
+globalalertfilter.filters.filter\(23\).evidenceregex=false
+globalalertfilter.filters.filter\(23\).enabled=true
+## Filtering out false positives in anti CSRF token to favorite
+globalalertfilter.filters.filter\(24\).ruleid=10202
+globalalertfilter.filters.filter\(24\).newrisk=-1
+globalalertfilter.filters.filter\(24\).url=https://ec-cube/products/detail/.*
+globalalertfilter.filters.filter\(24\).urlregex=true
+globalalertfilter.filters.filter\(24\).param=
+globalalertfilter.filters.filter\(24\).paramregex=false
+globalalertfilter.filters.filter\(24\).attack=
+globalalertfilter.filters.filter\(24\).attackregex=false
+globalalertfilter.filters.filter\(24\).evidence=<form action="https://ec-cube/products/add_favorite/[0-9]+" method="post">
+globalalertfilter.filters.filter\(24\).evidenceregex=true
+globalalertfilter.filters.filter\(24\).enabled=true