Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

WAF managed rule to prevent dotenv vulnerability

0

Hi There,

Please help to identify which WAF managed rule is responsible to prevent dotenv scanning e.g.

Examples

/.env, /docker/.env, /anypath/.env

I was thinking that that this rule AWSManagedRulesCommonRuleSet would help, but while testing it doesn't work and allows scanning dotenv

Thanks!

Temas
Seguridad, identidad y cumplimiento
Etiquetas
AWS WAF
Idioma
English
y0zg
preguntada hace 2 años683 visualizaciones
2 Respuestas
0

Hi,

These are couple of Rule sets that do have certain calls to env coverage :

AWSManagedRulesUnixRuleSet
PHP RuleSet

we were not able to find anything specific for docker. However we would recommend you to consider managed rules and a base coverage using which you can write custom rules to meet any additional coverage that may be needed.

Here is the link which talks about managed rule groups : https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-posix-os

I hope this helps.

AWS
INGENIERO DE SOPORTE
Wilsina_R
respondido hace 2 años
0

Hi There! Thank you for your answer! I added 2 more AWS managed rules AWSManagedRulesUnixRuleSet and AWSManagedRulesPHPRuleSet but still can access .env

curl -I  https://example.com/.env
HTTP/2 404
content-type: application/json

Any thoughts?

y0zg
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante