WAF managed rule to prevent dotenv vulnerability

0

Hi There,

Please help to identify which WAF managed rule is responsible for preventing dotenv scanning, e.g.

Examples

/.env, /docker/.env, /anypath/.env

I was thinking that this rule AWSManagedRulesCommonRuleSet would help, but while testing it doesn't work and allows scanning dotenv

Thanks!

y0zg
asked 2 years ago · 683 views
2 Answers
0

Hi,

These are a couple of rule sets that do have certain calls to env coverage:

AWSManagedRulesUnixRuleSet
PHP RuleSet

We were not able to find anything specific for docker. However, we would recommend you to consider managed rules and a base coverage using which you can write custom rules to meet any additional coverage that may be needed.

Here is the link which talks about managed rule groups : https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-posix-os

I hope this helps.

AWS
SUPPORT ENGINEER
answered 2 years ago
0

Hi There! Thank you for your answer! I added 2 more AWS managed rules AWSManagedRulesUnixRuleSet and AWSManagedRulesPHPRuleSet but still can access .env

curl -I  https://example.com/.env
HTTP/2 404
content-type: application/json

Any thoughts?

y0zg
answered 2 years ago
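
One way to write the custom rule the support answer suggests, shown as an added example (not code from this thread or from AWS): a WAFv2 byte-match rule that blocks any URI path ending in `/.env`, plus a local helper that approximates its matching on constructed sample paths. The rule name, priority, metric name and the `would_match` helper are assumptions made for this example.

```python
import json
from urllib.parse import unquote

# Custom rule in the AWS WAFv2 rule JSON shape. Name, Priority and MetricName
# are placeholders for this example. SDKs take SearchString as bytes.
BLOCK_DOTENV_RULE = {
    "Name": "block-dotenv-paths",
    "Priority": 0,
    "Statement": {"ByteMatchStatement": {
        "SearchString": "/.env",
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "ENDS_WITH",
        "TextTransformations": [
            {"Priority": 0, "Type": "URL_DECODE"},   # catches /%2eenv
            {"Priority": 1, "Type": "LOWERCASE"},    # catches /.ENV
        ],
    }},
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "block-dotenv-paths",
    },
}


def would_match(path, rule=BLOCK_DOTENV_RULE):
    """Local approximation: apply the transformations in priority order, then test ENDS_WITH."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    value = path
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            value = unquote(value)
        elif t["Type"] == "LOWERCASE":
            value = value.lower()
    return value.endswith(stmt["SearchString"])


if __name__ == "__main__":
    # Constructed sample paths: the three from the question plus edge cases.
    for p in ("/.env", "/docker/.env", "/anypath/.env", "/%2Eenv", "/.ENV",
              "/.env.example", "/environment"):
        print(f"{p:16} -> {'BLOCK' if would_match(p) else 'pass'}")
    print(json.dumps(BLOCK_DOTENV_RULE, indent=2))
```

`ENDS_WITH` leaves variants such as `/.env.example` unmatched; covering those needs a broader constraint or a regex statement. With the default Block action, WAF answers a matching request with HTTP 403, which is the status to look for when testing with `curl -I`.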
