web_injection: harden markdown exfil detectors against domain/extension/param evasion#1928
Open
WatchTree-19 wants to merge 1 commit into
Open
web_injection: harden markdown exfil detectors against domain/extension/param evasion#1928WatchTree-19 wants to merge 1 commit into
WatchTree-19 wants to merge 1 commit into
Conversation
…on/param evasion The MarkdownExfil* regexes missed hyphenated domains, svg/bmp/ico image sinks, and query-param names with digits/underscores/hyphens - each a one-character change to the attacker-controlled exfil URL. Widen the shared charsets accordingly; structure is unchanged so benign images still don't score. +regression test. Signed-off-by: WatchTree-19 <119982314+WatchTree-19@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
problem
the
web_injection.MarkdownExfil*detectors catch the Bing/ChatGPT markdown-image data-exfiltration pattern (), but the regexes are narrow enough that a trivial, attacker-controlled change to the exfil URL evades them:[a-z0-9.]/[a-z0-9./]with no hyphen, sohttps://bad-domain.com/logo.png?q=<data>doesn't match. (the regex comments even usebad-domain.comas an example - but that example never matched its own detector.)(jpg|jpeg|gif|webp|png); a markdown image pointing at.svg(renderable and exfil-capable) slips past.[a-z]+, so?q1=/?q_1=/?x-data=don't match.each is a one-character change to the URL the attacker controls, so they're realistic bypasses of a real-world exfil detector.
fix
widen the shared patterns across all the MarkdownExfil regexes:
[a-z0-9.]/[a-z0-9./]-> add-svg,bmp,ico[a-z]+->[a-z0-9_-]+structure is otherwise unchanged, so benign images without a populated exfil parameter still don't score.
tests
added
test_markdown_exfil_hardened_against_evasioncovering the three evaded variants (hyphen domain, svg, digit/underscore param) plus benign controls. all existingtest_detectors_web_injection.pyassertions still hold unchanged - the safe/unsafe corpus keys on markdown structure, not these charsets.black+ruffclean.found by reading the detector.