From cd76bacd4aa42e0a2b97f3c8e3ff497fd3dd0495 Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Mon, 10 Oct 2022 22:34:26 +0200
Subject: Added detection of URLs starting with a dot (.)

---
 src/lib/protocols/http.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f26aeaa5c..3430af942 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -632,6 +632,8 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct
     ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL");
   else if(strncmp(url, "/shell?", 7) == 0)
     ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected");
+  else if(strncmp(url, "/.", 2) == 0)
+    ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot");
 }
 
 /* ************************************************************* */
-- 
cgit v1.2.3