contrast-agent 5.3.0 → 6.1.1

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -10,57 +10,83 @@ module Contrast
         # The Ruby implementation of the Protect HTTP Method Tampering rule.
         class HttpMethodTampering < Contrast::Agent::Protect::Rule::BaseService
           NAME = 'method-tampering'
-          STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          # STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
+          #
+          # APPLICABLE_METHODS_INPUTS = %w[
+          #   ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
+          #   DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
+          #   MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
+          #   PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
+          #   UNLOCK UPDATE VERSION-CONTROL
+          # ].cs__freeze
 
-          def rule_name
-            NAME
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  method: attack_sample.method_tampering.method, # rubocop:disable Security/Object/Method
+                  responseCode: attack_sample.method_tampering.response_code
+              }
+            end
           end
 
-          def postfilter context
-            return unless enabled? && POSTFILTER_MODES.include?(mode)
-            return if normal_request?(context)
-
-            # The only way to be here in postfilter with a result is if the rule mode was MONITOR
-            ia_results = gather_ia_results(context)
-            return if ia_results.empty?
-
-            # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
-            response_code = context&.response&.response_code
-            return unless response_code
-
-            method = ia_results.first.value
-            result = if response_code.to_s.start_with?('4', '5')
-                       build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
-                     else
-                       build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
-                     end
-
-            return unless result
-
-            append_to_activity(context, result)
-            cef_logging result, :ineffective_attack
-          end
-
-          protected
-
-          def build_sample context, evaluation, _candidate_string, **kwargs
-            sample = build_base_sample(context, evaluation)
-            sample.user_input.value = kwargs[:method]
-            sample.user_input.input_type = :METHOD
-
-            sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
-            sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
-            code = kwargs[:response_code] || -1
-            sample.method_tampering.response_code = code.to_i
-            sample
+          def rule_name
+            NAME
           end
 
-          private
-
-          def normal_request? context
-            method = context.request.request_method
-            context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
-          end
+          # This rule is solely based on input analysis, which the Service handles. When we move from the Service to the
+          # agent with protect library, we should re-enable these tests and that rule.
+          # TODO: RUBY-1574
+          # def enabled?
+          #   super && false
+          # end
+          #
+          # def postfilter context
+          #   return unless enabled? && POSTFILTER_MODES.include?(mode)
+          #   return if normal_request?(context)
+          #
+          #   # The only way to be here in postfilter with a result is if the rule mode was MONITOR
+          #   ia_results = gather_ia_results(context)
+          #   return if ia_results.empty?
+          #
+          #   # does the status code start with 4 or 5? Rails responds with 404 (but java is checking 501)
+          #   response_code = context&.response&.response_code
+          #   return unless response_code
+          #
+          #   method = ia_results.first.value
+          #   result = if response_code.to_s.start_with?('4', '5')
+          #              build_attack_without_match(context, nil, nil, method: method, response_code: response_code)
+          #            else
+          #              build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
+          #            end
+          #
+          #   return unless result
+          #
+          #   append_to_activity(context, result)
+          #   cef_logging result, :ineffective_attack
+          # end
+          #
+          # protected
+          #
+          # def build_sample context, evaluation, _candidate_string, **kwargs
+          #   sample = build_base_sample(context, evaluation)
+          #   sample.user_input.value = kwargs[:method]
+          #   sample.user_input.input_type = :METHOD
+          #
+          #   sample.method_tampering = Contrast::Api::Dtm::HttpMethodTamperingDetails.new
+          #   sample.method_tampering.method = Contrast::Utils::StringUtils.protobuf_safe_string(kwargs[:method])
+          #   code = kwargs[:response_code] || -1
+          #   sample.method_tampering.response_code = code.to_i
+          #   sample
+          # end
+          #
+          # private
+          #
+          # def normal_request? context
+          #   method = context.request.request_method
+          #   context.request.static? || method.nil? || STANDARD_METHODS.include?(method.upcase)
+          # end
         end
       end
     end

data/lib/contrast/agent/protect/rule/no_sqli/no_sqli_input_classification.rb

@@ -0,0 +1,231 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/no_sqli'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of NoSQLI rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module NoSqliInputClassification
+          class << self
+            include InputClassificationBase
+
+            NOSQL_COMMENT_REGEXP = %r{"\s*(?:<--|//)}.cs__freeze
+            NOSQL_OR_REGEXP = /(?=(\s+\|\|\s+))/.cs__freeze
+            NOSQL_COMMENTS_AFTER_REGEXP = %r{(?:<--|//)}.cs__freeze
+
+            ZERO_OR_MORE_SPACES_REGEXP = /\s*/.cs__freeze
+            QUOTE_REGEXP = /['"’‘]/.cs__freeze
+            NUMBERS_AND_LETTERS_REGEXP = /[[:alnum:]]+/.cs__freeze
+            COMPARISON_REGEXP = /(?:==|>=|<=|>|<|)/.cs__freeze
+            NOSQL_QUOTED_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ QUOTE_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ QUOTE_REGEXP }
+            /x.cs__freeze
+            NOSQL_NUMERIC_REGEXP = /
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ COMPARISON_REGEXP }
+              #{ ZERO_OR_MORE_SPACES_REGEXP }
+              #{ NUMBERS_AND_LETTERS_REGEXP }
+            /x.cs__freeze
+
+            NOSQL_DEFINITE_THRESHOLD = 3
+            NOSQL_WORTH_WATCHING_THRESHOLD = 1
+            NOSQL_CONFIDENCE_THRESHOLD = 3
+            MAX_DISTANCE = 10
+
+            # Input Classification stage is done to determine if an user input is
+            # WORTHWATCHING or to be ignored.
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the
+            #                                                       agent analysis from the current
+            #                                                       Request.
+            # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
+            def classify input_type, value, input_analysis
+              return unless input_analysis.request
+
+              rule_id = Contrast::Agent::Protect::Rule::NoSqli::NAME
+
+              # double check the input to avoid calling match? on array
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << nosqli_create_new_input_result(input_analysis.request,
+                                                                           rule_id,
+                                                                           input_type,
+                                                                           v)
+                end
+              end
+
+              input_analysis
+            end
+
+            private
+
+            # Creates a new instance of InputAnalysisResult with basic info.
+            #
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
+            # @param value [String, Array<String>] the value of the input.
+            # @param path [String] the path of the current request context.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def new_ia_result rule_id, input_type, score_level, path, value
+              super(rule_id, input_type, path, value).tap { |res| res.score_level = score_level }
+            end
+
+            # This methods checks if input should be tagged DEFINITEATTACK, WORTHWATCHING, or IGNORE,
+            # and creates a new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def nosqli_create_new_input_result request, rule_id, input_type, value
+              score = evaluate_patterns(value)
+              score = evaluate_rules(value, score)
+
+              score_level = if definite_attack?(score)
+                              DEFINITEATTACK
+                            elsif worth_watching?(score)
+                              WORTHWATCHING
+                            else
+                              IGNORE
+                            end
+
+              new_ia_result(rule_id, input_type, score_level, request.path, value)
+            end
+
+            # This method evaluates the patterns relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all patterns matched is
+            # returned, unless the individual matching pattern score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_patterns value, total_score = 0
+              applicable_patterns = nosqli_patterns
+              return total_score if applicable_patterns.nil?
+
+              total_patterns_score = 0
+              applicable_patterns.each do |pattern|
+                next unless value.match?(pattern[:value])
+
+                total_patterns_score += pattern[:score].to_i
+                total_score += pattern[:score].to_i
+
+                if pattern[:score].to_i >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+                  return total_score
+                end
+              end
+
+              total_score
+            end
+
+            def evaluate_comment_rule value
+              (value =~ NOSQL_COMMENT_REGEXP).nil? ? 0 : 2 # None/Medium
+            end
+
+            # This method evaluates the searcher rules relevant to NoSQL Injection to check whether
+            # the input is matched by any of them. The total score of all rules matched is
+            # returned, unless the individual matching rukle score matches or exceeds
+            # NOSQL_CONFIDENCE_THRESHOLD *and* the total score for all evaluations matches or
+            # exceeds NOSQL_DEFINITE_THRESHOLD, in which case the total score achieved to that
+            # point is returned.
+            #
+            # @param value [String] the value of the input.
+            # @param value [Integer] the total score thus far.
+            #
+            # @return res [Integer]
+            def evaluate_rules value, total_score = 0
+              total_rules_score = 0
+              %i[evaluate_comment_rule evaluate_or_rule].each do |method|
+                rule_score = send(method, value)
+                total_rules_score += rule_score
+                total_score += rule_score
+
+                return total_score if rule_score >= NOSQL_CONFIDENCE_THRESHOLD && definite_attack?(total_score)
+              end
+
+              total_score
+            end
+
+            # This method evaluates the input value for NoSQL Or searches. Each possible match is
+            # checked. If a match is found then a score of either 3 (High) or 4 (Critical) will
+            # be returned, depending on whether the regexp for finding comments is also matched.
+            #
+            # @param value [String] the value of the input.
+            #
+            # @return res [Integer]
+            def evaluate_or_rule value
+              score = 0
+
+              locs = matches_by_position(value, NOSQL_OR_REGEXP)
+              return score if locs.empty?
+
+              locs.each do |loc|
+                [NOSQL_QUOTED_REGEXP, NOSQL_NUMERIC_REGEXP].each do |pattern|
+                  pattern_locs = matches_by_position(value[loc[1]..], pattern)
+                  next unless !pattern_locs.empty? && pattern_locs[0][0] < MAX_DISTANCE
+
+                  return 4 if value.match?(NOSQL_COMMENTS_AFTER_REGEXP, loc[1] + pattern_locs[0][1]) # Critical
+
+                  score = 3 # High
+                  break
+                end
+              end
+
+              score
+            end
+
+            # This method returns the patterns to be checked against the input value.
+            #
+            # @return res [Array, nil]
+            def nosqli_patterns
+              server_features = Contrast::Agent::Reporting::Settings::ServerFeatures.new
+              rule_definitions = server_features&.protect&.rule_definition_list
+              rule_definitions&.find { |r| r[:name] == Contrast::Agent::Protect::Rule::NoSqli::NAME }&.dig(:patterns)
+            end
+
+            def matches_by_position value, pattern
+              value.to_enum(:scan, pattern).map { Regexp.last_match.offset(Regexp.last_match.size - 1) }
+            end
+
+            def definite_attack? score
+              score >= NOSQL_DEFINITE_THRESHOLD
+            end
+
+            def worth_watching? score
+              score >= NOSQL_WORTH_WATCHING_THRESHOLD
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/no_sqli.rb

@@ -18,6 +18,19 @@ module Contrast
 
           NAME = 'nosql-injection'
           BLOCK_MESSAGE = 'NoSQLi rule triggered. Response blocked.'
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.no_sqli.start_idx,
+                  end: attack_sample.no_sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.no_sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.no_sqli.input_boundary_idx,
+                  query: attack_sample.no_sqli.query
+              }
+            end
+          end
 
           def rule_name
             NAME
@@ -35,8 +48,21 @@ module Contrast
 
             append_to_activity(context, result)
 
-            cef_logging result, :successful_attack
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
+            cef_logging(result, :successful_attack)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
+          end
+
+          def build_attack_with_match context, input_analysis_result, result, candidate_string, **kwargs
+            if mode == Contrast::Api::Settings::ProtectionRule::Mode::NO_ACTION ||
+                  mode == Contrast::Api::Settings::ProtectionRule::Mode::PERMIT
+
+              return result
+            end
+
+            result ||= build_attack_result(context)
+            update_successful_attack_response(context, input_analysis_result, result, candidate_string)
+            append_sample(context, input_analysis_result, result, candidate_string, **kwargs)
+            result
           end
 
           protected

data/lib/contrast/agent/protect/rule/path_traversal.rb

@@ -25,6 +25,16 @@ module Contrast
             /windows/repair/
           ].cs__freeze
 
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  path: attack_sample.path_traversal.path
+              }
+            end
+          end
+
           def rule_name
             NAME
           end
@@ -38,9 +48,9 @@ module Contrast
             append_to_activity(context, result)
             return unless blocked?
 
-            cef_logging result, :successful_attack, path
-            raise Contrast::SecurityException.new(self,
-                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked.")
+            cef_logging(result, :successful_attack, path)
+            raise(Contrast::SecurityException.new(self,
+                                                  "Path Traversal rule triggered. Call to File.#{ method } blocked."))
           end
 
           protected

data/lib/contrast/agent/protect/rule/sqli/sqli_input_classification.rb

@@ -7,6 +7,8 @@ require 'contrast/agent/protect/rule/sqli'
 require 'contrast/agent/reporting/input_analysis/score_level'
 require 'contrast/agent/protect/rule/sqli/sqli_worth_watching'
 require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -17,9 +19,9 @@ module Contrast
         # to be analyzed at the sink level.
         module SqliInputClassification
           class << self
-            include Contrast::Agent::Reporting::InputType
-            include Contrast::Agent::Reporting::ScoreLevel
+            include InputClassificationBase
             include Contrast::Agent::Protect::Rule::SqliWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
 
             WORTHWATCHING_MATCH = 'sqli-worth-watching-v2'
             SQLI_KEYS_NEEDED = [
@@ -37,43 +39,25 @@ module Contrast
             # @return ia [Contrast::Agent::Reporting::InputAnalysis] with updated results.
             def classify input_type, value, input_analysis
               return unless Contrast::Agent::Protect::Rule::Sqli::APPLICABLE_USER_INPUTS.include?(input_type)
-              return unless input_analysis.request
+              return unless super
 
               rule_id = Contrast::Agent::Protect::Rule::Sqli::NAME
-              results = []
 
               # double check the input to avoid calling match? on array
               Array(value).each do |val|
                 Array(val).each do |v|
-                  results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                  input_analysis.results << sqli_create_new_input_result(input_analysis.request, rule_id, input_type, v)
                 end
               end
 
-              input_analysis.results = results
               input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the sqli.')
+              logger.debug(e)
             end
 
             private
 
-            # Creates new isntance of InputAnalysisResult with basic info.
-            #
-            # @param rule_id [String] The name of the Protect Rule.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param score_level [Contrast::Agent::Reporting::ScoreLevel] the score tag after analysis.
-            # @param value [String, Array<String>] the value of the input.
-            # @param path [String] the path of the current request context.
-            #
-            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
-            def new_ia_result rule_id, input_type, score_level, path, value
-              res = Contrast::Agent::Reporting::InputAnalysisResult.new
-              res.rule_id = rule_id
-              res.input_type = input_type
-              res.path = path
-              res.score_level = score_level
-              res.value = value
-              res
-            end
-
             # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
             # key if needed and Creates new isntance of InputAnalysisResult.
             #
@@ -84,37 +68,17 @@ module Contrast
             #
             # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
             def sqli_create_new_input_result request, rule_id, input_type, value
-              result = if sqli_worth_watching? value
-                         ia_result = new_ia_result(rule_id, input_type, WORTHWATCHING, request.path, value)
-                         ia_result.ids << WORTHWATCHING_MATCH
-                         ia_result
-                       else
-                         new_ia_result(rule_id, input_type, IGNORE, request.path, value)
-                       end
-              if SQLI_KEYS_NEEDED.include? input_type
-                result.key = sqli_add_needed_key request, result, input_type, value
-              end
-              result
-            end
-
-            # This methods checks if input is value that matches a key in the input.
-            #
-            # @param request [Contrast::Agent::Request] the current request context.
-            # @param result [Contrast::Agent::Reporting::InputAnalysisResult] result to be updated.
-            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
-            # @param value [String, Array<String>] the value of the input.
-            #
-            # @return result [Contrast::Agent::Reporting::InputAnalysisResult] updated with key result.
-            def sqli_add_needed_key request, result, input_type, value
-              case input_type
-              when COOKIE_VALUE
-                result.key = request.cookies.key(value)
-              when PARAMETER_VALUE
-                result.key = request.parameters.key(value)
+              ia_result = new_ia_result(rule_id, input_type, request.path, value)
+              if sqli_worth_watching?(value)
+                ia_result.ids << WORTHWATCHING_MATCH
+                ia_result.score_level = WORTHWATCHING
+                ia_result
               else
-                result.key
+                ia_result.score_level = IGNORE
               end
-              result.key
+
+              add_needed_key(request, ia_result, input_type, value) if SQLI_KEYS_NEEDED.include?(input_type)
+              ia_result
             end
           end
         end

data/lib/contrast/agent/protect/rule/sqli/sqli_worth_watching.rb

@@ -91,7 +91,7 @@ module Contrast
           # @param input [String] the user input to be inspected
           # @return true | false
           def language_keywords? input
-            contains_substring? input, SQL_KEYWORDS
+            contains_substring?(input, SQL_KEYWORDS)
           end
 
           # Helper method to find a substrings in given input.
@@ -99,9 +99,7 @@ module Contrast
           # @param substrings [Array] set of substrings to inspect.
           # @return true | false
           def contains_substring? input, substrings
-            return true if substrings.any? { |sub| input.include?(sub) }
-
-            false
+            substrings.any? { |sub| input.include?(sub) }
           end
 
           # Helper method to find the number of substrings.
@@ -111,7 +109,6 @@ module Contrast
           def number_of_substrings input, substring
             number = 0
             input.each_char.reduce(0) { |_acc, elem| number += 1 if contains_substring?(elem, substring) }
-
             number
           end
         end

data/lib/contrast/agent/protect/rule/sqli.rb

@@ -31,6 +31,20 @@ module Contrast
           NAME = 'sql-injection'
           BLOCK_MESSAGE = 'SQLi rule triggered. Response blocked.'
 
+          class << self
+            # @param attack_sample [Contrast::Api::Dtm::RaspRuleSample]
+            # @return [Hash] the details for this specific rule
+            def extract_details attack_sample
+              {
+                  start: attack_sample.sqli.start_idx,
+                  end: attack_sample.sqli.end_idx,
+                  boundaryOverrunIndex: attack_sample.sqli.boundary_overrun_idx,
+                  inputBoundaryIndex: attack_sample.sqli.input_boundary_idx,
+                  query: attack_sample.sqli.query
+              }
+            end
+          end
+
           def rule_name
             NAME
           end
@@ -47,29 +61,8 @@ module Contrast
 
             append_to_activity(context, result)
 
-            cef_logging result, :successful_attack, query_string
-            raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
-          end
-
-          private
-
-          def find_attacker context, potential_attack_string, **kwargs
-            ia_results = gather_ia_results(context)
-            find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
-          end
-
-          def infilter? context
-            return false unless context&.agent_input_analysis&.results
-            return false unless enabled?
-            return false if protect_excluded_by_code?
-
-            true
-          end
-
-          def gather_ia_results context
-            context.agent_input_analysis.results.select do |ia_result|
-              ia_result.rule_id == rule_name
-            end
+            cef_logging(result, :successful_attack, query_string)
+            raise(Contrast::SecurityException.new(self, BLOCK_MESSAGE)) if blocked?
           end
         end
       end