Thread: [mod-security-users] validateUrlEncoding question
From: hanj <ma...@as...> - 2007-05-30 23:45:13

Hello

I'm trying to understand this block:

[Wed May 30 16:28:42 2007] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Invalid URL Encoding: Not enough characters at the end of input. [hostname "www.domain.com"] [uri "/survey.php"] [unique_id "gSek7ULbO5UAABlWMpUAAAAB"]

This looks to be a false positive (based off of the client IP) and I would like to figure out what exactly the problem is, and how to correct this.

I do have:
    SecRule ARGS "@validateUrlEncoding"
in my 10_config.conf, and I'm guessing it's tripping up on that.

Thanks!
hanji
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-30 23:52:13

Are you using the Core Rules? If so, there is this existing rule in the modsecurity_crs_20_protocol_violations.conf file that checks for URL Encoding issues -

    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
        "chain,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
        SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

Why did you add one specifically to the modsecurity_crs_10_config.conf file?

In order to diagnose this, you need to send an audit log example.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: hanj
> Sent: Wednesday, May 30, 2007 7:43 PM
> Subject: [mod-security-users] validateUrlEncoding question
>
> [original message quoted above]
From: hanj <ma...@as...> - 2007-05-31 01:47:40

On Wed, 30 May 2007 19:55:32 -0400 "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> Are you using the Core Rules? If so, there is this existing rule in the
> modsecurity_crs_20_protocol_violations.conf file that checks for URL
> Encoding issues -
>
> # Check decodings
> SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
>     "chain,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
>     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

I do have that rule in protocol_violations.conf and I'm using the core rules.

> Why did you add one specifically to the modsecurity_crs_10_config.conf
> file?

I added that for the transition from mod_sec-1.x to 2.x.

In my original 99_mod_security.conf for 1.8.7, I had the following:
    SecFilterCheckURLEncoding On

Looking at the conversion matrix for 1.x to 2.x, I saw that SecFilterCheckURLEncoding was now replaced with
    SecRule ARGS "@validateUrlEncoding"

Should that not be the case???

> In order to diagnose this, you need to send an audit log example.

I'll take a look to see if I can get audit log info.

Thanks
hanji
From: hanj <ma...@as...> - 2007-05-31 01:59:57

On Wed, 30 May 2007 19:55:32 -0400 "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> In order to diagnose this, you need to send an audit log example.

Here is the audit log from the request that triggered the alert and block. I removed some of the values for privacy.

Thanks!
hanji

--f654b76b-A--
[30/May/2007:16:28:42 --0600] gSek7ULbO5UAABlWMpUAAAAB xxx.xxx.xxx.xxx 53086 xxx.xxx.xxx.xxx 80
--f654b76b-B--
POST /survey.php HTTP/1.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://www.domain.com/survey.htm
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 1469
Host: www.domain.com
Via: 1.1 xxx.xxx.xxx.xxx:8000 (squid/2.5.STABLE11)
X-Forwarded-For: xxx.xxx.xxx.xxx
Cache-Control: max-age=259200
Connection: keep-alive

--f654b76b-C--
name_1=Halfpop&GoalsAchieved=Institute+goals%3A+1%29+I+did+create+a+civil+engineering+module+related+to+energy+resources+for+use+in+my+physics+class+and+I+am+pleased+with+how+it+worked.+2%29+I+think+the+removed+removed+removed+will+help+motivate+more+removed+to+take+an+interest+in+how+technology+works.++3%29+I+do+have+a+better+grip+on+creating+data+sets%2C+but+probably+not+enough+to+feel+qualified+to+teach%2Ftrain+anyone+else.%0D%0A%0D%0AProject+goals%3A+1%29+I+did+get+some+notebooks+into+my+removed%2C+but+the+mac+power+books+were+too+late+to+be+utilized+by+my+removed+for+this+year%27s+competition.+2%29+Too+early+to+tell+if+there+will+be+any+impact+on+other+science+course+enrollments.+3%29+I+have+continued+with+removed+and+say+thanks+for+the+alert+to+attend+the+removed+conference+in+removed+this+spring.&expertInstr=4&comfortData=3&comfortMaking=3&useExtent=2&arcview=3&arcviewExt=2&encourage=3&StuBen=4&StuImpInstr=5&StuExperts_1=&StuExperts_2=10%25&StuExperts_3=30%25&StuExperts_4=40%25&StuExperts_5=20%25&removed=4&removed=eoy-tchr&PDCPDCAppVer=4.01.27&PDCPDCAdminEmlAdr=removed%40comcast.net&removedddress=removed%40comcast.net&removed=name_1%3B+GoalsAchieved%3B+expertInstr%3B+comfortData%3B+comfortMaking%3B+useExtent%3B+arcview%3B+arcviewExt%3B+encourage%3B+removed%3B+StuImpInstr%3B+StuExperts_1%3B+StuExperts_2%3B+StuExperts_3%3B+StuExperts_4%3B+StuExperts_5%3B+Sturemoved%3B+removed removed%3B+product%3B+
--f654b76b-F--
HTTP/1.1 302 Found
Location: http://www.domain.com
Content-Length: 212
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--f654b76b-H--
Message: Access denied with code 403 (phase 2). Invalid URL Encoding: Not enough characters at the end of input.
Action: Intercepted (phase 2)
Stopwatch: 1180564122477805 221943 (220704* 220906 -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache

--f654b76b-Z--
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-05-31 02:29:31

> > Why did you add one specifically to the modsecurity_crs_10_config.conf
> > file?
>
> I added that for the transition from mod_sec-1.x to 2.x.
>
> In my original 99_mod_security.conf for 1.8.7, I had the following:
>     SecFilterCheckURLEncoding On
>
> Looking at the conversion matrix for 1.x to 2.x, I saw that
> SecFilterCheckURLEncoding was now replaced with
>     SecRule ARGS "@validateUrlEncoding"
>
> Should that not be the case???

[Ryan Barnett] In 1.x the URL Encoding validation was a global Directive, which means that you could choose exactly when/where it would be applied. In 2.x, this functionality is now in an operator which allows you the flexibility to validate URL Encoding of specific Variables. In the example Core Rule that I showed you, the @validateUrlEncoding operator is already inspecting the ARGS variable along with a number of other ones. Basically, your rule is redundant and not needed.
From: hanj <ma...@as...> - 2007-05-31 02:41:11

On Wed, 30 May 2007 22:32:47 -0400 "Ryan Barnett" <Ryan.Barnett@Breach.com> wrote:

> [Ryan Barnett] In 1.x the URL Encoding validation was a global Directive
> which means that you could choose exactly when/where it would be
> applied. In 2.x, this functionality is now in an operator which allows
> you the flexibility to validate URL Encoding of specific Variables. In
> the example Core Rule that I showed you, the @validateUrlEncoding
> operator is already inspecting the ARGS variable along with a number of
> other ones. Basically, your rule is redundant and not needed.

I see. I removed some of the redundant rules that I added and I'm sticking with the core rules.

Any ideas, based off of the audit_log, why that was blocked?

Thanks!
hanji
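Editor's note, as an added example that is not code from the thread, from ModSecurity or from the Core Rules: the check behind the 2.x @validateUrlEncoding operator is small enough to reconstruct. It walks the inspected text and, at every '%', requires two following hex characters; when fewer than two characters remain it reports "Not enough characters at the end of input" (the message in the alert above), and when they are not hex it reports "Invalid character". The point a practitioner needs when reading the audit log is that ARGS and ARGS_NAMES hold parameter names and values after the engine has URL-decoded them, so a rule on ARGS does not see "10%25" from the C section, it sees "10%". The block below runs the check over the raw body and over the decoded ARGS of a constructed, shortened stand-in for the posted survey body (the real 1469-byte body is redacted and not reproduced); the decoding is assumed to match the engine's form-parameter decoding, which is an assumption of this example.

```python
# Added example for this thread: a re-implementation of the check that the
# ModSecurity 2.x @validateUrlEncoding operator performs, run over a form body
# both as the raw bytes on the wire and as the engine's ARGS collection sees it
# (parameter names and values are URL-decoded before any rule runs).
# This is not ModSecurity's own source and not code from the thread.
from urllib.parse import unquote_plus

HEX = set("0123456789abcdefABCDEF")

VALID = "valid"
NOT_ENOUGH = "Not enough characters at the end of input"
INVALID_CHAR = "Invalid character"


def validate_url_encoding(s: str) -> str:
    """Walk the string; every '%' must be followed by two hex characters.

    The two failure strings mirror the messages the operator logs; the
    thread's alert carries the first one.
    """
    i, n = 0, len(s)
    while i < n:
        if s[i] == "%":
            if i + 2 >= n:                  # '%' with fewer than 2 chars left
                return NOT_ENOUGH
            if s[i + 1] not in HEX or s[i + 2] not in HEX:
                return INVALID_CHAR
            i += 3
        else:
            i += 1
    return VALID


def parse_form_body(raw: str) -> list:
    """Split an application/x-www-form-urlencoded body into (name, value)
    pairs the way the engine builds ARGS: names and values URL-decoded and
    '+' turned into a space (assumed to match the engine's decoding).
    Order and duplicate names are preserved."""
    pairs = []
    for field in raw.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def check_args(raw: str) -> list:
    """Apply the check to ARGS_NAMES and ARGS of a body, as a rule such as
    'SecRule ARGS_NAMES|ARGS "@validateUrlEncoding"' would, and return the
    failures as (variable, decoded text, verdict) tuples."""
    failures = []
    for name, value in parse_form_body(raw):
        for variable, text in (("ARGS_NAMES:" + name, name), ("ARGS:" + name, value)):
            verdict = validate_url_encoding(text)
            if verdict != VALID:
                failures.append((variable, text, verdict))
    return failures


# Constructed, shortened stand-in for the survey POST in the audit log above:
# same shape (percent-encoded punctuation, CRLFs, percentages sent as %25),
# not the real body.
SAMPLE_BODY = (
    "name_1=Halfpop"
    "&GoalsAchieved=Institute+goals%3A+1%29+I+did+create+a+module.%0D%0A%0D%0AProject+goals%3A+done."
    "&StuExperts_1=&StuExperts_2=10%25&StuExperts_3=30%25"
    "&removed=name_1%3B+GoalsAchieved%3B+product%3B+"
)

if __name__ == "__main__":
    # The raw body is correctly encoded; the decoded ARGS are what fail.
    print("raw body:", validate_url_encoding(SAMPLE_BODY))
    for variable, text, verdict in check_args(SAMPLE_BODY):
        print(f"{variable} = {text!r}: {verdict}")
```

The raw body passes, while the decoded values "10%" and "30%" end in a bare percent sign and produce exactly the "Not enough characters at the end of input" verdict. That is the design choice to keep in mind when writing such a rule: the operator is meaningful on variables that still carry the wire encoding (the raw request line and body), whereas on decoded collections like ARGS it flags any legitimate literal percent sign that a client sent as %25. The regex in the chained Core Rule above, "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})", matches the same decoded "10%" for the same reason.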