Re: [mod-security-users] [Fwd: Re: XMLRPC Payload Rule]
From: Ryan B. <Rya...@br...> - 2009-11-04 01:00:13
Did you see this message in the debug log?

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Input filter: Request body access not enabled.

You need to add -

SecRequestBodyAccess On

To your conf.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com

________________________________
From: Rob Greenwood
To: Brian Rectanus
Cc: Mod Security
Sent: Tue Nov 03 19:45:10 2009
Subject: Re: [mod-security-users] [Fwd: Re: XMLRPC Payload Rule]

Sure :)

The XML getting passed is XMLRPC and is posted to /RPC in the following format:

POST /RPC2 HTTP/1.1

<?xml version="1.0" ?>
<methodCall>
  <methodName>session.login_with_password</methodName>
  <params>
    <param>
      <value>
        <string>test</string>
      </value>
    </param>
    <param>
      <value>
        <string>test</string>
      </value>
    </param>
  </params>
</methodCall>

The element I'm bothered about filtering on is methodName, so my rule is as follows:

SecRuleEngine On
SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_URI "^/RPC" phase:1,pass,ctl:requestBodyProcessor=XML
SecRule XML:/methodCall/methodName/text() session.login_with_password

Debug log shows:

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Recipe: Invoking rule 82170b0; [file "/etc/apache2/sites-enabled/000-default"] [line "14"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5] Rule 82170b0: SecRule "REQUEST_URI" "@rx ^/RPC" "log,status:403,phase:1,pass,ctl:requestBodyProcessor=XML"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Transformation completed in 2 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Executing operator "rx" with param "^/RPC" against REQUEST_URI.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] Target value: "/RPC2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Operator completed in 31 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Ctl: Set requestBodyProcessor to XML.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][2] Warning. Pattern match "^/RPC" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-default"] [line "14"]
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Rule returned 1.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] Match -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] PdfProtect: Not enabled here.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Second phase starting (dcfg 8214280).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Input filter: Request body access not enabled.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Time #1: 644
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Starting phase REQUEST_BODY.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Recipe: Invoking rule 82178d0; [file "/etc/apache2/sites-enabled/000-default"] [line "15"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5] Rule 82178d0: SecRule "XML:/methodCall/methodName/text()" "@rx session.login_with_password" "log,deny,status:403,phase:2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Rule returned 0.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] No match, not chained -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Time #2: 724

So the first phase is triggering and enabling the XML processor, but the second phase doesn't match. Am I being stupid?

Thanks in advance!

2009/11/3 Brian Rectanus <Bri...@br...>

I don't have a good example other than those in the docs. Those seem pretty straight forward. Maybe send us what you have tried and someone can comment on what you may be missing?

-B

--
Brian Rectanus
Breach Security
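The configuration below is an added example, not code from the thread or from the ModSecurity project. It restates Rob's rule set with the directive Ryan points out was missing (SecRequestBodyAccess On) and adds the checks a practitioner would normally put around an XML body rule: a body size bound, a fail-closed check on XML parse errors, and an exact-match operator for the method name. The rule ids, the body limits and the use of REQUEST_FILENAME instead of REQUEST_URI are assumptions made for this example; the directives, variables and operators themselves are standard ModSecurity 2.x.

```apache
# Added example, not from the thread or the ModSecurity project.
# Rule ids and body limits are assumed values chosen for illustration.

SecRuleEngine On

# The fix from the reply above. With this Off (the default) ModSecurity never
# reads the POST body, so the XML collection is empty in phase 2 and the
# methodName rule returns 0, which is exactly what the debug log shows.
SecRequestBodyAccess On

# Bound what gets buffered and handed to the XML parser (assumed sizes).
SecRequestBodyLimit 131072
SecRequestBodyNoFilesLimit 131072

SecDefaultAction "phase:2,log,deny,status:403"

# Phase 1, as in the original: select the XML body processor for the XML-RPC
# endpoint. This must run in phase 1, before the body is read.
# REQUEST_FILENAME is the path without the query string, so ?foo=bar cannot
# change the outcome the way it could with an unanchored match on REQUEST_URI.
SecRule REQUEST_FILENAME "@beginsWith /RPC" \
    "id:100001,phase:1,pass,nolog,ctl:requestBodyProcessor=XML"

# Fail closed when the body did not parse as XML. Without this, a malformed
# or deliberately broken document yields an empty XML collection and the
# method check below never fires.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
    "id:100002,phase:2,log,deny,status:400,msg:'XML body parse error: %{REQBODY_PROCESSOR_ERROR_MSG}'"

# The method check. @streq replaces the bare regex so the dot in the method
# name is literal and the comparison is exact rather than a substring match.
SecRule XML:/methodCall/methodName/text() "@streq session.login_with_password" \
    "id:100003,phase:2,t:none,t:trim,log,deny,status:403,msg:'Blocked XML-RPC method %{MATCHED_VAR}'"
```

To check it, post the sample methodCall from the thread to /RPC2 and confirm in the debug log that the "Request body access not enabled" line no longer appears and that rule 100003 reports a match and a 403. Two caveats: SecRequestBodyAccess is not per-URI, so every POST in that virtual host is now buffered up to the configured limit; and rule ids are optional in the 2.5 release the thread was written against but mandatory from ModSecurity 2.7 on.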