Re: [mod-security-users] [Fwd: Re: XMLRPC Payload Rule]

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Did you see this message in the debug log?

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Input filter: Request body access not enabled.

You need to add - SecRequestBodyAccess On

To your conf.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com

________________________________
From: Rob Greenwood
To: Brian Rectanus
Cc: Mod Security
Sent: Tue Nov 03 19:45:10 2009
Subject: Re: [mod-security-users] [Fwd: Re: XMLRPC Payload Rule]

Sure :)

The XML getting passed is XMLRPC and is posted to /RPC in the following format..;

POST /RPC2 HTTP/1.1
<?xml version=\"1.0\" ?>
<methodCall>
  <methodName>session.login_with_password</methodName>
   <params>
    <param>
     <value>
      <string>test</string>
     </value>
    </param>
    <param>
     <value>
      <string>test</string>
     </value>
    </param>
   </params>
</methodCall>

The element I'm bothered about filtering on is methodName, so my rule is as follows..;

SecRuleEngine On
SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_URI "^/RPC" phase:1,pass,ctl:requestBodyProcessor=XML
SecRule XML:/methodCall/methodName/text() session.login_with_password

Debug log shows..;

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9>] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Recipe: Invoking rule 82170b0; [file "/etc/apache2/sites-enabled/000-default"] [line "14"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5>] Rule 82170b0: SecRule "REQUEST_URI" "@rx ^/RPC" "log,status:403,phase:1,pass,ctl:requestBodyProcessor=XML"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Transformation completed in 2 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Executing operator "rx" with param "^/RPC" against REQUEST_URI.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9>] Target value: "/RPC2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Operator completed in 31 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Ctl: Set requestBodyProcessor to XML.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][2<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][2>] Warning. Pattern match "^/RPC" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-default"] [line "14"]
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Rule returned 1.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9>] Match -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] PdfProtect: Not enabled here.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Second phase starting (dcfg 8214280).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Input filter: Request body access not enabled.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Time #1: 644
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Starting phase REQUEST_BODY.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9>] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Recipe: Invoking rule 82178d0; [file "/etc/apache2/sites-enabled/000-default"] [line "15"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5>] Rule 82178d0: SecRule "XML:/methodCall/methodName/text()" "@rx session.login_with_password" "log,deny,status:403,phase:2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Rule returned 0.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9>] No match, not chained -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4<http://192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4>] Time #2: 724

So the first phase is triggering and enabling the XML processor, but the second phase doesn't match.

Am I being stupid?

Thanks in advance!

2009/11/3 Brian Rectanus <Bri...@br...<mailto:Bri...@br...>>
I don't have a good example other than those in the docs.  Those seem pretty straight forward.  Maybe send us what you have tried and someone can comment on what you may be missing?

-B

--
Brian Rectanus
Breach Security