[ https://www.modsecurity.org/tracker/browse/MODSEC-344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-344.
--------------------------------------
Fix Version/s: 2.7.2
Resolution: Fixed
> ModSecurityIIS: HTTP Request Smuggling protection does not work
> ---------------------------------------------------------------
>
> Key: MODSEC-344
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-344
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Affects Versions: 2.7.0
> Environment: Server: IIS 7 on Windows Server 2008 R2
> Test Client: WCAT on Windows Server 2008 R2
> Reporter: akurmi
> Assignee: Breno Silva Pinto
> Labels: IIS, ModSecurityIIS
> Fix For: 2.7.2
>
> Attachments: conf1.zip
>
>
> ModSecurity configuration file:
> #
> # HTTP Request Smuggling
> #
> # -=[ Rule Logic ]=-
> # This rule looks for a comma character in either the Content-Length or Transfer-Encoding
> # request headers. This character would indicate that there were more than one request header
> # with this same name. In these instances, Apache treats the data in a similar manner as
> # multiple cookie values.
> #
> # -=[ References ]=-
> # http://projects.webappsec.org/HTTP-Request-Smuggling
> # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
> #
> SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
> WCAT Scenario:
> transaction
> {
>     id = "HTTP Request Smuggling (950012) 2";
>     weight = 100;
>     request
>     {
>         addheader
>         {
>             name = "Content-Length";
>             value = "3";
>         }
>         addheader
>         {
>             name = "Content-Length";
>             value = "3";
>         }
>         url = "/default.aspx";
>         statuscode = 403;
>         port = 8080;
>         verb = POST;
>         postdata = "abc";
>     }
>     close
>     {
>         method = ka;
>     }
> }
> It returns 405 instead of 403.
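To show what rule 950012 is actually checking, here is an added Python example that is not part of the issue report or of ModSecurity itself. It parses a raw HTTP/1.1 request head, folds repeated headers into one comma-separated value the way the rule's comment says Apache does, and flags the same condition the rule matches (a comma in Content-Length or Transfer-Encoding). It goes slightly beyond the rule by also reporting a request that carries both framing headers or a non-numeric Content-Length, which are the other classic framing ambiguities. The sample requests are constructed from the WCAT scenario above; the `Host` value is a placeholder.

```python
import re
from typing import Dict, List

# Headers whose duplication or merging makes request framing ambiguous.
FRAMING_HEADERS = ("content-length", "transfer-encoding")


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 request head into a case-insensitive
    name -> [values] map, keeping every repeated header separately."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fold_like_apache(values: List[str]) -> str:
    """Merge repeated header values into one comma-separated value,
    which is the behaviour the rule's comment attributes to Apache."""
    return ",".join(values)


def check_request_smuggling(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the framing
    headers of the request are unambiguous."""
    findings: List[str] = []
    headers = parse_headers(raw)
    for name in FRAMING_HEADERS:
        folded = fold_like_apache(headers.get(name, []))
        # Mirrors CRS rule 950012: a comma in the folded value means
        # the client sent the header more than once.
        if "," in folded:
            findings.append(f"duplicate {name} header: {folded!r}")
    # Beyond the rule: CL and TE together is the other classic ambiguity.
    if "content-length" in headers and "transfer-encoding" in headers:
        findings.append("both Content-Length and Transfer-Encoding present")
    cl = headers.get("content-length", [])
    if len(cl) == 1 and not re.fullmatch(r"[0-9]+", cl[0]):
        findings.append(f"non-numeric Content-Length: {cl[0]!r}")
    return findings


# Constructed from the WCAT scenario: two Content-Length headers.
SMUGGLED = (b"POST /default.aspx HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Content-Length: 3\r\n"
            b"Content-Length: 3\r\n"
            b"\r\nabc")

# Constructed: the same request with a single Content-Length header.
CLEAN = (b"POST /default.aspx HTTP/1.1\r\n"
         b"Host: example.test\r\n"
         b"Content-Length: 3\r\n"
         b"\r\nabc")

if __name__ == "__main__":
    print(check_request_smuggling(SMUGGLED))  # flags the duplicate header
    print(check_request_smuggling(CLEAN))     # []
```

A legitimate multi-valued `Transfer-Encoding: gzip, chunked` also contains a comma, so the rule's check (and this reimplementation of it) will match that too; that is a known characteristic of this rule rather than a bug in the example, and anyone tuning it should decide how such requests are handled.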
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira