Re: [mod-security-users] Question...
From: Dave R. ►D. 202-369-1. <Da...@3d...> - 2013-07-17 23:45:26
Ryan,
Thank you very much.
Please don’t laugh... I’m new to this.
Again, I’ve been using the default configuration...
Is this the rule that is causing the issue?
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'1234123404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
Would I just add this as a new line in the configuration text area?
“SecRuleUpdateTargetById 1234123404 !REQUEST_FILENAME”
Or does this string need to be added to or integrated into this rule in the configuration text area and if so, where?
THANKS!
d.
David Roe | Direct 202-369-1455
CERTIFIED Google AdWords Partner | 360 Virtual Tour Photography | Mobile Web | SMS
From: Ryan Barnett [mailto:RBa...@tr...]
Sent: Wednesday, July 17, 2013 7:07 PM
To: <Da...@3d...>
Cc: Mailing-List mod_security
Subject: Re: [mod-security-users] Question...
Dave,
These look like rules from gotroot based on the rule IDs.
The false positive here is due to the rule looking in the request FILENAME variable for the ".cookie" string. This matched on -
/clients/dynatree-1.2.1/jquery/jquery.cookie.js
So you will want to add an exception to remove this variable from inspection -
SecRuleUpdateTargetById 1234123404 !REQUEST_FILENAME
As an FYI - there is a low possibility of a real attack in the request FILENAME and a high false positive rate. This is why we removed that from the OWASP CRS -
https://github.com/SpiderLabs/owasp-modsecurity-crs
Might want to consider using those.
--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs
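To make the placement concrete, here is an added configuration fragment (not from the thread, and not from the gotroot or OWASP rule sets) showing where the exception Ryan describes goes. SecRuleUpdateTargetById is a standalone directive: it is not edited into the rule text, it is added as its own line after the rule it changes. The fragment assumes rule 1234123404 is defined in /usr/local/apache/conf/modsec2.user.conf (the file named in the audit log above) and that, as the log shows, REQUEST_FILENAME is among the targets that rule inspects; the LocationMatch path is the one from the thread, used as a sample.

```apache
# Load the rule set that defines rule 1234123404 first.
# (Path taken from the audit log line in this thread.)
Include /usr/local/apache/conf/modsec2.user.conf

# The exception must appear AFTER the rule it modifies: ModSecurity 2.x
# looks up the id among rules already parsed, so a line placed before the
# Include cannot find the rule and the change is not applied.
#
# Option A (what Ryan suggests): stop rule 1234123404 from inspecting the
# request filename at all. The rule keeps all of its other targets, so
# headers, arguments and XML bodies are still checked for XSS patterns.
SecRuleUpdateTargetById 1234123404 !REQUEST_FILENAME

# Option B (narrower): keep the rule unchanged everywhere except for the
# one static file that triggered the false positive. SecRuleRemoveById
# inside a LocationMatch disables the rule only for matching paths.
# The path is the sample from the audit log; adjust it to your site.
<LocationMatch "^/clients/dynatree-1\.2\.1/jquery/jquery\.cookie\.js$">
    SecRuleRemoveById 1234123404
</LocationMatch>
```

Use one option or the other, not both, and run `apachectl configtest` before reloading so a misplaced directive is caught at startup rather than in production. After the change, a quick check is to request the file again and confirm that the audit log no longer records id 1234123404 with REQUEST_FILENAME as the matched variable.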
On Jul 17, 2013, at 6:02 PM, "Dave Roe ►Direct 202-369-1455" <Da...@3d...> wrote:
Harald,
I have posted the apache log file for an account that experienced the issue earlier today here (thedonaldsongroup.com):
http://www.juicebox360.com/thedonaldsongroup.com.gz
Again, I am using the default rules for Mod Security. I am interested in knowing which of the default rules I need to disable or remove to allow for the use of cookies.
I have uploaded a screen shot of the Mod Security log that shows the activity here:
http://www.juicebox360.com/Mod_Security_Issue.pdf
I am specifically interested in preventing this rule from running:
Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Whatever help you can offer would be greatly appreciated.
Thank you.
d.
David Roe | Direct 202-369-1455
CERTIFIED Google AdWords Partner | 360 Virtual Tour Photography | Mobile Web | SMS
-----Original Message-----
From: Reindl Harald [mailto:h.r...@th...]
Sent: Wednesday, July 17, 2013 5:29 PM
To: Mailing-List mod_security
Subject: Re: [mod-security-users] Question...
why do you not reply to the list?
*you* need to know where *your* logfiles are configured
On 17.07.2013 23:27, Dave Roe ►Direct 202-369-1455 wrote:
Reindl,
I apologize... could you send me a link to the apache log file?
I don't know where that is -
THANKS!
David Roe | Direct 202-369-1455
CERTIFIED Google AdWords Partner | 360 Virtual Tour Photography |
Mobile Web | SMS
-----Original Message-----
From: Reindl Harald [mailto:h.r...@th...]
Sent: Wednesday, July 17, 2013 2:05 PM
To: mod...@li...
Subject: Re: [mod-security-users] Question...
On 17.07.2013 18:57, Dave Roe ►Direct 202-369-1455 wrote:
I have a simple question.
I am wondering which of the default configuration rules I need to
disable to allow one of my custom apps to set cookies?
Right now we are getting a 406 error
any answer would be easier if you would post the error message in the
apache logfile so we know *what* rule
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/