Re: [mod-security-users] Many web pages getting blocked!
From: Barry P. <bar...@ho...> - 2015-04-07 15:02:02
Google Tag Manager uses small iFrames as a fallback when JavaScript can't be used. ModSecurity warns that invisible iFrames could be used to include security threats and so blocks them by default. Would be nice to be able to allow just these Google Tag Manager tags but haven't found a nice way around this myself so I disable those rules. This Stack Overflow question looks at this too: http://stackoverflow.com/questions/22964411/google-tag-manager-include-that-passes-mod-security-rules-in-apache

Alternatively, do you need to look at outbound body content? It can be expensive to do this, though obviously with the added benefit of the extra security of checking those. Most threats are concerned with looking at inbound requests, so you can turn the outbound body check off with the following:

SecResponseBodyAccess Off

This will still allow checking of outbound headers, which are quicker to process, but means you cannot check for information leakage.

Thanks,
Barry
________________________________
> From: pal...@on...
> To: mod...@li...
> Date: Tue, 7 Apr 2015 19:03:07 +0530
> Subject: [mod-security-users] Many web pages getting blocked!
>
> Hi,
>
> Our many web pages are getting blocked by the following rules defined in the base_rules/modsecurity_crs_50_outbound.conf file:
>
> #
> # IFrame Injection
> #
> SecRule RESPONSE_BODY "!@pm iframe" \
>     "phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
> #SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
>     "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
> SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
>     "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
>
> SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \
>     "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
>
> SecMarker END_IFRAME_CHECK
>
>
> Following is the error log which we get:
>
> ModSecurity: Access denied with code 403 (phase 4). Pattern match "<\\\\W*iframe[^>]+?\\\\b(?:width|height)\\\\b\\\\W*?=\\\\W*?[\\"']?[^\\"'1-9]*?(?:(?:20|1?\\\\d(?:\\\\.\\\\d*)?)(?![\\\\d%.])|[0-3](?:\\\\.\\\\d*)?%)" at RESPONSE_BODY. [file "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_50_outbound.conf"] [line "71"] [id "981000"] [rev "2"] [msg "Possibly malicious iframe tag in output"] [data "Matched Data: <iframe src=\\x22//www.googletagmanager.com/ns.html?id=GTM-PXKNDQ\\x22 height=\\x220 found within RESPONSE_BODY: <!doctype html>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a..."] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME"] [hostname "1atesting.in"] [uri "/index.html"] [unique_id "VSPU-cCoqoMAAGAEfNAAAADL"]
>
>
> Is this a false positive and we should comment this rule from mod-security or our script is containing a pattern which is considered malicious?
>
> Please help.
>
> Thanks,
> Pallavi
>
> ________________________________
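The two CRS outbound patterns quoted in the thread, run in Python against a constructed page body to show why the Google Tag Manager noscript fallback trips rule 981000 (height/width of 0 falls in its "20 pixels or less" band) and what a targeted allow-list keeps that Barry's blanket SecResponseBodyAccess Off would give up. This is an added example, not code from the thread or from the CRS project; the GTM container id, the sample HTML and the helper regexes for isolating tags are assumptions made for the demo.

```python
import re

# Patterns of CRS 2.2.9 rules 981000 (tiny width/height) and 981001 (display:none),
# copied verbatim from the quoted modsecurity_crs_50_outbound.conf rules.
RULE_981000 = re.compile(
    r"<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?"
    r"(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)"
)
RULE_981001 = re.compile(
    r"<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b"
)
# Helper regexes assumed for this demo (not CRS): each opening iframe tag and its src.
IFRAME_TAG = re.compile(r"<\s*iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"\bsrc\W*?=\W*?[\"']?([^\"'\s>]+)", re.I)
# Allow-list prefix for a targeted exception: the GTM container URL seen in the log.
GTM_PREFIX = "//www.googletagmanager.com/ns.html?id=GTM-"

def matched_rules(tag):
    """Ids of the CRS patterns that fire on one iframe tag (t:replaceComments,
    which CRS applies before matching, is not modelled here)."""
    return [rid for rid, rx in (("981000", RULE_981000), ("981001", RULE_981001))
            if rx.search(tag)]

def is_gtm_container(tag):
    """True when the iframe src is the allow-listed GTM noscript fallback."""
    m = SRC_ATTR.search(tag)
    return bool(m) and m.group(1).startswith(GTM_PREFIX)

def triage(body):
    """(tag, rule ids, suppress) for each iframe in a response body that trips a
    rule. suppress is True only for the GTM container, the one hit a targeted
    exception should drop; every other hidden iframe keeps its block."""
    out = []
    for m in IFRAME_TAG.finditer(body):
        tag = m.group(0)
        rules = matched_rules(tag)
        if rules:
            out.append((tag, rules, is_gtm_container(tag)))
    return out

# Constructed sample body: GTM's noscript fallback (placeholder container id),
# a normal visible embed, and an unknown 1x1 iframe that the rules exist to catch.
SAMPLE_BODY = """<!doctype html><html><body>
<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-XXXXXX" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<iframe src="https://video.example/embed/42" width="300" height="200"></iframe>
<iframe src="http://unknown.invalid/x" width="1" height="1"></iframe>
</body></html>"""
```

The same allow-list as a ModSecurity 2.x exception is a phase:4 SecRule on RESPONSE_BODY using `@contains googletagmanager.com/ns.html` with `ctl:ruleRemoveById=981000` (and 981001), loaded before modsecurity_crs_50_outbound.conf so it runs first in that phase. Note that such a ctl exception lifts the check for the whole response that contains the GTM string, not just for the GTM tag, so keep it scoped (for example with a location or URI condition) rather than global.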