[mod-security-users] issue with response body processing
From: Alex <adm...@ah...> - 2015-10-19 02:55:47
Hi All,
I am having a problem with rules that involve inspection of the response
body. Some info about the server:
Modsec version: 2.2.9
Ruleset version: "OWASP_CRS/2.2.9"
Web Server: Apache 2.4
OS: Debian 8 x64 (using modsec and crs from the debian repository).
The below rule keeps tripping (snippet from audit log):
--d123de0b-H--
Message: Match of "rx (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b)"
against "RESPONSE_BODY" required.
[file "/etc/modsecurity/activated_rules/modsecurity_crs_50_outbound.conf"]
[line "39"] [id "970903"] [rev "2"] [msg "ASP/JSP source code leakage"]
[data "Matched Data: <% found within RESPONSE_BODY: \x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\xed}\xfbw\xdb6\xd2\xe8\xcf\xf69\xfd\x1f\xb0ln%\xb7\xd6\xd3\xcf\xc8\x8f\xae7NZ\xdf\xbc\xfc\xd9n\xb7\xdf\xa699\x94\x08Y\x8c)R%);J\xae\xff\xf7;3\x00\xf8\xa6D\xca\x92\x9dt\xad\xd3\xc6\x12\x09\x0c\x06\x83\xc1\xbc0\x00\xbe[\xdd\xff\xc7\xf1\xdbg\x17\xff{\xfa\x9c\x0d\xfc\xa1u\xf8\xdd\xea>\xfee\x96n_\x1eh\xdc\xd6\xe0\x09\x83\xcf\xfe\x80\xeb\x86\xfcN\xbf\x87\xdc\xd7\xa1\x8a?\xaa\xf1\xbf\xc6\xe6\xf5\x81\xd6sl\x9f\xdb~\xcd\x9f\x8c\..."]
[severity "ERROR"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"]
[tag "OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP"] [tag "WASCTC/WASC-13"]
[tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Message: Access denied with code 403 (phase 4).
[file "/etc/modsecurity/activated_rules/modsecurity_crs_59_outbound_blocking.conf"]
[line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4):
Last Matched Message: ASP/JSP source code leakage"] [data "Last Matched Data: <%"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score.
[file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"]
[line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4):
ASP/JSP source code leakage"]
Action: Intercepted (phase 4)
Stopwatch: 1444624874809492 772556 (- - -)
Stopwatch2: 1444624874809492 772556; combined=14697, p1=470, p2=12435,
p3=3, p4=1679, p5=110, sr=82, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/);
OWASP_CRS/2.2.9.
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"
----------------------------
This rule is being tripped in error. The response body in the audit log
seems to be compressed and is all garbage; it just happens that there is
probably a sequence of characters in that data that trips this rule.
Setting "SecDisableBackendCompression Off" seems to fix this but
ultimately disables compression altogether in Apache, which is not
good news since I'd like to keep compression on for our site visitors.
Is there any way to have ModSecurity look at the response body prior to
Apache compressing it? Googling for solutions really only turned up
articles suggesting the SecDisableBackendCompression trick. Surely
there is a better way to deal with this and still have the best of both
worlds.
Look forward to suggestions.
Cheers,
Alex.
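The following is an added example, not code from the post above and not ModSecurity or CRS code. It models the rule-970903 chain as the audit log shows it: the first regex (copied verbatim from the log) recognises well-known binary formats and exempts them from the rule; the second part then searches for the ASP/JSP "<%" open tag (assumed here from the "Matched Data: <%" in the log; the real CRS pattern is longer, and the case-insensitive flag is a stand-in for the CRS lowercase transformation). The header bytes in the logged body, 1f 8b 08 00 00 00 00 00 00 03, are an RFC 1952 gzip member (deflate, no flags, mtime 0, OS 3 = Unix), and gzip's magic is not among the formats the first regex exempts, so the chained rule scanned an opaque deflate stream as though it were text. The example shows that failure mode, then the inspection an engine must do instead: undo the transport encoding before matching, with a size cap so an attacker cannot feed the inspector a decompression bomb. It only demonstrates the inspection logic in Python; it does not address how Apache orders the ModSecurity and mod_deflate output filters. Sample bodies, the cap and the function names are constructed for the example.

```python
import gzip
import re
import zlib

# First half of the rule-970903 chain, quoted verbatim from the audit log.
# A match here EXEMPTS the body ("!@rx ... required" in the log).
BINARY_MAGIC = re.compile(
    rb"(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if"
    rb"|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)",
    re.IGNORECASE,  # assumption: stand-in for the CRS lowercase transformation
)
# Second half, assumed from "Matched Data: <%" in the log (real pattern is longer).
ASP_JSP_TAG = re.compile(rb"<%")

# RFC 1952 gzip magic; the logged body starts 1f 8b 08 00 00 00 00 00 00 03,
# i.e. a gzip member with mtime 0 as produced by the server's compressor.
GZIP_MAGIC = b"\x1f\x8b"

# Assumed cap on inflated size so the inspector cannot be handed a decompression bomb.
MAX_DECOMPRESSED = 1 << 20


def scan_crs_like(body: bytes) -> str:
    """Scan the bytes exactly as the post's server did, whatever they are.

    Returns "skip" (binary format, rule does not fire), "leak" or "clean".
    """
    if BINARY_MAGIC.search(body):
        return "skip"
    return "leak" if ASP_JSP_TAG.search(body) else "clean"


def gunzip_capped(body: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate one gzip member, refusing to emit more than `limit` bytes."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect gzip wrapper
    out = inflater.decompress(body, limit)
    if inflater.unconsumed_tail or not inflater.eof:
        # Output hit the cap with input left over, or the stream is truncated.
        raise ValueError("gzip body exceeds %d bytes or is incomplete" % limit)
    return out


def scan_decoded(body: bytes, content_encoding: str = "") -> str:
    """Undo transport compression first, then apply the same rule logic.

    Returns "oversize" when the body will not inflate within the cap and
    "undecodable" when it claims to be gzip but is not a valid stream.
    """
    if content_encoding.strip().lower() == "gzip" or body.startswith(GZIP_MAGIC):
        try:
            body = gunzip_capped(body)
        except ValueError:
            return "oversize"
        except zlib.error:
            return "undecodable"
    return scan_crs_like(body)


# Constructed sample bodies (not taken from the post).
CLEAN_HTML = (b"<!DOCTYPE html><html><body><h1>Hello</h1>"
              + b"<p>lorem ipsum dolor sit amet</p>" * 40 + b"</body></html>")
LEAKED_JSP = b'<html><body><% out.println(request.getParameter("q")); %></body></html>'
GIF_BODY = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16


def compress_like_server(body: bytes) -> bytes:
    """gzip with mtime 0, matching the header bytes seen in the audit log."""
    return gzip.compress(body, compresslevel=6, mtime=0)


if __name__ == "__main__":
    for name, body in (("clean html", CLEAN_HTML), ("jsp leak", LEAKED_JSP), ("gif", GIF_BODY)):
        gz = compress_like_server(body)
        print(f"{name:10s} plain={scan_crs_like(body):5s} "
              f"raw-gzip={scan_crs_like(gz):5s} decoded={scan_decoded(gz, 'gzip')}")
```

The raw-gzip column is the post's situation: because the compressed body is never "skip", the `<%` search runs over deflate output, and whether it fires depends only on which two bytes happen to be adjacent in the stream, so both false positives (Alex's case) and false negatives (a real `<%` hidden by compression) are possible. The decoded column is what an inspector sees once the encoding is removed, which is why inspection has to happen on the uncompressed body, either before compression in the server or by inflating under a size limit.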