Re: [mod-security-users] issue with response body processing
From: Alex <adm...@ah...> - 2015-10-19 23:24:11
Hi Christian,

Is this what you were wanting to see? (snippet from audit log):

--fb5c277e-A--
[20/Oct/2015:10:14:15 +1100] ViV5RnrKQOUAAAM@TmMAAAAM 59.IP.IP.IP 41052 122.IP.IP.IP 443
--fb5c277e-B--
GET /the/getrequest/index.php/something/something/1183 HTTP/1.1
Host: the.host.name
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://host.name/some/folder/index.php/blah/blah
Cookie: <snip>
Connection: keep-alive

--fb5c277e-F--
HTTP/1.1 403 Forbidden
Last-Modified: Tue, 18 Jun 2013 03:29:32 GMT
ETag: "a67-4df6552483f00"
Accept-Ranges: bytes
Content-Length: 2663
X-Powered-By: A flock of seagulls
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--fb5c277e-E--
�}�w�6����9��ln%����ȏ�7NZ��n�ߦ99Y�)R%);J���;3��Dʒ�t���
<snip loads of garbage>

--fb5c277e-H--
Message: Match of "rx (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b)" against "RESPONSE_BODY" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2"] [msg "ASP/JSP source code leakage"] [data "Matched Data: <% found within RESPONSE_BODY: \x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03\xed}\xfbw\xdb6\xd2\xe8\xcf\xf69\xfd\x1f\xb0ln%\xb7\xd6\xd3\xcf\xc8\x8f\xae7NZ\xdf\xbc\xfc\xd9n\xb7\xdf\xa699\x94\x08Y\x8c)R%);J\xae\xff\xf7;3\x00\xf8\xa6D\xca\x92\x9dt\xad\xd3\xc6\x12\x09\x0c\x06\x83\xc1\xbc0\x00\xbe[\xdd\xff\xc7\xf1\xdbg\x17\xff{\xfa\x9c\x0d\xfc\xa1u\xf8\xdd\xea>\xfee\x96n_\x1eh\xdc\xd6\xe0\x09\x83\xcf\xfe\x80\xeb\x86\xfcN\xbf\x87\xdc\xd7\xa1\x8a?\xaa\xf1\xbf\xc6\xe6\xf5\x81\xd6sl\x9f\xdb~\xcd\x9f\x8c\..."] [severity "ERROR"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Message: Access denied with code 403 (phase 4). [file "/etc/modsecurity/activated_rules/modsecurity_crs_59_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: ASP/JSP source code leakage"] [data "Last Matched Data: <%"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): ASP/JSP source code leakage"]
Action: Intercepted (phase 4)
Stopwatch: 1445296454982648 990282 (- - -)
Stopwatch2: 1445296454982648 990282; combined=16528, p1=334, p2=12802, p3=4, p4=3230, p5=157, sr=61, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"

------------------

We're definitely running modsecurity in an embedded mode scenario.

Kind Regards,
Alex R.
On 2015-10-19 15:03, Christian Folini wrote:
> Hello,
>
> On Mon, Oct 19, 2015 at 02:52:03PM +1100, Alex wrote:
>
>> Thank you for the followup. There is no reverse proxy setup in place,
>> modsecurity is running on the application server. Does this change
>> anything?
>
> Well, the doc says:
>
> "This directive is necessary in reverse proxy mode when the backend
> servers support response compression, but you wish to inspect response
> bodies. Unless you disable backend compression, ModSecurity will only
> see compressed content, which is not very useful. This directive is not
> necessary in embedded mode, because ModSecurity performs inspection
> before response compression takes place."
>
> So technically, you should not have your problem in the first place.
> So maybe it is not the compression after all. The match in your
> response body suggests binary, but not quite.
> What is this actually? Request and Response headers would be welcome.
>
> Ahoj,
>
> Christian
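Added example (editorial, not from this thread and not ModSecurity or CRS code). The RESPONSE_BODY excerpt in the audit log above begins with \x1f\x8b\x08, which is the gzip magic, so the body ModSecurity inspected had already been compressed by the time phase 4 ran, and the "Match of ... required" line is how ModSecurity records a chained negated (!@rx) rule that succeeded: rule 970903 found the two bytes "<%" somewhere inside the compressed stream, and its exclusion list of binary-file signatures (GIF, IHDR for PNG, %PDF, RIFF and so on) does not know gzip, so nothing stopped the block. The Python below reproduces that chain with the signature regex exactly as logged, then shows a hardened inspection path that inflates gzip (with an output cap, so a decompression bomb cannot be used against the inspector) before matching and reports bytes it cannot inflate as "undecodable" instead of pattern-matching them. The sample bodies are constructed for the example, the 1 MiB cap is my own choice, and re.IGNORECASE stands in for the chained rule's lowercase transformation (an assumption about the rule, not something shown in the log).

```python
import gzip
import re
import zlib
from typing import Optional

# Constructed samples, not taken from the thread.
HTML_CLEAN = b"<html><body><h1>Hello</h1><p>100% fine</p></body></html>"
ASP_LEAK = b'<html><body><% Response.Write("hi") %></body></html>'
# Modelled on the "Matched Data" in the audit log above: a gzip header
# (\x1f\x8b\x08 ...) followed by opaque bytes that happen to contain "<%".
# Deliberately NOT a valid gzip stream, to exercise the failure path.
FAKE_COMPRESSED_BODY = (
    b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"
    b"\xed}\xfbw\xdb6\xd2<%\xe8\xcf\xf6"
)

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate

# CRS 2.2.9 rule 970903 as it appears in the log: a "<%" match chained to a
# negated (!@rx) match against known binary-file signatures. The signature
# pattern is copied from the log line; re.IGNORECASE is my approximation of
# the chained rule's lowercase transformation (assumption).
ASP_JSP_MARKER = re.compile(rb"<%")
BINARY_SIGNATURES = re.compile(
    rb"(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if"
    rb"|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)",
    re.IGNORECASE,
)


def rule_970903(body: bytes) -> bool:
    """True when the chain fires: '<%' present AND no known binary signature.
    Runs on whatever bytes it is handed, compressed or not, like the rule."""
    if not ASP_JSP_MARKER.search(body):
        return False
    return BINARY_SIGNATURES.search(body) is None


def inflate_gzip(body: bytes, limit: int = 1 << 20) -> Optional[bytes]:
    """Inflate one gzip member with an output cap (limit is my chosen value).
    Returns None for corrupt, truncated or oversized (bomb-like) input."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 31: gzip wrapper
    try:
        out = d.decompress(body, limit + 1)
    except zlib.error:
        return None
    if len(out) > limit or not d.eof:
        return None
    return out


def inspect_response_body(body: bytes) -> str:
    """Hardened check: inflate gzip before matching, and refuse to judge
    bytes that cannot be inflated rather than regex-matching binary."""
    if body.startswith(GZIP_MAGIC):
        inflated = inflate_gzip(body)
        if inflated is None:
            return "undecodable"
        body = inflated
    return "leak" if rule_970903(body) else "clean"


def demo() -> dict:
    """Verdicts for each sample: raw rule versus hardened inspection."""
    gz_clean = gzip.compress(HTML_CLEAN, mtime=0)
    gz_leak = gzip.compress(ASP_LEAK, mtime=0)
    return {
        "clean_raw": rule_970903(HTML_CLEAN),
        "leak_raw": rule_970903(ASP_LEAK),
        "fake_gz_raw": rule_970903(FAKE_COMPRESSED_BODY),  # the false positive
        "fake_gz_hardened": inspect_response_body(FAKE_COMPRESSED_BODY),
        "gz_clean_hardened": inspect_response_body(gz_clean),
        "gz_leak_hardened": inspect_response_body(gz_leak),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Run it directly to print the six verdicts: fake_gz_raw is the false positive from the audit log, fake_gz_hardened is what an inspector should say about the same bytes, and the two gz_*_hardened lines show that once the stream is inflated the rule behaves as designed. The point for the thread is diagnostic rather than a fix: paste the bytes from the RESPONSE_BODY field of part H into FAKE_COMPRESSED_BODY, or dump part E of the audit log to a file and feed it to inspect_response_body, and you can confirm whether ModSecurity is being handed gzip before the rule runs, which in embedded mode points at whatever is compressing the body before the output filter chain reaches ModSecurity (the application itself, or filter ordering) rather than at the rule.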