Re: [mod-security-users] Rule 920420 and Detecting the Struts 2 Vulnerability
From: Christian F. <chr...@ne...> - 2017-03-11 05:22:05
Hello Osama,

This question is probably better suited for the Core Rule Set mailing list (-> https://lists.owasp.org/listinfo/owasp-modsecurity-core-rule-set)

We're currently discussing this exploit over at https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/703#issuecomment-285831977 and aim to extend the reach of

932100 PL1
932110 PL1
932160 PL1

to the Content-Type header.

As for 920420, is there not a negation that says all methods outside of GET/HEAD/... should be inspected?

Ahoj,

Christian

On Fri, Mar 10, 2017 at 07:38:39PM -0500, Osama Elnaggar wrote:
> Hi,
>
> The recent Struts 2 vulnerability (http://www.bankinfosecurity.com/apache-struts-2-under-zero-day-attack-update-now-a-9761) allows for RCE by sending a malicious Content-Type. Someone was asking how they can use ModSecurity to protect against this and I suggested they use Rule 920420 (see below). It was then pointed out that this rule does not inspect POST requests. I know I can easily copy/edit this rule to inspect POST requests as well but I was wondering if there was a specific reason that the rule by default does not support POSTs. Any ideas? Thanks.
>
> #
> # Restrict which content-types we accept.
> #
> SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
>     "phase:request,\
>     chain,\
>     t:none,\
>     block,\
>     msg:'Request content type is not allowed by policy',\
>     rev:'2',\
>     ver:'OWASP_CRS/3.0.0',\
>     maturity:'9',\
>     accuracy:'9',\
>     id:920420,\
>     severity:'CRITICAL',\
>     logdata:'%{matched_var}',\
>     tag:'application-multi',\
>     tag:'language-multi',\
>     tag:'platform-multi',\
>     tag:'attack-protocol',\
>     tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',\
>     tag:'WASCTC/WASC-20',\
>     tag:'OWASP_TOP_10/A1',\
>     tag:'OWASP_AppSensor/EE2',\
>     tag:'PCI/12.1'"
>     SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" \
>         "chain,\
>         capture"
>         SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
>             "t:none,\
>             ctl:forceRequestBodyVariable=On,\
>             setvar:'tx.msg=%{rule.msg}',\
>             setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
>             setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
>
> --
> Osama Elnaggar

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
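To make the negation Christian points to concrete, here is a small Python model of the three-rule chain of 920420 exactly as quoted in the thread, evaluated against a few constructed requests. This is an added illustration, not code from the thread or from the CRS project; the allow-list value is assumed to be the CRS 3.0.0 default for tx.allowed_request_content_type and should be checked against your own crs-setup.conf.

```python
import re

# Assumed default of tx.allowed_request_content_type (CRS 3.0.0 crs-setup.conf);
# adjust to your deployment's value.
ALLOWED_REQUEST_CONTENT_TYPE = (
    r"application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    r"application/xml|application/x-amf|application/json|text/plain"
)

# Rule 1 of the chain: "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" on REQUEST_METHOD.
# Because the operator is negated, every OTHER method (POST, PUT, ...) matches
# and the chain continues. Only these four methods are left uninspected.
METHODS_NOT_INSPECTED = re.compile(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$")

# Rule 2: capture the media type, i.e. everything before the first ';' or
# whitespace, so "text/plain; charset=utf-8" yields TX:0 = "text/plain".
MEDIA_TYPE = re.compile(r"^([^;\s]+)")

# Rule 3: TX:0 "!^%{tx.allowed_request_content_type}$" - the captured type must
# be one of the allowed values exactly. The chain as posted applies no
# transformation, so the comparison is literal.
ALLOWED = re.compile(r"^(?:%s)$" % ALLOWED_REQUEST_CONTENT_TYPE)


def rule_920420_matches(method, headers):
    """Return True when the whole chain matches, i.e. the request would be
    scored (and blocked in blocking mode) as 'content type not allowed'."""
    if METHODS_NOT_INSPECTED.match(method):
        return False                     # chain stops at rule 1
    ctype = headers.get("Content-Type")
    if ctype is None:
        return False                     # rule 2 has no variable to test
    m = MEDIA_TYPE.match(ctype)
    if not m:
        return False
    return ALLOWED.match(m.group(1)) is None


if __name__ == "__main__":
    # Constructed sample requests; the disallowed type is a deliberately bland
    # placeholder, not an exploit payload.
    samples = [
        ("POST", {"Content-Type": "text/html"}),
        ("GET", {"Content-Type": "text/html"}),
        ("POST", {"Content-Type": "multipart/form-data; boundary=----xyz"}),
        ("PUT", {"Content-Type": "application/json"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", "MATCH" if rule_920420_matches(method, hdrs) else "pass")
```

Running it shows that a POST with a non-allowed type does trip the rule, which is why the rule needs no separate POST branch.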