Re: [mod-security-users] Sanitize JSON Request / Response
From: Christian F. <chr...@ne...> - 2018-03-14 21:34:33
Hello Cristiano,

I did the following request:

$> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"

and got the following audit-log when using CRS3 (parameter exec triggering the writing of the audit log):

--a7997f3d-A--
[14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
--a7997f3d-B--
POST / HTTP/1.1
Host: localhost
User-Agent: curl/7.50.1
Accept: */*
Content-Length: 38
Content-Type: application/x-www-form-urlencoded

--a7997f3d-C--
CVV=*******************&exec=/bin/bash
--a7997f3d-F--
HTTP/1.1 200 OK
Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
ETag: "2d-5608741dac6fd"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html

...

I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled according to the tutorials on netnea.com.

My ModSec Configuration:

------------------------------------------------------------------------------
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 10000000
SecRequestBodyNoFilesLimit 64000
SecResponseBodyAccess On
SecResponseBodyLimit 10000000
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadDir /tmp/
SecDebugLog /apache/logs/modsec_debug.log
SecDebugLogLevel 3
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABEFHIJZ
SecAuditLogType Concurrent
SecAuditLog /apache/logs/modsec_audit.log
SecAuditLogStorageDir /apache/logs/audit/
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
SecDefaultAction "phase:2,pass,log"

# == ModSec Rule ID Namespace Definition
# Service-specific before Core-Rules: 10000 - 49999
# Service-specific after Core-Rules: 50000 - 79999
# Locally shared rules: 80000 - 99999
# - Performance: 90000 - 90199
# Recommended ModSec Rules (few): 200000 - 200010
# OWASP Core-Rules: 900000 - 999999

# === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
# SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"

# === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:403, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# === ModSecurity Rules (ids: 900000-999999)
# === ModSec Core Rules Base Configuration (ids: 900001-900021)
Include /home/dune73/data/git/crs-official/crs-setup.conf.example
SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"

# === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
# SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
# SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
# SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
# SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
# SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"

# === ModSecurity Core Rules Inclusion
Include /home/dune73/data/git/crs-official/rules/*.conf

# === ModSec Core Rules: Startup Time Rules Exclusions

# === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"

# === ModSec performance calculations and variable export (ids: 90100 - 90199)
SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"

# === End ModSec Configuration
------------------------------------------------------------------------------

So I think this generally works. If it does not for you, then please try and reproduce the behaviour on the latest ModSec version of the 2.9 series and open a bug report in case.

Ahoj,

Christian

On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> Hi Christian!
> Modsecurity: 2.9.0-1 (from Ubuntu repository)
> Apache 2.4.18-2ubuntu3.5
> Tks!
>
> Cristiano Galdino
> cri...@ga...
>
> On 14 Mar 2018 17:55 -0300, Christian Folini <chr...@ne...>, wrote:
>
> Hello Christiano,
> What platform are you using? (-> ModSec version, Apache / NGINX / IIS?)
> Ahoj,
> Christian
>
> On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
>
> Hello!
> I created a rule in ModSecurity to sanitize param CVV (credit card) but it is not working.
> Samples:
> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> This prevents me from using modsecurity because PCI does not allow CVV to be stored.
> I found this issue without response.
> [1]https://github.com/SpiderLabs/ModSecurity/issues/715
> What can I do?
> Cristiano Galdino
> cri...@ga...
>
> References
> 1. https://github.com/SpiderLabs/ModSecurity/issues/715
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
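An added example, not part of the thread and not ModSecurity project code, for checking that sanitiseArg really took effect in stored logs: it parses entries in the ModSecurity 2.x audit-log part layout shown above (the --id-X-- markers) and reports any transaction whose request body (part C) still carries an unmasked CVV. The sample log is constructed; its first entry mirrors the thread's request, while the second transaction (id b1c2d3e4 and its unique id) is invented to show a miss.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in the ModSecurity 2.x audit-log part layout from the
# thread. First transaction mirrors the sanitised request; the second
# (b1c2d3e4 / AAAA...) is invented to show an unmasked CVV value.
SAMPLE_AUDIT_LOG = """--a7997f3d-A--
[14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
--a7997f3d-B--
POST / HTTP/1.1
Host: localhost
--a7997f3d-C--
CVV=*******************&exec=/bin/bash
--a7997f3d-Z--

--b1c2d3e4-A--
[14/Mar/2018:22:31:10 +0100] AAAAAAAAAAAAAAAAAAAAAAAAAAAA 127.0.0.1 50060 127.0.0.1 40080
--b1c2d3e4-B--
POST / HTTP/1.1
Host: localhost
--b1c2d3e4-C--
CVV=0000-0000-0000-0000&exec=/bin/bash
--b1c2d3e4-Z--
"""

# Part boundary: "--<transaction id>-<part letter>--" alone on a line.
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)


def parse_audit_log(text):
    """Map each transaction id to {part letter: part body}."""
    entries = {}
    markers = list(PART_RE.finditer(text))
    for i, m in enumerate(markers):
        tx_id, part = m.group(1), m.group(2)
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        entries.setdefault(tx_id, {})[part] = text[m.end():end].strip("\n")
    return entries


def unsanitised_args(entries, names=("CVV",)):
    """List (tx_id, arg) for part C bodies whose sensitive arg is not fully
    masked with '*', i.e. where sanitiseArg did not take effect."""
    findings = []
    for tx_id, parts in entries.items():
        for key, value in parse_qsl(parts.get("C", ""), keep_blank_values=True):
            if key in names and value and set(value) != {"*"}:
                findings.append((tx_id, key))
    return findings
```

Run it over a concatenated audit log (or each file under SecAuditLogStorageDir) to spot entries written before the sanitiseArg rule was in place.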