Re: [mod-security-users] Sanitize JSON Request / Response
From: Robert P. <rpa...@fe...> - 2018-03-14 21:38:16
Christian, you tested with an application/x-www-form-urlencoded request; Cristiano's use case involves JSON-encoded bodies. I do not believe JSON request bodies can be translated into data collections that can have sanitize actions applied on them at this point.

On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini <chr...@ne...> wrote:
> Hello Cristiano,
>
> I did the following request:
>
> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
>
> and got the following audit-log when using CRS3 (parameter exec triggering
> the writing of the audit log):
>
> --a7997f3d-A--
> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
> --a7997f3d-B--
> POST / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.50.1
> Accept: */*
> Content-Length: 38
> Content-Type: application/x-www-form-urlencoded
>
> --a7997f3d-C--
> CVV=*******************&exec=/bin/bash
> --a7997f3d-F--
> HTTP/1.1 200 OK
> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> ETag: "2d-5608741dac6fd"
> Accept-Ranges: bytes
> Content-Length: 45
> Content-Type: text/html
> ...
>
> I'm running ModSec 2.9.2 on Apache 2.4.29, both self-compiled according to
> the tutorials on netnea.com.
>
> My ModSec Configuration:
>
> ------------------------------------------------------------------------------
>
> SecRuleEngine On
>
> SecRequestBodyAccess On
> SecRequestBodyLimit 10000000
> SecRequestBodyNoFilesLimit 64000
>
> SecResponseBodyAccess On
> SecResponseBodyLimit 10000000
>
> SecTmpDir /tmp/
> SecDataDir /tmp/
> SecUploadDir /tmp/
>
> SecDebugLog /apache/logs/modsec_debug.log
> SecDebugLogLevel 3
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABEFHIJZ
>
> SecAuditLogType Concurrent
> SecAuditLog /apache/logs/modsec_audit.log
> SecAuditLogStorageDir /apache/logs/audit/
>
> SecPcreMatchLimit 500000
> SecPcreMatchLimitRecursion 500000
>
> SecDefaultAction "phase:2,pass,log"
>
>
> # == ModSec Rule ID Namespace Definition
> # Service-specific before Core-Rules: 10000 - 49999
> # Service-specific after Core-Rules: 50000 - 79999
> # Locally shared rules: 80000 - 99999
> # - Performance: 90000 - 90199
> # Recommended ModSec Rules (few): 200000 - 200010
> # OWASP Core-Rules: 900000 - 999999
>
>
> # === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
>
> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
>
> # SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"
>
>
> # === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
>
> SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
>
> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
> logdata:'%{reqbody_error_msg}',severity:2"
>
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:403, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
>
> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
>
>
> # === ModSecurity Rules (ids: 900000-999999)
>
> # === ModSec Core Rules Base Configuration (ids: 900001-900021)
>
> Include /home/dune73/data/git/crs-official/crs-setup.conf.example
>
> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"
>
> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
>
> # SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> # SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> # SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> # SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> # SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
>
> SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
>
>
> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
>
>
> # === ModSecurity Core Rules Inclusion
>
> Include /home/dune73/data/git/crs-official/rules/*.conf
>
> # === ModSec Core Rules: Startup Time Rules Exclusions
>
>
> # === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
>
> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"
>
>
> # === ModSec performance calculations and variable export (ids: 90100 - 90199)
>
> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
> SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
>
>
> # === End ModSec Configuration
>
> ------------------------------------------------------------------------------
>
>
> So I think this generally works. If it does not for you, then please try and
> reproduce the behaviour on the latest ModSec version of the 2.9 series and
> open a bug report in case.
>
> Ahoj,
>
> Christian
>
>
> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > Hi Christian!
> > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > Apache 2.4.18-2ubuntu3.5
> > Tks!
> >
> > Cristiano Galdino
> > cri...@ga...
> >
> > On 14 Mar 2018 17:55 -0300, Christian Folini <chr...@ne...>, wrote:
> >
> > Hello Cristiano,
> > What platform are you using? (-> ModSec version, Apache / NGINX / IIS?)
> > Ahoj,
> > Christian
> > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
> >
> > Hello!
> > I created a rule in ModSecurity to sanitize param CVV (credit card) but
> > it is not working.
> > Samples:
> > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > This prevents me from using modsecurity because PCI does not allow CVV
> > to be stored.
> > I found this issue without response.
> > [1]https://github.com/SpiderLabs/ModSecurity/issues/715
> > What can I do?
> > Cristiano Galdino
> > cri...@ga...
> > References
> > 1. https://github.com/SpiderLabs/ModSecurity/issues/715
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
> > --
> > https://www.feistyduck.com/training/modsecurity-training-course
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:chr...@ne...
> > twitter: @ChrFolini
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
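The thread shows what sanitiseArg does for a form-urlencoded body (CVV=0000-0000-0000-0000 is written to audit-log part C as CVV=*******************, every byte replaced by an asterisk, length preserved) and Robert's reply explains that a JSON body is not turned into ARGS that sanitise actions can apply to. The script below is an added example, not code from the thread or from ModSecurity: it re-implements that length-preserving masking outside the WAF, for both encodings, so a JSON request body can be scrubbed from an audit-log entry before it is stored, which is the PCI concern Cristiano raised. Matching parameter names case-insensitively and, for JSON, matching by leaf key at any nesting depth are this example's own choices, not documented ModSecurity behaviour; the sample bodies are constructed (the first is the one from the thread).

```python
"""Length-preserving masking of a named parameter in request bodies."""
import json
from typing import Any, Iterable
from urllib.parse import unquote_plus


def mask(value: str) -> str:
    """Replace every character with '*', keeping the original length."""
    return "*" * len(value)


def sanitise_form(body: str, names: Iterable[str]) -> str:
    """Mask the raw (still URL-encoded) value of each named parameter.

    Pairs are split without decoding so that untouched parameters such as
    exec=/bin/bash are written back byte for byte, as in the audit log.
    """
    wanted = {n.lower() for n in names}
    out = []
    for pair in body.split("&"):
        name, sep, value = pair.partition("=")
        # Case-insensitive name match is this example's choice.
        if sep and unquote_plus(name).lower() in wanted:
            value = mask(value)
        out.append(name + sep + value)
    return "&".join(out)


def _walk(node: Any, wanted: set) -> Any:
    """Recursively mask scalar values stored under a wanted key."""
    if isinstance(node, dict):
        result = {}
        for key, value in node.items():
            if key.lower() in wanted and not isinstance(value, (dict, list)):
                result[key] = mask(str(value))  # numbers become '***' too
            else:
                result[key] = _walk(value, wanted)
        return result
    if isinstance(node, list):
        return [_walk(item, wanted) for item in node]
    return node


def sanitise_json(body: str, names: Iterable[str]) -> str:
    """Mask values under any key with a wanted name, at any depth."""
    wanted = {n.lower() for n in names}
    return json.dumps(_walk(json.loads(body), wanted), separators=(",", ":"))


def sanitise_body(content_type: str, body: str, names: Iterable[str]) -> str:
    """Pick the masking strategy from the request Content-Type.

    Bodies in an encoding this script does not understand are returned
    unchanged; a caller storing audit logs should treat that as 'do not
    store part C' rather than as 'nothing sensitive inside'.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return sanitise_form(body, names)
    if media_type == "application/json":
        return sanitise_json(body, names)
    return body


if __name__ == "__main__":
    # Constructed sample bodies; the first is the one from the thread.
    print(sanitise_body("application/x-www-form-urlencoded",
                        "CVV=0000-0000-0000-0000&exec=/bin/bash", ["CVV"]))
    print(sanitise_body("application/json",
                        '{"CVV": 123, "exec": "/bin/bash", "card": {"cvv": "9876"}}',
                        ["CVV"]))
```

Run against the thread's form body the output is exactly the part C line Christian posted; run against the JSON body every CVV value is starred while the rest of the document, including the exec parameter CRS flags, is left intact for the analyst.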