Re: [mod-security-users] Sanitize JSON Request / Response
From: Cristiano G. <cri...@ga...> - 2018-03-14 21:42:33
Yep! My application use JSON payloads.
Christian, please try it:
$> curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}' http://localhost/?id=/bin/bash
Cristiano Galdino
(61) 9860 1 9860
cri...@ga...
On 14 Mar 2018 18:38 -0300, Robert Paprocki <rpa...@fe...>, wrote:
> Christian, you tested with an application/x-www-form-urlencoded request; Christiano's use case involves JSON-encoded bodies.
>
> I do not believe JSON request bodies can be translated into data collections that can have sanitize actions applied on them at this point.
>
> > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini <chr...@ne...> wrote:
> > > Hello Cristiano,
> > >
> > > I did the following request:
> > >
> > > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> > >
> > > and got the following audit-log when using CRS3 (parameter exec triggering
> > > the writing of the audit log):
> > >
> > > --a7997f3d-A--
> > > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
> > > --a7997f3d-B--
> > > POST / HTTP/1.1
> > > Host: localhost
> > > User-Agent: curl/7.50.1
> > > Accept: */*
> > > Content-Length: 38
> > > Content-Type: application/x-www-form-urlencoded
> > >
> > > --a7997f3d-C--
> > > CVV=*******************&exec=/bin/bash
> > > --a7997f3d-F--
> > > HTTP/1.1 200 OK
> > > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> > > ETag: "2d-5608741dac6fd"
> > > Accept-Ranges: bytes
> > > Content-Length: 45
> > > Content-Type: text/html
> > > ...
> > >
> > >
> > >
> > > I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled according to
> > > the tutorials on netnea.com.
> > >
> > > My ModSec Configuration:
> > >
> > > ------------------------------------------------------------------------------
> > >
> > > SecRuleEngine On
> > >
> > > SecRequestBodyAccess On
> > > SecRequestBodyLimit 10000000
> > > SecRequestBodyNoFilesLimit 64000
> > >
> > > SecResponseBodyAccess On
> > > SecResponseBodyLimit 10000000
> > >
> > > SecTmpDir /tmp/
> > > SecDataDir /tmp/
> > > SecUploadDir /tmp/
> > >
> > > SecDebugLog /apache/logs/modsec_debug.log
> > > SecDebugLogLevel 3
> > >
> > > SecAuditEngine RelevantOnly
> > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > SecAuditLogParts ABEFHIJZ
> > >
> > > SecAuditLogType Concurrent
> > > SecAuditLog /apache/logs/modsec_audit.log
> > > SecAuditLogStorageDir /apache/logs/audit/
> > >
> > > SecPcreMatchLimit 500000
> > > SecPcreMatchLimitRecursion 500000
> > >
> > > SecDefaultAction "phase:2,pass,log"
> > >
> > >
> > >
> > > # == ModSec Rule ID Namespace Definition
> > > # Service-specific before Core-Rules: 10000 - 49999
> > > # Service-specific after Core-Rules: 50000 - 79999
> > > # Locally shared rules: 80000 - 99999
> > > # - Performance: 90000 - 90199
> > > # Recommended ModSec Rules (few): 200000 - 200010
> > > # OWASP Core-Rules: 900000 - 999999
> > >
> > >
> > > # === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
> > >
> > > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
> > > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
> > > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
> > > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
> > > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
> > >
> > > # SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"
> > >
> > >
> > >
> > > # === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
> > >
> > > SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> > >
> > > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
> > > logdata:'%{reqbody_error_msg}',severity:2"
> > >
> > > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> > > "id:'200002',phase:2,t:none,log,deny,status:403, \
> > > msg:'Multipart request body failed strict validation: \
> > > PE %{REQBODY_PROCESSOR_ERROR}, \
> > > BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> > > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> > > DB %{MULTIPART_DATA_BEFORE}, \
> > > DA %{MULTIPART_DATA_AFTER}, \
> > > HF %{MULTIPART_HEADER_FOLDING}, \
> > > LF %{MULTIPART_LF_LINE}, \
> > > SM %{MULTIPART_MISSING_SEMICOLON}, \
> > > IQ %{MULTIPART_INVALID_QUOTING}, \
> > > IP %{MULTIPART_INVALID_PART}, \
> > > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> > > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> > >
> > > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> > >
> > >
> > > # === ModSecurity Rules (ids: 900000-999999)
> > >
> > > # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> > >
> > > Include /home/dune73/data/git/crs-official/crs-setup.conf.example
> > >
> > > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
> > > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"
> > >
> > > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
> > >
> > > # SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> > >
> > > # SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> > >
> > > # SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> > >
> > > # SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> > >
> > > # SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> > >
> > > SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> > >
> > >
> > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > >
> > >
> > >
> > >
> > >
> > > # === ModSecurity Core Rules Inclusion
> > >
> > > Include /home/dune73/data/git/crs-official/rules/*.conf
> > >
> > > # === ModSec Core Rules: Startup Time Rules Exclusions
> > >
> > >
> > >
> > >
> > >
> > >
> > > # === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
> > >
> > > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
> > > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
> > > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
> > > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
> > > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"
> > >
> > >
> > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > >
> > > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
> > > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
> > > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
> > > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
> > > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
> > > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
> > > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
> > > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
> > > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
> > > SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> > > SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> > >
> > >
> > > # === End ModSec Configuration
> > >
> > > ------------------------------------------------------------------------------
> > >
> > >
> > > So I think this generally works. If it does not for you, then please try and
> > > reproduce the behaviour on the latest ModSec version of the 2.9 series and
> > > open a bug report in case.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > >
> > >
> > > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > > > Hi Christian!
> > > > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > > > Apache 2.4.18-2ubuntu3.5
> > > > Tks!
> > > >
> > > > Cristiano Galdino
> > > > cri...@ga...
> > > >
> > > > On 14 Mar 2018 17:55 -0300, Christian Folini
> > > > <chr...@ne...>, wrote:
> > > >
> > > > Hello Christiano,
> > > > What platform are you using? (-> ModSec version, Apache / NGINX /
> > > > IIS?)
> > > > Ahoj,
> > > > Christian
> > > > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
> > > >
> > > > Hello!
> > > > I created a rule in ModSecurity to sanitize param CVV (credit card)
> > > > but
> > > > it is not working.
> > > > Samples:
> > > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > > > This prevents me from using modsecurity because PCI does not allow
> > > > CVV
> > > > to be stored.
> > > > I found this issue without response.
> > > > [1]https://github.com/SpiderLabs/ModSecurity/issues/715
> > > > What can I do?
> > > > Cristiano Galdino
> > > > cri...@ga...
> > > > References
> > > > 1. https://github.com/SpiderLabs/ModSecurity/issues/715
> > > >
> > > > --------------------------------------------------------------------
> > > > ----------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > >
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Rules and Support from Trustwave's
> > > > SpiderLabs:
> > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > http://www.modsecurity.org/projects/commercial/support/
> > > >
> > > > --
> > > > https://www.feistyduck.com/training/modsecurity-training-course
> > > > https://www.feistyduck.com/books/modsecurity-handbook/
> > > > mailto:chr...@ne...
> > > > twitter: @ChrFolini
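An added example, not code from the thread or from ModSecurity: a small Python post-processor that masks CVV values in captured request bodies the way the audit log above shows sanitiseArg doing it for the urlencoded case (one `*` per character, length preserved), and applies the same masking to JSON bodies, including nested objects, which the thread reports sanitiseArg does not reach. It can be run over a ModSecurity audit log before the log is retained, as a compensating control while ModSecurity itself cannot sanitise JSON. The key names in `SENSITIVE`, the function names, the audit-log part grammar it relies on (`--<id>-<letter>--` delimiters, Content-Type read from part B, request body in part C) and the `SAMPLE_AUDIT` excerpt are assumptions or constructed input modelled on Christian's excerpt; ModSecurity's internal handling of sanitiseArg is not reproduced, only its visible output.

```python
"""
Mask sensitive request parameters in captured HTTP bodies.

Added example, not ModSecurity's code: reproduces offline the visible effect
of sanitiseArg on the urlencoded body in the thread's audit log (one '*' per
character of the CVV value) and applies the same masking to JSON bodies, which
the thread reports sanitiseArg does not cover. Key names, sample bodies and
the audit-log excerpt are constructed for the demonstration.
"""
import json
import re

# Parameter / key names whose values must never be written to a log.
# Compared case-insensitively; the thread uses both "CVV" and "cvv".
SENSITIVE = {"cvv", "cvv_reponse"}  # second name spelled as in the thread's rule


def _mask(value: str) -> str:
    """Same visible effect as sanitiseArg in the audit log: one '*' per char."""
    return "*" * len(value)


def mask_urlencoded(body: str) -> str:
    """Mask sensitive values in an application/x-www-form-urlencoded body.
    Only the value span of a matching name is rewritten; parameter order and
    percent-encoding are kept, so the result is what audit-log part C holds."""
    def repl(m):
        name, value = m.group("name"), m.group("value")
        return f"{name}={_mask(value)}" if name.lower() in SENSITIVE else m.group(0)
    return re.sub(r"(?P<name>[^&=]+)=(?P<value>[^&]*)", repl, body)


def mask_json(doc):
    """Recursively mask sensitive keys at any depth. Non-string values (a
    numeric CVV) are masked to a '*' string too; their digits are as sensitive."""
    if isinstance(doc, dict):
        return {k: _mask(str(v)) if k.lower() in SENSITIVE else mask_json(v)
                for k, v in doc.items()}
    if isinstance(doc, list):
        return [mask_json(v) for v in doc]
    return doc


def mask_body(content_type: str, body: str) -> str:
    """Dispatch on Content-Type. Unknown types come back untouched; a caller
    that stores bodies should treat 'no masking rule' as 'do not store'."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        return mask_urlencoded(body)
    if ct == "application/json":
        try:
            return json.dumps(mask_json(json.loads(body)), separators=(",", ":"))
        except ValueError:
            # Malformed JSON: the field cannot be located, so withhold the
            # whole body rather than risk writing a CVV to disk.
            return "[body withheld: unparseable JSON]"
    return body


# Audit-log part delimiter, e.g. "--a7997f3d-C--" (parts A..K and Z).
_PART = re.compile(r"^--(?P<id>[0-9a-f]+)-(?P<part>[A-KZ])--$", re.M)


def mask_audit_log(text: str) -> str:
    """Rewrite part C (request body) of every transaction in a ModSecurity
    audit log, using the Content-Type header from the preceding part B."""
    pieces = _PART.split(text)  # [prefix, id, part, body, id, part, body, ...]
    out, content_type = [pieces[0]], ""
    for i in range(1, len(pieces), 3):
        tid, part, body = pieces[i], pieces[i + 1], pieces[i + 2]
        if part == "A":  # start of a new transaction
            content_type = ""
        elif part == "B":
            m = re.search(r"^Content-Type:\s*(.+)$", body, re.M | re.I)
            content_type = m.group(1).strip() if m else ""
        elif part == "C":
            body = "\n" + mask_body(content_type, body.strip("\n")) + "\n"
        out.append(f"--{tid}-{part}--{body}")
    return "".join(out)


# Constructed excerpt modelled on the thread's audit log: one urlencoded
# transaction and one JSON transaction carrying a nested CVV.
SAMPLE_AUDIT = """--a7997f3d-A--
[14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
--a7997f3d-B--
POST / HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

--a7997f3d-C--
CVV=0000-0000-0000-0000&exec=/bin/bash
--a7997f3d-F--
HTTP/1.1 200 OK
--b1c2d3e4-A--
[14/Mar/2018:22:30:11 +0100] constructed-tx-id 127.0.0.1 50060 127.0.0.1 40080
--b1c2d3e4-B--
POST /?id=/bin/bash HTTP/1.1
Content-Type: application/json

--b1c2d3e4-C--
{"cvv":"123","order":{"amount":"10.00","cvv":"456"}}
--b1c2d3e4-Z--
"""

if __name__ == "__main__":
    print(mask_audit_log(SAMPLE_AUDIT))
```

Run as a file it prints the masked sample; in deployment it would be run over the files under `SecAuditLogStorageDir` (or a serial `SecAuditLog`) before they are retained or shipped. It does not change what ModSecurity writes, so the raw body still exists on disk until the pass runs; an unparseable JSON body is withheld entirely rather than logged raw, because a partial parse is exactly where a CVV slips through.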