Re: [mod-security-users] Sanitize JSON Request / Response
From: Christian F. <chr...@ne...> - 2018-03-14 22:05:30
Sorry, I was a bit quick to jump to that conclusion. I overlooked your remark
on JSON.
I confirm this does not work.
Sanitation is generally an issue as there is no sanitation in the alerts
written into the error-log, even if it is less severe than the audit log.
Best,
Christian
On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
> Yep! My application uses JSON payloads.
> Christian, please try it:
> $> curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}' http://localhost/?id=/bin/bash
>
> Cristiano Galdino
> (61) 9860 1 9860
> cri...@ga...
>
> On 14 Mar 2018 18:38 -0300, Robert Paprocki <rpa...@fe...>, wrote:
>
> Christian, you tested with an application/x-www-form-urlencoded request;
> Cristiano's use case involves JSON-encoded bodies.
> I do not believe JSON request bodies can be translated into data collections
> that can have sanitize actions applied on them at this point.
>
> On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini <chr...@ne...> wrote:
>
> Hello Cristiano,
> I did the following request:
> $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> and got the following audit-log when using CRS3 (parameter exec triggering
> the writing of the audit log):
> --a7997f3d-A--
> [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
> --a7997f3d-B--
> POST / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.50.1
> Accept: */*
> Content-Length: 38
> Content-Type: application/x-www-form-urlencoded
> --a7997f3d-C--
> CVV=*******************&exec=/bin/bash
> --a7997f3d-F--
> HTTP/1.1 200 OK
> Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> ETag: "2d-5608741dac6fd"
> Accept-Ranges: bytes
> Content-Length: 45
> Content-Type: text/html
> ...
> I'm running ModSec 2.9.2 on Apache 2.4.29, both self compiled according to
> the tutorials on netnea.com.
> My ModSec Configuration:
> ------------------------------------------------------------------------------
> SecRuleEngine On
> SecRequestBodyAccess On
> SecRequestBodyLimit 10000000
> SecRequestBodyNoFilesLimit 64000
> SecResponseBodyAccess On
> SecResponseBodyLimit 10000000
> SecTmpDir /tmp/
> SecDataDir /tmp/
> SecUploadDir /tmp/
> SecDebugLog /apache/logs/modsec_debug.log
> SecDebugLogLevel 3
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABEFHIJZ
> SecAuditLogType Concurrent
> SecAuditLog /apache/logs/modsec_audit.log
> SecAuditLogStorageDir /apache/logs/audit/
> SecPcreMatchLimit 500000
> SecPcreMatchLimitRecursion 500000
> SecDefaultAction "phase:2,pass,log"
> # == ModSec Rule ID Namespace Definition
> # Service-specific before Core-Rules: 10000 - 49999
> # Service-specific after Core-Rules: 50000 - 79999
> # Locally shared rules: 80000 - 99999
> # - Performance: 90000 - 90199
> # Recommended ModSec Rules (few): 200000 - 200010
> # OWASP Core-Rules: 900000 - 999999
> # === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
> SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
> SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
> SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
> SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
> SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
> # SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"
> # === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
> SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
> logdata:'%{reqbody_error_msg}',severity:2"
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:403, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> # === ModSecurity Rules (ids: 900000-999999)
> # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> Include /home/dune73/data/git/crs-official/crs-setup.conf.example
> SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
> SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"
> # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
> # SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> # SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> # SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> # SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> # SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> # === ModSecurity Core Rules Inclusion
> Include /home/dune73/data/git/crs-official/rules/*.conf
> # === ModSec Core Rules: Startup Time Rules Exclusions
> # === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
> SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
> SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
> SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
> SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
> SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"
> # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
> SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
> SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
> SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
> SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
> SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
> SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
> SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
> SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
> SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> # === End ModSec Configuration
> ------------------------------------------------------------------------------
> So I think this generally works. If it does not for you, then please try and
> reproduce the behaviour on the latest ModSec version of the 2.9 series and
> open a bug report in case.
> Ahoj,
> Christian
> On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > Hi Christian!
> > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > Apache 2.4.18-2ubuntu3.5
> > Tks!
> >
> > Cristiano Galdino
> > cri...@ga...
> >
> > On 14 Mar 2018 17:55 -0300, Christian Folini <chr...@ne...>, wrote:
> >
> > Hello Cristiano,
> > What platform are you using? (-> ModSec version, Apache / NGINX / IIS?)
> > Ahoj,
> > Christian
> > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
> >
> > Hello!
> > I created a rule in ModSecurity to sanitize param CVV (credit card) but
> > it is not working.
> > Samples:
> > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > This prevents me from using modsecurity because PCI does not allow CVV
> > to be stored.
> > I found this issue without a response.
> > https://github.com/SpiderLabs/ModSecurity/issues/715
> > What can I do?
> > Cristiano Galdino
> > cri...@ga...
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
> > --
> > https://www.feistyduck.com/training/modsecurity-training-course
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:chr...@ne...
> > twitter: @ChrFolini
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
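As an added example (not code from this thread and not part of ModSecurity), the following Python shows a defender-side stop-gap for the gap the thread describes: it post-processes one audit-log entry in the part layout shown above and masks a JSON body field the way sanitiseArg masks a form parameter, leaving form-encoded entries untouched. The sample entry is constructed for this example and the list of field names to mask is an assumption.

```python
import json
import re

# Constructed sample (not from the thread): one audit-log entry in the part layout
# shown above, carrying the JSON body that sanitiseArg leaves unmasked.
SAMPLE_ENTRY = (
    "--a7997f3d-A--\n"
    "[14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080\n"
    "--a7997f3d-B--\nPOST / HTTP/1.1\nHost: localhost\n"
    "Content-Type: application/json\nContent-Length: 30\n\n"
    '--a7997f3d-C--\n{"cvv":"123","amount":"10.00"}\n'
    "--a7997f3d-F--\nHTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    "--a7997f3d-Z--\n"
)
# Part header line as it appears in the audit log, e.g. "--a7997f3d-C--".
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)

def find_parts(entry):
    """Map each part letter to (start, end) offsets of its text after the header line."""
    marks, spans = list(PART_RE.finditer(entry)), {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        spans[m.group(2)] = (m.end(), end)
    return spans

def mask_json(obj, fields):
    """Recursively replace values of keys in `fields` (case-insensitive) with asterisks
    of equal length, mirroring what sanitiseArg does for form parameters."""
    if isinstance(obj, dict):
        return {k: "*" * len(str(v)) if k.lower() in fields else mask_json(v, fields)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_json(v, fields) for v in obj]
    return obj

def sanitise_entry(entry, fields=("cvv",)):
    """Mask `fields` inside the JSON request body (part C) of one audit-log entry.
    Entries whose request headers (part B) are not application/json come back unchanged."""
    wanted = {f.lower() for f in fields}
    spans = find_parts(entry)
    b_start, b_end = spans.get("B", (0, 0))
    if "C" not in spans or "application/json" not in entry[b_start:b_end].lower():
        return entry  # form-encoded bodies are already covered by sanitiseArg
    c_start, c_end = spans["C"]
    body = entry[c_start:c_end].strip()
    try:
        masked = json.dumps(mask_json(json.loads(body), wanted), separators=(",", ":"))
    except json.JSONDecodeError:
        masked = "*" * len(body)  # unparseable body: mask it whole rather than leak it
    return entry[:c_start] + "\n" + masked + "\n" + entry[c_end:]
```

Run it over each file under SecAuditLogStorageDir (or each entry of a serial log) before the logs leave the host; it is a compensating control only, not a substitute for engine-side sanitisation.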