Re: [mod-security-users] Sanitize JSON Request / Response
From: Cristiano G. <cri...@ga...> - 2018-03-14 23:50:09
Hello there!
If ModSecurity can parse the values of JSON payloads, why can it not sanitize them?
This is nonsense to me.
Look at this request:
$> curl -H "Content-Type: application/json" -X POST -d '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate
and this is the audit log:
--9eb5dc70-A--
[14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80
--9eb5dc70-B--
POST /Authenticate HTTP/1.1
Host: localhost
User-Agent: curl/7.47.0
Accept: */*
Content-Type: application/json
Content-Length: 36
--9eb5dc70-C--
{"CVV":"123","blah":"/bin/bash"}
--9eb5dc70-E--
{"message":"Failed"}
--9eb5dc70-F--
HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Content-Type: application/json
Content-Length: 190
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Connection: close
--9eb5dc70-H--
Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"]
Apache-Handler: proxy-server
Stopwatch: 1521070655519139 8420 (- - -)
Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, p4=129, p5=86, sr=35, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.18
Sanitised-Args: "CVV".
Engine-Mode: "DETECTION_ONLY"
--9eb5dc70-Z--
Cristiano Galdino
(61) 9860 1 9860
cri...@ga...
On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, wrote:
> Sorry, I was a bit quick to jump to that conclusion. Overlooked your remark
> on JSON.
>
> I confirm this does not work.
>
> Sanitisation is generally an issue, as there is no sanitisation in the alerts
> written into the error log, even if that is less severe than the audit log.
>
> Best,
>
> Christian
>
>
> On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
> > Yep! My application uses JSON payloads.
> > Christian, please try it:
> > $> curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}'
> > [1]http://localhost/?id=/bin/bash
> >
> > Cristiano Galdino
> > (61) 9860 1 9860
> > cri...@ga...
> >
> > On 14 Mar 2018 18:38 -0300, Robert Paprocki
> > <rpa...@fe...>, wrote:
> >
> > Christian, you tested with an application/x-www-form-urlencoded request; Cristiano's use case involves JSON-encoded bodies.
> > I do not believe JSON request bodies can be translated into data collections that can have sanitize actions applied on them at this point.
> >
> > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini
> > <[2]chr...@ne...> wrote:
> >
> > Hello Cristiano,
> > I did the following request:
> > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> > and got the following audit log when using CRS3 (parameter exec triggering the writing of the audit log):
> > --a7997f3d-A--
> > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
> > --a7997f3d-B--
> > POST / HTTP/1.1
> > Host: localhost
> > User-Agent: curl/7.50.1
> > Accept: */*
> > Content-Length: 38
> > Content-Type: application/x-www-form-urlencoded
> > --a7997f3d-C--
> > CVV=*******************&exec=/bin/bash
> > --a7997f3d-F--
> > HTTP/1.1 200 OK
> > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> > ETag: "2d-5608741dac6fd"
> > Accept-Ranges: bytes
> > Content-Length: 45
> > Content-Type: text/html
> > ...
> > I'm running ModSec 2.9.2 on Apache 2.4.29, both self-compiled according to the tutorials on [3]netnea.com.
> > My ModSec configuration:
> > ------------------------------------------------------------------------------
> > SecRuleEngine On
> > SecRequestBodyAccess On
> > SecRequestBodyLimit 10000000
> > SecRequestBodyNoFilesLimit 64000
> > SecResponseBodyAccess On
> > SecResponseBodyLimit 10000000
> > SecTmpDir /tmp/
> > SecDataDir /tmp/
> > SecUploadDir /tmp/
> > SecDebugLog /apache/logs/modsec_debug.log
> > SecDebugLogLevel 3
> > SecAuditEngine RelevantOnly
> > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > SecAuditLogParts ABEFHIJZ
> > SecAuditLogType Concurrent
> > SecAuditLog /apache/logs/modsec_audit.log
> > SecAuditLogStorageDir /apache/logs/audit/
> > SecPcreMatchLimit 500000
> > SecPcreMatchLimitRecursion 500000
> > SecDefaultAction "phase:2,pass,log"
> > # == ModSec Rule ID Namespace Definition
> > # Service-specific before Core-Rules: 10000 - 49999
> > # Service-specific after Core-Rules: 50000 - 79999
> > # Locally shared rules: 80000 - 99999
> > # - Performance: 90000 - 90199
> > # Recommended ModSec Rules (few): 200000 - 200010
> > # OWASP Core-Rules: 900000 - 999999
> > # === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
> > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
> > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
> > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
> > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
> > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
> > # SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"
> > # === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
> > SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
> > logdata:'%{reqbody_error_msg}',severity:2"
> > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> > "id:'200002',phase:2,t:none,log,deny,status:403, \
> > msg:'Multipart request body failed strict validation: \
> > PE %{REQBODY_PROCESSOR_ERROR}, \
> > BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> > DB %{MULTIPART_DATA_BEFORE}, \
> > DA %{MULTIPART_DATA_AFTER}, \
> > HF %{MULTIPART_HEADER_FOLDING}, \
> > LF %{MULTIPART_LF_LINE}, \
> > SM %{MULTIPART_MISSING_SEMICOLON}, \
> > IQ %{MULTIPART_INVALID_QUOTING}, \
> > IP %{MULTIPART_INVALID_PART}, \
> > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> > # === ModSecurity Rules (ids: 900000-999999)
> > # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> > Include /home/dune73/data/git/crs-official/crs-setup.conf.example
> > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
> > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"
> > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
> > # SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> > # SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> > # SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> > # SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> > # SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> > SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > # === ModSecurity Core Rules Inclusion
> > Include /home/dune73/data/git/crs-official/rules/*.conf
> > # === ModSec Core Rules: Startup Time Rules Exclusions
> > # === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
> > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
> > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
> > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
> > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
> > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"
> > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
> > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
> > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
> > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
> > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
> > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
> > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
> > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
> > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
> > SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> > SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> > # === End ModSec Configuration
> > ------------------------------------------------------------------------------
> > So I think this generally works. If it does not for you, then please try and reproduce the behaviour on the latest ModSec version of the 2.9 series and open a bug report in case.
> > Ahoj,
> > Christian
> > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > > Hi Christian!
> > > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > > Apache 2.4.18-2ubuntu3.5
> > > Tks!
> > >
> > > Cristiano Galdino
> > > [4]cri...@ga...
> > >
> > > On 14 Mar 2018 17:55 -0300, Christian Folini <[5]chr...@ne...>, wrote:
> > >
> > > Hello Cristiano,
> > > What platform are you using? (-> ModSec version, Apache / NGINX / IIS?)
> > > Ahoj,
> > > Christian
> > > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
> > >
> > > Hello!
> > > I created a rule in ModSecurity to sanitize param CVV (credit card) but it is not working.
> > > Samples:
> > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > > This prevents me from using ModSecurity because PCI does not allow CVV to be stored.
> > > I found this issue without a response.
> > > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715
> > > What can I do?
> > > Cristiano Galdino
> > > [7]cri...@ga...
> > > References
> > > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715
> > >
> > > ------------------------------------------------------------------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! [9]http://sdm.link/slashdot
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > [10]mod...@li...
> > > [11]https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > [12]http://www.modsecurity.org/projects/commercial/rules/
> > > [13]http://www.modsecurity.org/projects/commercial/support/
> > >
> > > --
> > > [14]https://www.feistyduck.com/training/modsecurity-training-course
> > > [15]https://www.feistyduck.com/books/modsecurity-handbook/
> > > mailto:[16]chr...@ne...
> > > twitter: @ChrFolini
> >
> > References
> >
> > 1. http://localhost:3000/api/login
> > 2. mailto:chr...@ne...
> > 3. http://netnea.com/
> > 4. mailto:cri...@ga...
> > 5. mailto:chr...@ne...
> > 6. https://github.com/SpiderLabs/ModSecurity/issues/715
> > 7. mailto:cri...@ga...
> > 8. https://github.com/SpiderLabs/ModSecurity/issues/715
> > 9. http://sdm.link/slashdot
> > 10. mailto:mod...@li...
> > 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 12. http://www.modsecurity.org/projects/commercial/rules/
> > 13. http://www.modsecurity.org/projects/commercial/support/
> > 14. https://www.feistyduck.com/training/modsecurity-training-course
> > 15. https://www.feistyduck.com/books/modsecurity-handbook/
> > 16. mailto:chr...@ne...
> > 17. http://sdm.link/slashdot
> > 18. mailto:mod...@li...
> > 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 20. http://www.modsecurity.org/projects/commercial/rules/
> > 21. http://www.modsecurity.org/projects/commercial/support/
> > 22. http://sdm.link/slashdot
> > 23. mailto:mod...@li...
> > 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 25. http://www.modsecurity.org/projects/commercial/rules/
> > 26. http://www.modsecurity.org/projects/commercial/support/
> > 27. https://www.feistyduck.com/training/modsecurity-training-course
> > 28. https://www.feistyduck.com/books/modsecurity-handbook/
> > 29. mailto:chr...@ne...
> > 30. http://sdm.link/slashdot
> > 31. mailto:mod...@li...
> > 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > 33. http://www.modsecurity.org/projects/commercial/rules/
> > 34. http://www.modsecurity.org/projects/commercial/support/
>
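Added example, not code from any poster or from the ModSecurity project: since sanitiseArg cannot reach fields inside a JSON body, a defender can mask the named keys in the request/response body parts (C and E) of the serial audit log before the log is retained. It assumes the "--id-X--" part layout shown in the audit logs quoted in this thread; the sample log and the card fields in it are constructed.

```python
import json
import re

# Boundary line of a ModSecurity 2.x serial audit-log part ("--9eb5dc70-C--"),
# captured so re.split keeps it between the part bodies
PART_RE = re.compile(r"(?m)^(--[0-9a-f]+-[A-Z]--)$")
# Parts whose body sanitiseArg never masks for JSON: C = request body,
# E = intermediate response body
BODY_PARTS = {"C", "E"}

# Constructed sample, trimmed from the audit log quoted in the thread
SAMPLE = """--9eb5dc70-B--
POST /Authenticate HTTP/1.1
Content-Type: application/json
--9eb5dc70-C--
{"CVV":"123","card":{"number":"4111111111111111","exp":"12/29"}}
--9eb5dc70-E--
{"message":"Failed"}
--9eb5dc70-Z--
"""


def mask(value):
    """Replace a value with asterisks of equal length, as sanitiseArg does."""
    return "*" * len(str(value))


def scrub_json(obj, keys):
    """Recursively mask every value whose key (case-insensitive) is in keys."""
    if isinstance(obj, dict):
        return {k: mask(v) if k.lower() in keys else scrub_json(v, keys)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_json(v, keys) for v in obj]
    return obj


def scrub_audit_log(text, sensitive_keys):
    """Return the log with the named JSON fields masked in parts C and E.
    Bodies that are not valid JSON are kept verbatim, never dropped."""
    keys = {k.lower() for k in sensitive_keys}
    chunks = PART_RE.split(text)  # [prefix, boundary, body, boundary, body, ...]
    for i in range(1, len(chunks), 2):
        if chunks[i][-3] not in BODY_PARTS:  # part letter sits before the "--"
            continue
        try:
            data = json.loads(chunks[i + 1])
        except ValueError:
            continue  # not JSON (e.g. form-encoded): keep as recorded
        masked = json.dumps(scrub_json(data, keys), separators=(",", ":"))
        chunks[i + 1] = "\n" + masked + "\n"
    return "".join(chunks)
```

Part H alert lines (and the error log, as Christian notes above) can still quote a matched value, so this covers the bodies only.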