Re: [mod-security-users] Sanitize JSON Request / Response
From: Osama E. <oel...@gm...> - 2018-03-15 20:08:04
I don't think the proposed patch actually works. I tried patching v2.9.2 with it and even using v2 master, but with no success. Have you been able to get the patch working, Robert?

--
Osama Elnaggar

On March 15, 2018 at 11:06:37 AM, Robert Paprocki (rpa...@fe...) wrote:

Have a look at https://github.com/SpiderLabs/ModSecurity/commit/f86de566d18dda6351ecba52d5e5f1d29ad02a12

JSON body audit log sanitization was only very recently introduced; it has not yet made its way to a formal release. (I need to check sources before opening my mouth :p). So you can rebuild ModSecurity off `v2/master` if you want to test this functionality. :)

On Wed, Mar 14, 2018 at 4:47 PM, Cristiano Galdino <cri...@ga...> wrote:

> Hello there!
>
> If modsecurity can parse the values of JSON payloads, why can it not sanitize them?
>
> This is nonsense to me.
>
> Look at this request:
> $> curl -H "Content-Type: application/json" -X POST -d '{"CVV":"123","blah":"/bin/bash"}' localhost/Authenticate
>
> and this is the audit log:
>
> --9eb5dc70-A--
> [14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80
> --9eb5dc70-B--
> POST /Authenticate HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 36
>
> --9eb5dc70-C--
> {"CVV":"123","blah":"/bin/bash"}
> --9eb5dc70-E--
> {"message":"Failed"}
> --9eb5dc70-F--
> HTTP/1.1 400 Bad Request
> Access-Control-Allow-Origin: *
> Content-Type: application/json
> Content-Length: 190
> X-Content-Type-Options: nosniff
> X-Frame-Options: sameorigin
> Connection: close
>
> --9eb5dc70-H--
> Message: Warning. Matched phrase "bin/bash" at ARGS:blah. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:blah: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"]
> Apache-Handler: proxy-server
> Stopwatch: 1521070655519139 8420 (- - -)
> Stopwatch2: 1521070655519139 8420; combined=1400, p1=343, p2=801, p3=40, p4=129, p5=86, sr=35, sw=1, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
> Server: Apache/2.4.18
> Sanitised-Args: "CVV".
> Engine-Mode: "DETECTION_ONLY"
>
> --9eb5dc70-Z--
>
> Cristiano Galdino
> (61) 9860 1 9860
> cri...@ga...
>
> On 14 Mar 2018 19:05 -0300, Christian Folini <chr...@ne...>, wrote:
>
> > Sorry, I was a bit quick to jump to that conclusion. I overlooked your remark on JSON.
> >
> > I confirm this does not work.
> >
> > Sanitation is generally an issue, as there is no sanitation in the alerts written into the error log, even if it is less severe than the audit log.
> >
> > Best,
> >
> > Christian
> >
> > On Wed, Mar 14, 2018 at 06:41:25PM -0300, Cristiano Galdino wrote:
> >
> > > Yep! My application uses JSON payloads.
> > > Christian, please try it:
> > > $> curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}' [1]http://localhost/?id=/bin/bash
> > >
> > > Cristiano Galdino
> > > (61) 9860 1 9860
> > > cri...@ga...
> > >
> > > On 14 Mar 2018 18:38 -0300, Robert Paprocki <rpa...@fe...>, wrote:
> > >
> > > > Christian, you tested with an application/x-www-form-urlencoded request; Cristiano's use case involves JSON-encoded bodies.
> > > > I do not believe JSON request bodies can be translated into data collections that can have sanitize actions applied on them at this point.
> > > >
> > > > On Wed, Mar 14, 2018 at 2:34 PM, Christian Folini <[2]chr...@ne...> wrote:
> > > >
> > > > > Hello Cristiano,
> > > > >
> > > > > I did the following request:
> > > > >
> > > > > $> curl localhost -d "CVV=0000-0000-0000-0000" -d "exec=/bin/bash"
> > > > >
> > > > > and got the following audit log when using CRS3 (parameter exec triggering the writing of the audit log):
> > > > >
> > > > > --a7997f3d-A--
> > > > > [14/Mar/2018:22:29:03 +0100] WqmUH6r6pkVX9OUmJm3aggAAAAM 127.0.0.1 50058 127.0.0.1 40080
> > > > > --a7997f3d-B--
> > > > > POST / HTTP/1.1
> > > > > Host: localhost
> > > > > User-Agent: curl/7.50.1
> > > > > Accept: */*
> > > > > Content-Length: 38
> > > > > Content-Type: application/x-www-form-urlencoded
> > > > > --a7997f3d-C--
> > > > > CVV=*******************&exec=/bin/bash
> > > > > --a7997f3d-F--
> > > > > HTTP/1.1 200 OK
> > > > > Last-Modified: Sun, 17 Dec 2017 11:08:45 GMT
> > > > > ETag: "2d-5608741dac6fd"
> > > > > Accept-Ranges: bytes
> > > > > Content-Length: 45
> > > > > Content-Type: text/html
> > > > > ...
> > > > >
> > > > > I'm running ModSec 2.9.2 on Apache 2.4.29, both self-compiled according to the tutorials on [3]netnea.com.
> > > > >
> > > > > My ModSec configuration:
> > > > >
> > > > > ------------------------------------------------------------------------------
> > > > > SecRuleEngine On
> > > > > SecRequestBodyAccess On
> > > > > SecRequestBodyLimit 10000000
> > > > > SecRequestBodyNoFilesLimit 64000
> > > > > SecResponseBodyAccess On
> > > > > SecResponseBodyLimit 10000000
> > > > > SecTmpDir /tmp/
> > > > > SecDataDir /tmp/
> > > > > SecUploadDir /tmp/
> > > > > SecDebugLog /apache/logs/modsec_debug.log
> > > > > SecDebugLogLevel 3
> > > > > SecAuditEngine RelevantOnly
> > > > > SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> > > > > SecAuditLogParts ABEFHIJZ
> > > > > SecAuditLogType Concurrent
> > > > > SecAuditLog /apache/logs/modsec_audit.log
> > > > > SecAuditLogStorageDir /apache/logs/audit/
> > > > > SecPcreMatchLimit 500000
> > > > > SecPcreMatchLimitRecursion 500000
> > > > > SecDefaultAction "phase:2,pass,log"
> > > > >
> > > > > # == ModSec Rule ID Namespace Definition
> > > > > # Service-specific before Core-Rules: 10000 - 49999
> > > > > # Service-specific after Core-Rules: 50000 - 79999
> > > > > # Locally shared rules: 80000 - 99999
> > > > > # - Performance: 90000 - 90199
> > > > > # Recommended ModSec Rules (few): 200000 - 200010
> > > > > # OWASP Core-Rules: 900000 - 999999
> > > > >
> > > > > # === ModSec timestamps at the start of each phase (ids: 90000 - 90009)
> > > > > SecAction "id:'90000',phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
> > > > > SecAction "id:'90001',phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
> > > > > SecAction "id:'90002',phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
> > > > > SecAction "id:'90003',phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
> > > > > SecAction "id:'90004',phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
> > > > > # SecRule REQUEST_FILENAME "@beginsWith /" "id:'90005',phase:5,t:none,nolog,noauditlog,pass,setenv:write_perflog"
> > > > >
> > > > > # === ModSec Recommended Rules (in modsec src package) (ids: 200000-200010)
> > > > > SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> > > > > SecRule REQBODY_ERROR "!@eq 0" "id:'200001',phase:2,t:none,deny,status:400,log,msg:'Failed to parse request body.',\
> > > > > logdata:'%{reqbody_error_msg}',severity:2"
> > > > > SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> > > > > "id:'200002',phase:2,t:none,log,deny,status:403, \
> > > > > msg:'Multipart request body failed strict validation: \
> > > > > PE %{REQBODY_PROCESSOR_ERROR}, \
> > > > > BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> > > > > BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> > > > > DB %{MULTIPART_DATA_BEFORE}, \
> > > > > DA %{MULTIPART_DATA_AFTER}, \
> > > > > HF %{MULTIPART_HEADER_FOLDING}, \
> > > > > LF %{MULTIPART_LF_LINE}, \
> > > > > SM %{MULTIPART_MISSING_SEMICOLON}, \
> > > > > IQ %{MULTIPART_INVALID_QUOTING}, \
> > > > > IP %{MULTIPART_INVALID_PART}, \
> > > > > IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> > > > > FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> > > > > SecRule TX:/^MSC_/ "!@streq 0" "id:'200004',phase:2,t:none,deny,status:500,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> > > > >
> > > > > # === ModSecurity Rules (ids: 900000-999999)
> > > > > # === ModSec Core Rules Base Configuration (ids: 900001-900021)
> > > > > Include /home/dune73/data/git/crs-official/crs-setup.conf.example
> > > > > SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=500,setvar:tx.outbound_anomaly_score_threshold=500"
> > > > > SecAction "id:'900000',phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=4"
> > > > >
> > > > > # === ModSecurity Ignore Rules Before Core Rules Inclusion; order by id of ignored rule (ids: 10000-49999)
> > > > > # SecRule ARGS:a "." "id:1001,phase:2,pass,log,msg:'XXX1: %{MATCHED_VAR}'"
> > > > > # SecRule ARGS_GET:a "." "id:1002,phase:2,pass,log,msg:'XXX2: %{MATCHED_VAR}'"
> > > > > # SecRule ARGS_POST:a "." "id:1003,phase:2,pass,log,msg:'XXX3: %{MATCHED_VAR}'"
> > > > > # SecRule REQUEST_URI "." "id:1004,phase:2,pass,log,msg:'XXX4: %{MATCHED_VAR}'"
> > > > > # SecRule REQUEST_HEADERS:User-Agent "." "id:1005,phase:2,pass,log,msg:'XXX5: %{MATCHED_VAR}'"
> > > > > SecRule ARGS:b "." "id:1006,phase:2,pass,log,auditlog,msg:'XXX6: %{MATCHED_VAR}'"
> > > > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > > > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > > > >
> > > > > # === ModSecurity Core Rules Inclusion
> > > > > Include /home/dune73/data/git/crs-official/rules/*.conf
> > > > >
> > > > > # === ModSec Core Rules: Startup Time Rules Exclusions
> > > > >
> > > > > # === ModSec timestamps at the end of each phase (ids: 90010 - 90019)
> > > > > SecAction "id:'90010',phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
> > > > > SecAction "id:'90011',phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
> > > > > SecAction "id:'90012',phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
> > > > > SecAction "id:'90013',phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
> > > > > SecAction "id:'90014',phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"
> > > > >
> > > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > > > SecAction "id:'90100',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=%{PERF_PHASE1}"
> > > > > SecAction "id:'90101',phase:5,pass,nolog,setvar:TX.perf_modsecinbound=+%{PERF_PHASE2}"
> > > > > SecAction "id:'90102',phase:5,pass,nolog,setvar:TX.perf_application=%{TX.ModSecTimestamp3start}"
> > > > > SecAction "id:'90103',phase:5,pass,nolog,setvar:TX.perf_application=-%{TX.ModSecTimestamp2end}"
> > > > > SecAction "id:'90104',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=%{PERF_PHASE3}"
> > > > > SecAction "id:'90105',phase:5,pass,nolog,setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4}"
> > > > > SecAction "id:'90106',phase:5,pass,nolog,setenv:ModSecTimeIn=%{TX.perf_modsecinbound}"
> > > > > SecAction "id:'90107',phase:5,pass,nolog,setenv:ApplicationTime=%{TX.perf_application}"
> > > > > SecAction "id:'90108',phase:5,pass,nolog,setenv:ModSecTimeOut=%{TX.perf_modsecoutbound}"
> > > > > SecAction "id:'90109',phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score}"
> > > > > SecAction "id:'90110',phase:5,pass,nolog,setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
> > > > >
> > > > > # === End ModSec Configuration
> > > > > ------------------------------------------------------------------------------
> > > > >
> > > > > So I think this generally works. If it does not for you, then please try and reproduce the behaviour on the latest ModSec version of the 2.9 series and open a bug report in case.
> > > > >
> > > > > Ahoj,
> > > > >
> > > > > Christian
> > > > >
> > > > > On Wed, Mar 14, 2018 at 06:13:04PM -0300, Cristiano Galdino wrote:
> > > > >
> > > > > > Hi Christian!
> > > > > > Modsecurity: 2.9.0-1 (from Ubuntu repository)
> > > > > > Apache 2.4.18-2ubuntu3.5
> > > > > > Tks!
> > > > > >
> > > > > > Cristiano Galdino
> > > > > > [4]cri...@ga...
> > > > > >
> > > > > > On 14 Mar 2018 17:55 -0300, Christian Folini <[5]chr...@ne...>, wrote:
> > > > > >
> > > > > > > Hello Cristiano,
> > > > > > >
> > > > > > > What platform are you using? (-> ModSec version, Apache / NGINX / IIS?)
> > > > > > >
> > > > > > > Ahoj,
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > On Wed, Mar 14, 2018 at 05:06:28PM -0300, Cristiano Galdino wrote:
> > > > > > >
> > > > > > > > Hello!
> > > > > > > > I created a rule in ModSecurity to sanitize param CVV (credit card) but it is not working.
> > > > > > > > Samples:
> > > > > > > > SecAction "nolog,phase:2,id:101,sanitiseArg:CVV"
> > > > > > > > SecAction "nolog,phase:4,id:102,sanitiseArg:CVV_Reponse"
> > > > > > > > This prevents me from using modsecurity because PCI does not allow CVV to be stored.
> > > > > > > > I found this issue without a response.
> > > > > > > > [1][6]https://github.com/SpiderLabs/ModSecurity/issues/715
> > > > > > > > What can I do?
> > > > > > > >
> > > > > > > > Cristiano Galdino
> > > > > > > > [7]cri...@ga...
> > > > > > > >
> > > > > > > > References
> > > > > > > > 1. [8]https://github.com/SpiderLabs/ModSecurity/issues/715
> > > > > > > >
> > > > > > > > ------------------------------------------------------------------------------
> > > > > > > > Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! [9]http://sdm.link/slashdot
> > > > > > > > _______________________________________________
> > > > > > > > mod-security-users mailing list
> > > > > > > > [10]mod...@li...
> > > > > > > > [11]https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > > [12]http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > > [13]http://www.modsecurity.org/projects/commercial/support/
> > > > > > >
> > > > > > > --
> > > > > > > [14]https://www.feistyduck.com/training/modsecurity-training-course
> > > > > > > [15]https://www.feistyduck.com/books/modsecurity-handbook/
> > > > > > > mailto:[16]chr...@ne...
> > > > > > > twitter: @ChrFolini
> > >
> > > References
> > >
> > > 1. http://localhost:3000/api/login
> > > 2. mailto:chr...@ne...
> > > 3. http://netnea.com/
> > > 4. mailto:cri...@ga...
> > > 5. mailto:chr...@ne...
> > > 6. https://github.com/SpiderLabs/ModSecurity/issues/715
> > > 7. mailto:cri...@ga...
> > > 8. https://github.com/SpiderLabs/ModSecurity/issues/715
> > > 9. http://sdm.link/slashdot
> > > 10. mailto:mod...@li...
> > > 11. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > 12. http://www.modsecurity.org/projects/commercial/rules/
> > > 13. http://www.modsecurity.org/projects/commercial/support/
> > > 14. https://www.feistyduck.com/training/modsecurity-training-course
> > > 15. https://www.feistyduck.com/books/modsecurity-handbook/
> > > 16. mailto:chr...@ne...
> > > 17. http://sdm.link/slashdot
> > > 18. mailto:mod...@li...
> > > 19. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > 20. http://www.modsecurity.org/projects/commercial/rules/
> > > 21. http://www.modsecurity.org/projects/commercial/support/
> > > 22. http://sdm.link/slashdot
> > > 23. mailto:mod...@li...
> > > 24. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > 25. http://www.modsecurity.org/projects/commercial/rules/
> > > 26. http://www.modsecurity.org/projects/commercial/support/
> > > 27. https://www.feistyduck.com/training/modsecurity-training-course
> > > 28. https://www.feistyduck.com/books/modsecurity-handbook/
> > > 29. mailto:chr...@ne...
> > > 30. http://sdm.link/slashdot
> > > 31. mailto:mod...@li...
> > > 32. https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > 33. http://www.modsecurity.org/projects/commercial/rules/
> > > 34. http://www.modsecurity.org/projects/commercial/support/
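The thread's conclusion is that ModSecurity 2.9.x applies `sanitiseArg` to form-encoded arguments (Christian's log shows `CVV=*******************`, one asterisk per character) but writes JSON request and response bodies to the audit log untouched until the `v2/master` change lands. Until a release with that change is deployed, a defender can scrub the audit log after it is written. The following is an added example, not code from this thread or from the ModSecurity project: a small post-processor that splits one audit-log entry on its `--<id>-<part>--` boundaries, reads the Content-Type from the request (B) and response (F) header parts, and masks the values stored under named JSON keys in the body parts (C and E) the same way `sanitiseArg` masks a form argument. The sample entry, the key names and all function names are constructed for the example. It goes beyond the thread's flat `{"CVV":"123"}` case in two ways: it masks every scalar nested under a sensitive key (objects and arrays), and a body that claims to be JSON but does not parse is masked textually rather than passed through unchanged.

```python
import json
import re

# Constructed sample, modelled on the audit-log entry quoted in the thread:
# "--<id>-<part>--" boundary lines, parts A/B/C/E/F/H, and Z closing the entry.
SAMPLE_ENTRY = """\
--9eb5dc70-A--
[14/Mar/2018:20:37:35 --0300] WqmyP6wfJasAAFQJf@AAAAAS 127.0.0.1 53230 127.0.0.1 80
--9eb5dc70-B--
POST /Authenticate HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 32

--9eb5dc70-C--
{"CVV":"123","blah":"/bin/bash"}
--9eb5dc70-E--
{"message":"Failed","CVV_Response":"123"}
--9eb5dc70-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json

--9eb5dc70-H--
Message: Warning. Matched phrase "bin/bash" at ARGS:blah.
Engine-Mode: "DETECTION_ONLY"
--9eb5dc70-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)


def split_parts(entry):
    """Return [(entry_id, part_letter, body)]; body is the text up to the next boundary."""
    hits = list(BOUNDARY.finditer(entry))
    parts = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(entry)
        parts.append((m.group(1), m.group(2), entry[m.end() + 1:end]))
    return parts


def content_type(header_block):
    """Lower-cased Content-Type value from a request (B) or response (F) header block."""
    for line in header_block.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip().lower()
    return ""


def mask_value(value):
    # Same visible effect as sanitiseArg on a form-encoded argument: one '*' per
    # character, so the length survives for debugging but the content does not.
    return "*" * len(str(value))


def mask_json(obj, keys, mask_all=False):
    """Mask every scalar stored under a sensitive key, including nested objects/arrays."""
    if isinstance(obj, dict):
        return {k: mask_json(v, keys, mask_all or k.lower() in keys) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_json(v, keys, mask_all) for v in obj]
    return mask_value(obj) if mask_all else obj


def mask_json_text(body, keys):
    """Fallback for a body that claims to be JSON but does not parse (truncated or
    malformed): mask "key":"value" pairs textually instead of leaking them."""
    for key in keys:
        pat = re.compile(r'("' + re.escape(key) + r'"\s*:\s*")((?:[^"\\]|\\.)*)(")', re.IGNORECASE)
        body = pat.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), body)
    return body


def sanitise_json_body(body, keys):
    """Mask sensitive keys in one JSON body part, preserving its trailing newline."""
    core = body.rstrip()
    if not core:
        return body
    try:
        data = json.loads(core)
    except ValueError:
        return mask_json_text(body, keys)
    masked = json.dumps(mask_json(data, keys), separators=(",", ":"))
    return masked + body[len(core):]


def sanitise_entry(entry, sensitive_keys=("CVV", "CVV_Response")):
    """Rewrite one audit-log entry, masking JSON request (C) and response (E) bodies.
    Key names are compared case-insensitively (a conservative choice for this example)."""
    keys = {k.lower() for k in sensitive_keys}
    parts = split_parts(entry)
    headers = {letter: body for _, letter, body in parts if letter in ("B", "F")}
    out = []
    for entry_id, letter, body in parts:
        header_part = {"C": "B", "E": "F"}.get(letter)  # body part -> its header part
        if header_part and "application/json" in content_type(headers.get(header_part, "")):
            body = sanitise_json_body(body, keys)
        out.append("--%s-%s--\n%s" % (entry_id, letter, body))
    return "".join(out)


if __name__ == "__main__":
    print(sanitise_entry(SAMPLE_ENTRY))
```

Run it over each entry before the audit log is shipped or retained; with a `SecAuditLogType Concurrent` setup like Christian's, that means every file under `SecAuditLogStorageDir`. It only covers parts C and E: as Christian notes above, the alert lines in part H and in the error log are not sanitised either, and a rule that happens to match on the CVV value would still quote it in its `[data ...]` field, so those lines need a separate check.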