Re: [mod-security-users] Sanitize JSON Request / Response
From: Robert P. <rpa...@fe...> - 2018-04-04 18:50:03
Hi,

On Wed, Apr 4, 2018 at 3:48 AM, Osama Elnaggar <oel...@gm...> wrote:

> Hi Robert,
>
> Sorry for the late reply. I was a little busy the past 2 weeks.
>
> I just retested it (on 2.9.2 + manually patching the two files mentioned
> here - https://github.com/SpiderLabs/ModSecurity/pull/1714/files) It
> looks like:
>
> - it works if the output format (SecAuditLogFormat) is JSON
> - it doesn't work if the output is Native
>
> For example, with the following rule:
>
> SecAction "phase:5,id:22,nolog,pass,sanitiseArg:cvv"
>
> and the following request:
>
> curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}'
> http://localhost/?id=/bin/bash
>
> and SecAuditLogFormat JSON, I get the following:
>
> .. "body":["{\"cvv\":\"***\"}"]} ..
>
> while with normal native logging, I get the following:
>
> --c2397953-C--
> {"cvv":"123"}
>
> In my previous email below, I was looking at native logging so it appeared
> that it wasn’t sanitizing the output.
>
> Thanks.
>

Are you sure you applied the patch and rebuilt correctly? I have modsec built against commit 8d4124eee26cc018f6ed306e0d404737ce82c849 and loaded into Apache 2.4. JSON body sanitization does indeed work for me with native audit logging with this:

root@mini-vm:~# curl -H "Content-Type: application/json" -X POST -d '{"cvv":"123"}' http://localhost/?id=/bin/bash
root@mini-vm:~# cat /var/log/apache2/modsec_audit.log
--0c9caa71-A--
[04/Apr/2018:11:46:49 --0700] WsUdmX8AAQEAAbGcdh4AAAAA 127.0.0.1 39072 127.0.0.1 80
--0c9caa71-B--
POST /?id=/bin/bash HTTP/1.1
Host: localhost
User-Agent: curl/7.47.0
Accept: */*
Content-Type: application/json
Content-Length: 13
--0c9caa71-C--
{"cvv":"***"}
--0c9caa71-F--
HTTP/1.1 200 OK
Last-Modified: Mon, 12 Mar 2018 20:28:52 GMT
ETag: "2c39-5673cfd7c5884"
Accept-Ranges: bytes
Content-Length: 11321
Vary: Accept-Encoding
Content-Type: text/html
--0c9caa71-H--
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of Require all granted: granted
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of <RequireAny>: granted
Stopwatch: 1522867609080274 935 (- - -)
Stopwatch2: 1522867609080274 935; combined=202, p1=93, p2=69, p3=3, p4=3, p5=34, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/).
Server: Apache/2.4.18 (Ubuntu)
Sanitised-Args: "cvv".
Engine-Mode: "ENABLED"
--0c9caa71-Z--
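
The comparison made in this thread can be automated. The following is an added example, not part of the original message or of ModSecurity: it splits a native-format audit log into sections and reports transactions whose section C JSON body still shows a value for an argument that should be masked. The function names, the `expected` parameter, the choice to match key names at any nesting depth, and the sample log are assumptions made for the illustration.

```python
import json
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--[ \t]*$", re.M)  # e.g. --0c9caa71-C--

def split_entries(text):
    """Map transaction id -> {section letter: section body} for a native audit log."""
    parts = BOUNDARY.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    entries = {}
    for tx, letter, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        entries.setdefault(tx, {})[letter] = body.strip()
    return entries

def leaked(node, names, path=""):
    """Paths of keys in `names` (any depth, an assumption) whose value is not all '*'."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)
    else:
        return []
    found = []
    for key, value in items:
        here = f"{path}.{key}" if path else str(key)
        if isinstance(value, (dict, list)):
            found += leaked(value, names, here)
        elif key in names and value is not None:
            if not re.fullmatch(r"\**", str(value)):
                found.append(here)
    return found

def check_log(text, expected=()):
    """Return {transaction id: [leaked key paths]} for JSON bodies in section C."""
    report = {}
    for tx, sec in split_entries(text).items():
        header = re.search(r"^Sanitised-Args:(.*)$", sec.get("H", ""), re.M)
        names = set(expected) | set(re.findall(r'"([^"]+)"', header.group(1) if header else ""))
        try:
            hits = leaked(json.loads(sec.get("C", "")), names)
        except ValueError:
            continue  # no request body, or the body is not JSON
        if hits:
            report[tx] = hits
    return report

# Constructed sample (C, H and Z sections only): one masked body, one unmasked body.
SAMPLE = ('--aaaa0001-C--\n{"cvv":"***"}\n--aaaa0001-H--\nSanitised-Args: "cvv".\n--aaaa0001-Z--\n'
          '--aaaa0002-C--\n{"cvv":"123"}\n--aaaa0002-H--\nEngine-Mode: "ENABLED"\n--aaaa0002-Z--\n')
print(check_log(SAMPLE, expected=["cvv"]))
```

Pass the argument names your rules sanitise in `expected`, so an entry is still checked when its H section carries no `Sanitised-Args` line.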