Re: [mod-security-users] Mod security rule
From: Manuel S. <spa...@gm...> - 2019-01-29 02:47:07
Hi Matthijs,

You will have lots of trouble with that type of request; it will trigger many rules and you will end up with a huge list of disabled rules. Take a look at rule 9002700 from the CRS, which, similar to your use case, has to deal with scary payloads and ended up whitelisting a similar ARG from several rules by id and by tag to make it work:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

Remember that doing that also opens your site to attacks, and PHP is a powerful language that can easily be used for doing nasty stuff, so try as much as possible to do positive validation and whitelist the content ARG from as few rules as you can, and if you can, add AppArmor or SELinux on top of it to prevent some of the attacks (there are several tutorials, but here is an easy one to follow: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/ ).

Good luck!

Sent from my iPhone

> On 28 Jan 2019, at 10:23, Matthijs Möhlmann <mat...@ca...> wrote:
>
> Hello all,
>
> This is my first post on the mod security mailing list. Do tell me if I am on the wrong list or did not give enough information.
>
> Currently I have ModSecurity running on our webserver but am getting a 403 on a valid request. I don't blame ModSecurity but the web developer, because it's not really standard practice how they send the data.
> The developer tells me that he can't change the current code and asked me to whitelist this request.
>
> It is a POST request to a webform with a parameter 'content' which is problematic. After adding the following rule:
>
> SecRule REQUEST_URI "@beginsWith /php/xhr/ajax.php" "id:1,phase:1,pass,ctl:ruleRemoveTargetById=941110;ARGS:content,ctl:ruleRemoveTargetById=941160;ARGS:content,ctl:ruleRemoveTargetById=941100;ARGS:content"
>
> I can see in the logs that the rule is evaluated and the rules are not evaluated (according to how I interpret the logs).
>
> Before adding this rule, I get the following log:
>
> [Mon Jan 28 16:11:41.786860 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: expect found within ARGS:content: <p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22><strong> Beste<span class=\\x22js-customer-name\\x22></span>, </strong></p>\\x0a<p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22>Bedankt voor je interesse in Gardini. We hebben je aanvraag bekeken en versturen hierbij een aantal ontwerpen voor..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html
> [Mon Jan 28 16:11:41.788859 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:content. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "267"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22><strong> Beste<span class=\\x22js-customer-name\\x22></span>, </strong></p>\\x0a<p style=\\x22font-family: Arial, Helvetica, sans-serif; margin: 0; padding: 0; font-size: 14px; line-height: 19px; color: #555555;\\x22>Bedankt voor je interesse in Gardini. We hebben je aanvraag bekeken en versturen hierbij een aantal ontwerpen voor jouw tuin. We hebben een selectie..."] [severity "CRITICAL"] [ver "O [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html
> [Mon Jan 28 16:11:41.806143 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html
> [Mon Jan 28 16:11:41.806488 2019] [:error] [pid 29543] [client 127.0.0.1:52049] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8brR1hhu4iGRiJND3QdgAAAEo"], referer: https://example.com/tuinen-archief.html
>
> And those are the logs after I added the rule:
>
> [Mon Jan 28 16:13:04.299976 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Warning. String match "/php/xhr/ajax.php" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-example.com.conf"] [line "76"] [id "1"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html
> [Mon Jan 28 16:13:04.366574 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html
> [Mon Jan 28 16:13:04.367032 2019] [:error] [pid 6007] [client 127.0.0.1:52054] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 5: Disallowed HTML Attributes"] [tag "event-correlation"] [hostname "example.com"] [uri "/php/xhr/ajax.php"] [unique_id "XE8cANrOxSULdso9GnrLGwAAAGU"], referer: https://example.com/tuinen-archief.html
>
> As you can see, I still get a '403 Forbidden'.
>
> I am obviously missing something but I cannot find why. I already tried adding 'setvar:anomaly_score-=5' and other parts. In my opinion one should not disable the rules 949110 and 980130, then SQL injections won't be detected properly (as an example)?
>
> Can someone help me out with what I am missing here?
>
> Regards, Matthijs
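An added example (not from either message above, and not CRS code) of the "by tag, narrowly scoped" exclusion Manuel points at: the second log set shows a fourth XSS rule ("XSS Filter - Category 5") still scoring 5 against the threshold of 5, so excluding three ids by hand is a losing game. It assumes CRS 3.x tag names (the attack-xss tag is visible in the 941100 log entry), that the rule is loaded before the CRS rules (the CRS ships REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for exactly this), and a chosen local rule id of 10001.

```apache
# Added example, not from the thread. Strip ARGS:content from every rule
# tagged attack-xss (the REQUEST-941 family) for the one webform endpoint,
# instead of listing 941100/941110/941160 and hoping no other XSS rule
# still pushes TX:anomaly_score to the threshold.
#
# Scope is kept as narrow as possible, in the spirit of positive validation:
#   - REQUEST_FILENAME with @streq, not REQUEST_URI with @beginsWith, so the
#     query string and any longer path sharing the prefix do not match
#   - POST only, which is the only method the webform uses
#   - only the single argument 'content'; every other part of the request
#     (other args, headers, cookies, the body as a whole) stays fully
#     inspected, and SQLi/RCE/LFI rules still look at 'content' too
#
# Rule ids 1-99999 are reserved for local rules. Drop 'nolog' while testing
# if you want to see the match in the error log, as with id 1 above.
SecRule REQUEST_FILENAME "@streq /php/xhr/ajax.php" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        ctl:ruleRemoveTargetByTag=attack-xss;ARGS:content"
```

This leaves the XSS family entirely blind to that one argument, so the application must still encode or sanitize 'content' before it is rendered; the WAF exclusion only stops the false positive, it does not make the stored HTML safe.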