Re: [mod-security-users] Rule breaks access to website
From: Christian F. <chr...@ne...> - 2019-10-10 08:03:36
Joe,

Did you put that rule 131 before the CRS include in the configuration?
It may be that you try to sanitize after the alert has been written.

Christian

On Thu, Oct 10, 2019 at 07:53:58AM +0000, Madden, Joe via mod-security-users wrote:
> Hi All,
>
> So adding pass works but it doesn't work as expected.
>
> For example, I have a login page and I use ''''select * fromusers '''' to trigger the SQL injection rule 942190
>
> With this in place:
>
> # Never log passwords
> SecAction "nolog,pass,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"
>
> The website is accessible, but the log entry is not sanitised:
>
> Message: Warning. Pattern match "(?i:(?:[\"'`](?:;?\\s*?(?:having|select|union)\\b\\s*?[^\\s]|\\s*?!\\s*?[\"'`\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:password. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "190"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
>
> Am I missing something in order to blank out the matched data fields?
>
> Thanks
>
> Joe.
>
> -----Original Message-----
> From: Madden, Joe via mod-security-users <mod...@li...>
> Sent: 10 October 2019 08:21
> To: mod...@li...
> Cc: Madden, Joe <Joe...@mo...>
> Subject: Re: [mod-security-users] Rule breaks access to website
>
> Thank you all - I'll give it a try today!
>
> Joe.
>
> -----Original Message-----
> From: Reindl Harald <h.r...@th...>
> Sent: 09 October 2019 15:53
> To: mod...@li...
> Subject: Re: [mod-security-users] Rule breaks access to website
>
> On 09.10.19 at 16:28, Madden, Joe via mod-security-users wrote:
> > Hi there,
> >
> > I was kinda following this example here:
> >
> > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)
> >
> > Where would the pass go just after nolog,?
>
> it doesn't matter
>
> ,phase:1,pass,nolog,
> ,phase:1,nolog,pass,
> ,pass,phase:1,nolog,
>
> it's all the same
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
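
A check for whether a log entry still exposes the arguments that rule 131 is meant to sanitise, added here as an example and not part of the original thread. It assumes the `[data "Matched Data: ... found within ARGS:<name>: <value>"]` layout seen in the quoted log entry and that sanitised bytes are logged as `*`; the names `inspect`, `redact` and `SAMPLE` are hypothetical.

```python
import re

# Arguments that rule 131 in the thread marks for sanitisation.
SENSITIVE_ARGS = {"password", "newPassword", "oldPassword"}

RULE_ID = re.compile(r'\[id "(\d+)"\]')
# [data "Matched Data: <match> found within ARGS:<name>: <value>"]
DATA = re.compile(
    r'(?P<head>\[data "Matched Data: )(?P<match>.*?)'
    r'(?P<mid> found within ARGS:(?P<arg>[^:\s]+): )'
    r'(?P<value>.*?)(?P<tail>"\])(?= \[|\s*$)'
)


def inspect(line):
    """Return (rule_id, arg) if the line still exposes a sensitive value."""
    m = DATA.search(line)
    if not m or m["arg"] not in SENSITIVE_ARGS:
        return None
    # Assumption: sanitised bytes appear as '*' characters in the log.
    if not (m["match"] + m["value"]).strip("*"):
        return None
    rid = RULE_ID.search(line)
    return (rid[1] if rid else None, m["arg"])


def redact(line):
    """Mask matched data and value of sensitive arguments, keeping lengths."""
    def mask(m):
        if m["arg"] not in SENSITIVE_ARGS:
            return m[0]
        return (m["head"] + "*" * len(m["match"]) + m["mid"]
                + "*" * len(m["value"]) + m["tail"])
    return DATA.sub(mask, line)


# Constructed sample lines, shortened from the log entry quoted in the thread.
SAMPLE = [
    """[id "942190"] [data "Matched Data: 'select* found within """
    """ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"]""",
    """[id "942190"] [data "Matched Data: 'select* found within """
    """ARGS:comment: ''''select* fromusers''''"] [severity "CRITICAL"]""",
    """[id "942190"] [data "Matched Data: ******** found within """
    """ARGS:password: *************************"] [severity "CRITICAL"]""",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect(line), redact(line))
```

Running `inspect` over the log after a configuration change shows whether any entry for the listed arguments still carries the submitted value; `redact` can scrub entries already written before they are forwarded.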