[mod-security-users] Writing a ctl:ruleRemoveTargetById rule
From: micah a. <mi...@ri...> - 2020-11-02 22:06:06
Hi, I'd like to make the following a bit better:

    SecRuleUpdateTargetById 942260 !ARGS:password
    SecRuleUpdateTargetById 942430 !ARGS:password
    SecRuleUpdateTargetById 941310 !ARGS:password

to override those rules for passwords submitted to my application, which are incorrectly triggering those rules (see below). However, I wanted to scope it more narrowly by doing something like:

    SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442200,ctl:ruleRemoveTargetById=942260;ARGS:password"
    SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442201,ctl:ruleRemoveTargetById=942430;ARGS:password"
    SecRule REQUEST_URI "@strEq /session" "phase:2,log,pass,id:442202,ctl:ruleRemoveTargetById=941310;ARGS:password"

but when I put these into place, they do not seem to work.

This is the log from when it's caught (I've replaced sensitive things with xxx):

    --2722c108-A--
    [02/Nov/2020:12:54:08 --0800] X6Bx8Mb8mfcAAAeXNtcAAAAO 127.0.0.1 52022 127.0.0.1 80
    --2722c108-B--
    POST /session HTTP/1.1
    Host: xxx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://xxx
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 388
    Origin: http://xxx
    Connection: keep-alive
    Cookie: nest_session=xxx
    Upgrade-Insecure-Requests: 1

    --2722c108-C--
    utf8=%E2%9C%93&authenticity_token=xxx&username=yyy&password=asdasdasd&button=

    --2722c108-F--
    HTTP/1.1 403 Forbidden
    Content-Length: 327
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1

    --2722c108-E--
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.25 (Debian) Server at xxx Port 80</address>
    </body></html>

    --2722c108-H--
    Message: Pattern match "xxx" at ARGS:password. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "552"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: xxx found within ARGS:password: xxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
    Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
    Action: Intercepted (phase 2)
    Stopwatch: 1604350448184704 14273 (- - -)
    Stopwatch2: 1604350448184704 14273; combined=12511, p1=1103, p2=10834, p3=0, p4=0, p5=573, sr=94, sw=1, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
    Server: Apache/2.4.25 (Debian)
    Engine-Mode: "ENABLED"

--
micah
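An added example, not from the post above or from the CRS project itself: the shape the OWASP CRS documentation prescribes for a scoped runtime exclusion with ctl. Such rules belong in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or any file Apache loads before the CRS rule files), run in phase 1 so that they execute before the phase-2 rules they modify, and carry an id in the 1-99,999 range reserved for local rules. The path /session and the rule ids 941310, 942260 and 942430 are taken from the post; the rule id 10001, the use of REQUEST_FILENAME, and nolog are my choices.

```apache
# Constructed example: scoped exclusion of ARGS:password on the login
# endpoint for three CRS rules.  Place it in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it is loaded, and hence
# evaluated, before the rules it modifies.
#
# REQUEST_FILENAME carries the request path without the query string, so
# "/session?x=1" still matches; REQUEST_URI with @streq would not.
# Rule id 10001 is an arbitrary local id (CRS reserves 1-99,999 for that).
SecRule REQUEST_FILENAME "@streq /session" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941310;ARGS:password,\
    ctl:ruleRemoveTargetById=942260;ARGS:password,\
    ctl:ruleRemoveTargetById=942430;ARGS:password"
```

Two properties of ctl matter here. First, a ctl action only affects the current transaction from the point at which it executes, and rules within a phase execute in configuration order; a phase:2 ctl rule that sits in a file loaded after the CRS rule files (for example the AFTER-CRS exclusion file) therefore runs after 941310 has already fired and changes nothing. Whether that is what happened in the post depends on where those rules were placed, which it does not say. Second, the exclusion above removes only ARGS:password from the three rules; every other argument on /session is still inspected by them, which is the reason to prefer ruleRemoveTargetById over ruleRemoveById for a login form. To confirm it works, submit the same form and check that the audit log H section no longer contains a Message line with [id "941310"] against ARGS:password.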