Re: [Mod-security-developers] rule 921170

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hey Huiming,

Please be aware this is the ModSecurity mailing list and your question refers
to the Core Rule Set, which has its own mailing list.

But no problem, I'll respond here.

A request parameter xxx with value yyy is added to two collection in
ModSecurity.

* ARGS_NAMES will get an item xxx
* ARGS will get an item yyy

A duplicate parameter means that a given parameter (ab in your baidu example)
has been submitted multiple times in a request.

So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].

Now rule 921170 iterates over ARGS_NAMES and creates a variable
TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then
to 2 with the 2nd occurrence.

So TX.paramcounter_ab is 2 after 921170.

921180 will then check whether any of these paramcounters is greater than one.
The ab paramcounter is, thus the rule 921180 is triggered.

This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
positives on certain applications. Issuing a parameter multiple times in a
request is no problem per se and perfectly valid for a web application. But it
is also a technique of attackers. So if a service makes use of multiple
submission of the same parameter in a given request, you need to fix the false
positive with a rule exclusion.

This is a special case since you can not simply remove ab from 921180. Instead
you need to do the following:

# ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"

Hope this helps!

Christian

On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers
wrote:
> hi,
> 
> 
> SecRule ARGS_NAMES "@rx ." \ &nbsp; &nbsp; "id:921170,\ &nbsp; &nbsp;
> phase:2,\ &nbsp; &nbsp; pass,\ &nbsp; &nbsp; nolog,\ &nbsp; &nbsp;
> tag:'application-multi',\ &nbsp; &nbsp; tag:'language-multi',\ &nbsp; &nbsp;
> tag:'platform-multi',\ &nbsp; &nbsp; tag:'attack-protocol',\ &nbsp; &nbsp;
> tag:'paranoia-level/3',\ &nbsp; &nbsp; tag:'OWASP_CRS',\ &nbsp; &nbsp;
> tag:'capec/1000/152/137/15/460',\ &nbsp; &nbsp; ver:'OWASP_CRS/3.4.0-dev',\
> &nbsp; &nbsp; setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> 
> 
> 
> The rule generate only one variable named&nbsp; TX.paramcount_ARGS_NAMES,
> and assigned the count item in&nbsp; ARGS_NAMES.&nbsp; but this should not
> be the target I think. because the target is to find duplicate parameters.
> It should generate a different variable named TX.paramcount_xxx for every
> variable name,&nbsp; xxx is the variable name.  The value is
> TX.paramcount_xxx is the count of xxx in ARGS_NAMES.&nbsp; &nbsp;same
> variable name can exist&nbsp; in ARGS_NAMES multiple times. for example
> http://www.baidu.com?ab=3&amp;ab=6
> 
> 
> my understanding is wrong?
> 
> 
> huiming thanks

> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php