Re: [Mod-security-developers] rule 921170
From: Christian F. <chr...@ne...> - 2022-02-23 08:25:14
Hey Huiming,

Please be aware this is the ModSecurity mailing list and your question refers to the Core Rule Set, which has its own mailing list. But no problem, I'll respond here.

A request parameter xxx with value yyy is added to two collections in ModSecurity.

* ARGS_NAMES will get an item xxx
* ARGS will get an item yyy

A duplicate parameter means that a given parameter (ab in your baidu example) has been submitted multiple times in a request. So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].

Now rule 921170 iterates over ARGS_NAMES and creates a variable TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then to 2 with the 2nd occurrence. So TX.paramcounter_ab is 2 after 921170.

921180 will then check whether any of these paramcounters is greater than one. The ab paramcounter is, thus the rule 921180 is triggered.

This is a PL3 rule. Thus a very sensitive rule that brings quite a few false positives on certain applications. Issuing a parameter multiple times in a request is no problem per se and perfectly valid for a web application. But it is also a technique of attackers. So if a service makes use of multiple submission of the same parameter in a given request, you need to fix the false positive with a rule exclusion.

This is a special case since you cannot simply remove ab from 921180. Instead you need to do the following:

# ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"

Hope this helps!

Christian

On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers wrote:
> hi,
>
> SecRule ARGS_NAMES "@rx ." \
>     "id:921170,\
>     phase:2,\
>     pass,\
>     nolog,\
>     tag:'application-multi',\
>     tag:'language-multi',\
>     tag:'platform-multi',\
>     tag:'attack-protocol',\
>     tag:'paranoia-level/3',\
>     tag:'OWASP_CRS',\
>     tag:'capec/1000/152/137/15/460',\
>     ver:'OWASP_CRS/3.4.0-dev',\
>     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
>
> The rule generates only one variable named TX.paramcount_ARGS_NAMES, and assigns it the count of items in ARGS_NAMES. But this should not be the target, I think, because the target is to find duplicate parameters. It should generate a different variable named TX.paramcount_xxx for every variable name, where xxx is the variable name. The value of TX.paramcount_xxx is the count of xxx in ARGS_NAMES. The same variable name can exist in ARGS_NAMES multiple times, for example
> http://www.baidu.com?ab=3&ab=6
>
> Is my understanding wrong?
>
> huiming thanks
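The following Python model is an added example and is not code from the thread, from ModSecurity or from the Core Rule Set. It walks through the mechanism Christian describes: 921170 increments one TX counter per ARGS_NAMES item, 921180 fires when any counter exceeds one, and the SecRuleUpdateTargetById exclusion removes a single counter from 921180's targets. Two assumptions are built in: MATCHED_VAR_NAME expands to the collection-qualified name (ARGS_NAMES:ab), which is why the exclusion Christian posted names TX:paramcounter_ARGS_NAMES:ab, and 921180 is modelled as a rule whose target is every TX variable matching paramcounter_.* with the @gt 1 operator. Function names and the sample query strings are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Added example: emulates how ModSecurity populates ARGS_NAMES and how the
# CRS 921170 / 921180 pair detects HTTP Parameter Pollution (HPP).


def args_names(query: str) -> list[str]:
    """ARGS_NAMES for a query string: one item per submitted parameter,
    duplicates preserved in order (ModSecurity does not de-duplicate)."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def rule_921170(names: list[str]) -> dict[str, int]:
    """Emulates setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1' run once
    per ARGS_NAMES item. Assumption: MATCHED_VAR_NAME is 'ARGS_NAMES:<key>',
    so the TX variable is TX.paramcounter_ARGS_NAMES:<key>."""
    tx: dict[str, int] = {}
    for name in names:
        var = f"paramcounter_ARGS_NAMES:{name}"
        tx[var] = tx.get(var, 0) + 1
    return tx


# Assumption: 921180 targets TX:/paramcounter_.*/ with operator "@gt 1".
PARAMCOUNTER_TARGET = re.compile(r"^paramcounter_.*")


def rule_921180(tx: dict[str, int], excluded: tuple[str, ...] = ()) -> list[tuple[str, int]]:
    """Emulates 921180. `excluded` holds targets removed via
    SecRuleUpdateTargetById 921180 "!TX:<var>", e.g.
    "TX:paramcounter_ARGS_NAMES:ab". Returns the (variable, count) pairs
    that would trigger the rule."""
    excluded_vars = {e[len("TX:"):] if e.startswith("TX:") else e for e in excluded}
    hits = []
    for var, count in tx.items():
        if not PARAMCOUNTER_TARGET.match(var) or var in excluded_vars:
            continue
        if count > 1:  # @gt 1
            hits.append((var, count))
    return hits


def hpp_alerts(query: str, exclusions: tuple[str, ...] = ()) -> list[tuple[str, int]]:
    """Run the pair of rules over one query string."""
    return rule_921180(rule_921170(args_names(query)), exclusions)


if __name__ == "__main__":
    # Constructed sample: the duplicate parameter from the thread, plus one extra.
    q = "ab=3&ab=6&c=1"
    print(args_names(q))                    # ['ab', 'ab', 'c']
    print(rule_921170(args_names(q)))       # ab counted twice, c once
    print(hpp_alerts(q))                    # 921180 fires on ab
    # With the exclusion Christian posted, the same request passes 921180.
    print(hpp_alerts(q, ("TX:paramcounter_ARGS_NAMES:ab",)))
```

Note that the exclusion only silences the counter for ab; a request that also repeats c still triggers 921180 on paramcounter_ARGS_NAMES:c, which is the behaviour you want from a targeted rule exclusion.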