Re: [Mod-security-developers] Re: rule 921170
From: Christian F. <chr...@ne...> - 2022-02-23 08:37:32
On Wed, Feb 23, 2022 at 04:28:37PM +0800, huiming via mod-security-developers wrote:
> but MATCHED_VAR_NAME is ARGS_NAMES, not ab. So it will not work as expected.
Hmm. It's supposed to be ARGS_NAMES:ab.
What is your platform?
It works fine on my Apache / ModSec 2.9 and I am not aware of issues on
different platforms.
$ curl "http://localhost/?ab=3&ab=6"
-> [2022-02-23 09:35:17.466868] [-:error] 127.0.0.1:52484
YhXxxRDDjxbxdo51x3q-xAAAAAI [client 127.0.0.1] ModSecurity: Warning. Pattern
match "TX:paramcounter_(.*)" at TX:paramcounter_ARGS_NAMES:ab. [file
"/home/dune73/data/git/crs-official/rules/REQUEST-921-PROTOCOL-ATTACK.conf"]
[line "346"] [id "921180"] [msg "HTTP Parameter Pollution (ARGS_NAMES:ab)"]
[data "Matched Data: TX:paramcounter_ARGS_NAMES:ab found within
TX:paramcounter_ARGS_NAMES:ab: TX:paramcounter_ARGS_NAMES:ab"] [severity
"CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS"] [tag "capec/1000/152/137/15/460"] [tag "paranoia-level/3"]
[hostname "localhost"] [uri "/"] [unique_id "YhXxxRDDjxbxdo51x3q-xAAAAAI"]
Best,
Christian
>
> ------------------ Original Message ------------------
> From: "Christian Folini" <chr...@ne...>;
> Sent: Wednesday, February 23, 2022, 4:25 PM
> To: "huiming via mod-security-developers" <mod...@li...>;
> Cc: "huiming" <877...@qq...>;
> Subject: Re: [Mod-security-developers] rule 921170
>
>
>
> Hey Huiming,
>
> Please be aware this is the ModSecurity mailing list and your question
> refers to the Core Rule Set, which has its own mailing list.
>
> But no problem, I'll respond here.
>
> A request parameter xxx with value yyy is added to two collections in
> ModSecurity.
>
> * ARGS_NAMES will get an item xxx
> * ARGS will get an item yyy
>
> A duplicate parameter means that a given parameter (ab in your baidu
> example) has been submitted multiple times in a request.
>
> So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].
>
> Now rule 921170 iterates over ARGS_NAMES and creates a variable
> TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and
> then to 2 with the 2nd occurrence.
>
> So TX.paramcounter_ab is 2 after 921170.
>
> 921180 will then check whether any of these paramcounters is greater than
> one. The ab paramcounter is, thus the rule 921180 is triggered.
>
> This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
> positives on certain applications. Issuing a parameter multiple times in a
> request is no problem per se and perfectly valid for a web application. But
> it is also a technique of attackers. So if a service makes use of multiple
> submission of the same parameter in a given request, you need to fix the
> false positive with a rule exclusion.
>
> This is a special case since you can not simply remove ab from 921180.
> Instead you need to do the following:
>
> # ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
> SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"
>
> Hope this helps!
>
> Christian
>
> On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via
> mod-security-developers wrote:
> > hi,
> >
> > SecRule ARGS_NAMES "@rx ." \
> >     "id:921170,\
> >     phase:2,\
> >     pass,\
> >     nolog,\
> >     tag:'application-multi',\
> >     tag:'language-multi',\
> >     tag:'platform-multi',\
> >     tag:'attack-protocol',\
> >     tag:'paranoia-level/3',\
> >     tag:'OWASP_CRS',\
> >     tag:'capec/1000/152/137/15/460',\
> >     ver:'OWASP_CRS/3.4.0-dev',\
> >     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> >
> > The rule generates only one variable named TX.paramcount_ARGS_NAMES,
> > and assigns it the count of items in ARGS_NAMES. But this should not
> > be the target, I think, because the target is to find duplicate
> > parameters. It should generate a different variable named
> > TX.paramcount_xxx for every variable name, where xxx is the variable
> > name. The value of TX.paramcount_xxx is the count of xxx in
> > ARGS_NAMES. The same variable name can exist in ARGS_NAMES multiple
> > times. For example:
> > http://www.baidu.com?ab=3&ab=6
> >
> > Is my understanding wrong?
> >
> > huiming, thanks
> >
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
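The mechanism the thread walks through (921170 building one TX counter per ARGS_NAMES entry via MATCHED_VAR_NAME, 921180 flagging any counter above one, and the SecRuleUpdateTargetById exclusion removing a single counter from 921180's targets) can be modelled in a few lines of Python. This is an added illustration, not ModSecurity or CRS code; the function names and the query strings are constructed for the example, and the only thing it takes from the thread is the variable naming shown in Christian's log, where the MATCHED_VAR_NAME for an ARGS_NAMES entry is ARGS_NAMES:ab and the resulting counter is TX:paramcounter_ARGS_NAMES:ab.

```python
from urllib.parse import parse_qsl

# Constructed model of CRS rules 921170 and 921180 as described in the thread.
# Not ModSecurity code: it only mimics the variable naming the engine uses.


def args_names(query):
    """Model of the ARGS_NAMES collection: one entry per submitted parameter
    name, duplicates kept in request order (ab=3&ab=6 -> ["ab", "ab"])."""
    return [name for name, _value in parse_qsl(query, keep_blank_values=True)]


def rule_921170(names):
    """Model of 921170: iterate ARGS_NAMES and apply
    setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1' to every entry.
    MATCHED_VAR_NAME for an ARGS_NAMES item is "ARGS_NAMES:<name>", so the
    counter is keyed per parameter name, not once for the whole collection."""
    tx = {}
    for name in names:
        matched_var_name = "ARGS_NAMES:" + name
        counter = "TX:paramcounter_" + matched_var_name
        tx[counter] = tx.get(counter, 0) + 1  # "=+1" increments, starting from 0
    return tx


def rule_921180(tx, excluded_targets=()):
    """Model of 921180: every TX:paramcounter_* variable greater than one is
    reported as HTTP Parameter Pollution for that parameter reference.
    excluded_targets models a rule exclusion such as
    SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab",
    which removes only that one variable from the rule's target list."""
    excluded = set(excluded_targets)
    prefix = "TX:paramcounter_"
    hits = []
    for counter, count in tx.items():
        if counter in excluded:
            continue
        if count > 1:
            hits.append(counter[len(prefix):])  # e.g. "ARGS_NAMES:ab"
    return hits


def evaluate(query, exclusions=()):
    """Run both rules over a query string and return the parameter
    references 921180 would log, in request order."""
    tx = rule_921170(args_names(query))
    return rule_921180(tx, exclusions)


if __name__ == "__main__":
    # Constructed sample requests; the first is the one from the thread.
    print(evaluate("ab=3&ab=6"))
    print(evaluate("ab=3&cd=6"))
    print(evaluate("ab=3&ab=6", ("TX:paramcounter_ARGS_NAMES:ab",)))
    print(evaluate("ab=3&ab=6&cd=1&cd=2", ("TX:paramcounter_ARGS_NAMES:ab",)))
```

The last call shows why the exclusion has to name the full counter rather than the parameter: with ab excluded, a duplicated cd in the same request is still reported, which is the behaviour you want from a per-parameter rule exclusion.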