Re: [Mod-security-developers] 回复： 回复： rule 921170

[Christian F. <chr...@ne...>]

On Wed, Feb 23, 2022 at 04:31:15PM +0800, huiming wrote:
> MATCHED_VAR_NAME should be changed to MATCHED_VAR. 

No, MATCHED_VAR is the value of the variable, while MATCHED_VAR_NAME is the
key. So MATCHED_VAR is 3 and then 6, while MATCHED_VAR_NAME is ab in both
cases.

> will send a log after a while.

Please do.

Cheers,

Christian

> 
> 
> 
> 
> 
> 
> ------------------ 原始邮件 ------------------
> 发件人:                                                                                                                        "mod-security-developers"                                                                                    <mod...@li...&gt;;
> 发送时间:&nbsp;2022年2月23日(星期三) 下午4:28
> 收件人:&nbsp;"Christian Folini"<chr...@ne...&gt;;"huiming via mod-security-developers"<mod...@li...&gt;;
> 抄送:&nbsp;"huiming"<877...@qq...&gt;;
> 主题:&nbsp;[Mod-security-developers] 回复：  rule 921170
> 
> 
> 
> but MATCHED_VAR_NAME is ARGS_NAMES, not ab. so I will not work as expected.
> 
> 
> 
> 
> ------------------ 原始邮件 ------------------
> 发件人:                                                                                                                        "Christian Folini"                                                                                    <chr...@ne...&gt;;
> 发送时间:&nbsp;2022年2月23日(星期三) 下午4:25
> 收件人:&nbsp;"huiming via mod-security-developers"<mod...@li...&gt;;
> 抄送:&nbsp;"huiming"<877...@qq...&gt;;
> 主题:&nbsp;Re: [Mod-security-developers] rule 921170
> 
> 
> 
> Hey Huiming,
> 
> Please be aware this is the ModSecurity mailing list and your question refers
> to the Core Rule Set, which has its own mailing list.
> 
> But no problem, I'll respond here.
> 
> A request parameter xxx with value yyy is added to two collection in
> ModSecurity.
> 
> * ARGS_NAMES will get an item xxx
> * ARGS will get an item yyy
> 
> A duplicate parameter means that a given parameter (ab in your baidu example)
> has been submitted multiple times in a request.
> 
> So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].
> 
> Now rule 921170 iterates over ARGS_NAMES and creates a variable
> TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then
> to 2 with the 2nd occurrence.
> 
> So TX.paramcounter_ab is 2 after 921170.
> 
> 921180 will then check whether any of these paramcounters is greater than one.
> The ab paramcounter is, thus the rule 921180 is triggered.
> 
> This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
> positives on certain applications. Issuing a parameter multiple times in a
> request is no problem per se and perfectly valid for a web application. But it
> is also a technique of attackers. So if a service makes use of multiple
> submission of the same parameter in a given request, you need to fix the false
> positive with a rule exclusion.
> 
> This is a special case since you can not simply remove ab from 921180. Instead
> you need to do the following:
> 
> # ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
> SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"
> 
> Hope this helps!
> 
> Christian
> 
> 
> 
> 
> 
> 
> On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers
> wrote:
> &gt; hi,
> &gt; 
> &gt; 
> &gt; SecRule ARGS_NAMES "@rx ." \ &amp;nbsp; &amp;nbsp; "id:921170,\ &amp;nbsp; &amp;nbsp;
> &gt; phase:2,\ &amp;nbsp; &amp;nbsp; pass,\ &amp;nbsp; &amp;nbsp; nolog,\ &amp;nbsp; &amp;nbsp;
> &gt; tag:'application-multi',\ &amp;nbsp; &amp;nbsp; tag:'language-multi',\ &amp;nbsp; &amp;nbsp;
> &gt; tag:'platform-multi',\ &amp;nbsp; &amp;nbsp; tag:'attack-protocol',\ &amp;nbsp; &amp;nbsp;
> &gt; tag:'paranoia-level/3',\ &amp;nbsp; &amp;nbsp; tag:'OWASP_CRS',\ &amp;nbsp; &amp;nbsp;
> &gt; tag:'capec/1000/152/137/15/460',\ &amp;nbsp; &amp;nbsp; ver:'OWASP_CRS/3.4.0-dev',\
> &gt; &amp;nbsp; &amp;nbsp; setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> &gt; 
> &gt; 
> &gt; 
> &gt; The rule generate only one variable named&amp;nbsp; TX.paramcount_ARGS_NAMES,
> &gt; and assigned the count item in&amp;nbsp; ARGS_NAMES.&amp;nbsp; but this should not
> &gt; be the target I think. because the target is to find duplicate parameters.
> &gt; It should generate a different variable named TX.paramcount_xxx for every
> &gt; variable name,&amp;nbsp; xxx is the variable name.&nbsp; The value is
> &gt; TX.paramcount_xxx is the count of xxx in ARGS_NAMES.&amp;nbsp; &amp;nbsp;same
> &gt; variable name can exist&amp;nbsp; in ARGS_NAMES multiple times. for example
> &gt; http://www.baidu.com?ab=3&amp;amp;ab=6
> &gt; 
> &gt; 
> &gt; my understanding is wrong?
> &gt; 
> &gt; 
> &gt; huiming thanks
> 
> 
> &gt; _______________________________________________
> &gt; mod-security-developers mailing list
> &gt; mod...@li...
> &gt; https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> &gt; ModSecurity Services from Trustwave's SpiderLabs:
> &gt; https://www.trustwave.com/spiderLabs.php