Re: [Mod-security-developers] Re: Re: rule 921170
From: Christian F. <chr...@ne...> - 2022-02-23 08:38:38
On Wed, Feb 23, 2022 at 04:31:15PM +0800, huiming wrote:
> MATCHED_VAR_NAME should be changed to MATCHED_VAR.

No, MATCHED_VAR is the value of the variable, while MATCHED_VAR_NAME is the key.

So MATCHED_VAR is 3 and then 6, while MATCHED_VAR_NAME is ab in both cases.

> will send a log after a while.

Please do.

Cheers,

Christian

>
> ------------------ Original message ------------------
> From: "mod-security-developers" <mod...@li...>;
> Sent: Wednesday, February 23, 2022, 4:28 PM
> To: "Christian Folini" <chr...@ne...>; "huiming via mod-security-developers" <mod...@li...>;
> Cc: "huiming" <877...@qq...>;
> Subject: [Mod-security-developers] Re: rule 921170
>
> But MATCHED_VAR_NAME is ARGS_NAMES, not ab, so it will not work as expected.
>
> ------------------ Original message ------------------
> From: "Christian Folini" <chr...@ne...>;
> Sent: Wednesday, February 23, 2022, 4:25 PM
> To: "huiming via mod-security-developers" <mod...@li...>;
> Cc: "huiming" <877...@qq...>;
> Subject: Re: [Mod-security-developers] rule 921170
>
> Hey Huiming,
>
> Please be aware this is the ModSecurity mailing list and your question refers
> to the Core Rule Set, which has its own mailing list.
>
> But no problem, I'll respond here.
>
> A request parameter xxx with value yyy is added to two collections in
> ModSecurity.
>
> * ARGS_NAMES will get an item xxx
> * ARGS will get an item yyy
>
> A duplicate parameter means that a given parameter (ab in your baidu example)
> has been submitted multiple times in a request.
>
> So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].
>
> Now rule 921170 iterates over ARGS_NAMES and creates a variable
> TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then
> to 2 with the 2nd occurrence.
>
> So TX.paramcounter_ab is 2 after 921170.
>
> 921180 will then check whether any of these paramcounters is greater than one.
> The ab paramcounter is, thus the rule 921180 is triggered.
>
> This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
> positives on certain applications. Issuing a parameter multiple times in a
> request is no problem per se and perfectly valid for a web application. But it
> is also a technique of attackers. So if a service makes use of multiple
> submission of the same parameter in a given request, you need to fix the false
> positive with a rule exclusion.
>
> This is a special case since you cannot simply remove ab from 921180. Instead
> you need to do the following:
>
> # ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
> SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"
>
> Hope this helps!
>
> Christian
>
>
> On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers
> wrote:
> > hi,
> >
> > SecRule ARGS_NAMES "@rx ." \
> >     "id:921170,\
> >     phase:2,\
> >     pass,\
> >     nolog,\
> >     tag:'application-multi',\
> >     tag:'language-multi',\
> >     tag:'platform-multi',\
> >     tag:'attack-protocol',\
> >     tag:'paranoia-level/3',\
> >     tag:'OWASP_CRS',\
> >     tag:'capec/1000/152/137/15/460',\
> >     ver:'OWASP_CRS/3.4.0-dev',\
> >     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> >
> > The rule generates only one variable named TX.paramcount_ARGS_NAMES,
> > and assigns it the count of items in ARGS_NAMES. But this should not
> > be the target, I think, because the target is to find duplicate parameters.
> > It should generate a different variable named TX.paramcount_xxx for every
> > variable name, where xxx is the variable name. The value of
> > TX.paramcount_xxx is the count of xxx in ARGS_NAMES. The same
> > variable name can exist in ARGS_NAMES multiple times. For example:
> > http://www.baidu.com?ab=3&ab=6
> >
> > Is my understanding wrong?
> >
> > huiming thanks
> >
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
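As an added illustration of the mechanics discussed in this thread (not code from the thread, from ModSecurity or from the CRS), the following Python models the ARGS/ARGS_NAMES collections, the MATCHED_VAR versus MATCHED_VAR_NAME distinction, the 921170 counter, the 921180 check, and the effect of the SecRuleUpdateTargetById exclusion. It assumes MATCHED_VAR_NAME is the collection-qualified key (ARGS_NAMES:ab), the ModSecurity 2.x convention that the exclusion line above relies on; the query string is a constructed sample.

```python
from urllib.parse import parse_qsl

# Constructed sample request from the thread: the same parameter submitted twice.
SAMPLE_QUERY = "ab=3&ab=6"

def collections(query):
    """Build ARGS and ARGS_NAMES as ModSecurity does: one item per submitted
    pair, duplicates kept, order preserved. In ARGS_NAMES both key and value
    are the parameter name."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return {"ARGS": pairs, "ARGS_NAMES": [(n, n) for n, _ in pairs]}

def iterate(collection, items):
    """Return (MATCHED_VAR, MATCHED_VAR_NAME) for each item as a '@rx .'
    match would see them. Assumption (ModSecurity 2.x convention, matching
    the exclusion in the thread): MATCHED_VAR_NAME is '<COLLECTION>:<key>'."""
    return [(value, f"{collection}:{key}") for key, value in items]

def rule_921170(colls):
    """setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1' over every ARGS_NAMES item."""
    tx = {}
    for _, matched_var_name in iterate("ARGS_NAMES", colls["ARGS_NAMES"]):
        key = f"paramcounter_{matched_var_name}"
        tx[key] = tx.get(key, 0) + 1
    return tx

def rule_921180(tx, excluded_targets=()):
    """Check every TX paramcounter for '@gt 1'; return the counters that fire,
    skipping targets removed via SecRuleUpdateTargetById 921180 "!TX:...". """
    removed = set()
    for target in excluded_targets:
        target = target.lstrip("!")
        removed.add(target[3:] if target.startswith("TX:") else target)
    return sorted(k for k, n in tx.items()
                  if k.startswith("paramcounter_") and k not in removed and n > 1)

def evaluate(query, exclusions=()):
    """Run 921170 then 921180 over a query string; return (tx, firing counters)."""
    tx = rule_921170(collections(query))
    return tx, rule_921180(tx, exclusions)

if __name__ == "__main__":
    colls = collections(SAMPLE_QUERY)
    print(iterate("ARGS", colls["ARGS"]))              # MATCHED_VAR is 3, then 6
    print(iterate("ARGS_NAMES", colls["ARGS_NAMES"]))  # MATCHED_VAR is ab both times
    print(evaluate(SAMPLE_QUERY))
    print(evaluate(SAMPLE_QUERY, ["!TX:paramcounter_ARGS_NAMES:ab"])[1])
```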