Re: [mod-security-users] base64Decode
From: Ryan B. <Rya...@Br...> - 2007-07-12 11:01:46
The lowercase transformation function is breaking the Base64-encoded data, as Base64 is case sensitive. This is a great example of the additive nature of inherited transformation function values.

I am guessing that you updated Core Rule ID 950004 and added the t:lowercase action to it. As your debug output shows, this rule also inherited the SecDefaultAction transformation functions from the top of the modsecurity_crs_40_generic_attacks.conf file -

SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

If you want to use the base64Decode transformation function, then you will need to first specify "t:none" in the action portion of your rule (to clear out the inherited data) and then explicitly specify your own (excluding t:lowercase). Your updated action line would look like this -

"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:base64Decode,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',,id:'950004',severity:'2'"

And here is the new debug output -

T (0) urlDecodeUni: PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
T (0) htmlEntityDecode: PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
T (1) base64Decode: <script>alert(1)</script>\x00\x00
Executing operator rx with param "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|(?:\\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\\@import)\\b)" against ARGS:param.
Target value: <script>alert(1)</script>\x00\x00
Adding regex subexpression to TXVARS (0): <script
Operator completed in 102 usec.
Ctl: Set auditLogParts to ABIFHZE.
Rule returned 1.
Match, intercepted -> returning.
[31/May/2007:06:30:14 --0400] [blah/sid#8b66f48][rid#8cdc2f0][/cgi-bin/fup.cgi][1] Access denied with code 403 (phase 2). Pattern match "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*? ..." at ARGS:param. [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <<script>"] [severity "CRITICAL"]

Hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of SR
> Sent: Thursday, July 12, 2007 6:17 AM
> To: mod...@li...
> Subject: [mod-security-users] base64Decode
>
> Hi!
>
> I'm sending a Base64-encoded XSS vector. mod_security does not block
> the request, so I've set SecDebugLogLevel to 9.
> The vector '<script>alert(1)</script>' -> base64Decode
> 'PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==' has been sent in the request body
> (POST parameter).
>
> ...
> ...[9] Target value: \xf3]\x00
> ...[4] Operator completed in 7 usec.
> ...[9] T (0) urlDecodeUni: PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
> ...[9] T (0) htmlEntityDecode: PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
> ...[9] T (1) lowercase: phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg==
> ...[9] T (1) base64Decode: \xa6\x19\xe3ripu\xdean\v\xf2u\xc81\x92\xdc/si\xf2k\x16\xf4\xa6\x00f
> ...[4] Executing operator rx with param
> "(?:\\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\\b\\W*?\\b(?:text\\b(?:\\W*?\\b(?:j(?:ava)?|ecma)script\\b|[vbscript])|application\\b\\W*?\\bx-(?:java|vb)script\\b)|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\\b|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage)\\b|!\\[CDATA\\[|script|meta)|(?:\\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\\@import)\\b)"
> against ARGS:input.
> ...
>
> The output of base64Decode looks somehow scrambled. Anybody else
> trying to use t:base64Decode?
>
> Regards,
>
> SR
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
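The exchange above turns on one ModSecurity 2.x behaviour: a rule's t: actions are appended to whatever SecDefaultAction already set, so t:lowercase silently runs before t:base64Decode unless t:none resets the list. The following Python is an added illustration and is not ModSecurity's code or anything posted in the thread. It re-implements the four transformation functions as approximations (the lenient Base64 decoder in particular is an assumption; the real one emits the trailing \x00\x00 seen in Ryan's trace), carries the rule 950004 regex quoted in the thread, and compares SR's broken chain, Ryan's fix, and a third variant that goes beyond the thread by re-adding t:lowercase after t:base64Decode so the rule stays case-insensitive. The upper-case payload is constructed here and is not from the thread.

```python
"""Model of ModSecurity 2.x transformation-function inheritance (added example,
not ModSecurity's own code). Approximates t:urlDecodeUni, t:htmlEntityDecode,
t:lowercase, t:base64Decode and t:none well enough to reproduce the traces in
the thread and to compare three rule variants against rule 950004's regex."""
import base64
import binascii
import html
import re
import urllib.parse

# Transformations inherited from the SecDefaultAction quoted in the thread.
SEC_DEFAULT_ACTION_TX = ["urlDecodeUni", "htmlEntityDecode", "lowercase"]

# Sample input: the thread's Base64 vector, plus a constructed upper-case variant.
PAYLOAD_B64 = "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="  # <script>alert(1)</script>
UPPER_B64 = base64.b64encode(b"<SCRIPT>ALERT(1)</SCRIPT>").decode()


def url_decode_uni(s: str) -> str:
    """Approximation of t:urlDecodeUni: %XX, IIS-style %uXXXX, and '+' -> space."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote_plus(s)


def html_entity_decode(s: str) -> str:
    """Approximation of t:htmlEntityDecode."""
    return html.unescape(s)


def lowercase(s: str) -> str:
    return s.lower()


def base64_decode(s: str) -> str:
    """Approximation of t:base64Decode. Assumption: a lenient decoder that drops
    characters outside the alphabet and repairs padding. Decoded bytes are mapped
    1:1 to characters (latin-1) so binary garbage stays visible in the trace."""
    body = re.sub(r"[^A-Za-z0-9+/]", "", s)
    body += "=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(body)
    except binascii.Error:
        raw = b""
    return raw.decode("latin-1")


TRANSFORMS = {
    "urlDecodeUni": url_decode_uni,
    "htmlEntityDecode": html_entity_decode,
    "lowercase": lowercase,
    "base64Decode": base64_decode,
}

# The rule 950004 regex exactly as printed in the thread's debug log (unescaped).
XSS_950004 = re.compile(
    r"(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)"
    r"|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?="
    r"|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)"
    r"|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):"
    r"|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b|[vbscript])"
    r"|application\b\W*?\bx-(?:java|vb)script\b)"
    r"|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\("
    r"|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)"
    r"|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b"
    r"|a(?:ctivexobject\b|lert\b\W*?\())"
    r"|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b"
    r"|!\[CDATA\[|script|meta)"
    r"|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)"
)


def resolve_chain(rule_tx, inherited=SEC_DEFAULT_ACTION_TX):
    """Effective transformation list: inherited functions first, the rule's own
    appended, and t:none discarding everything listed before it."""
    chain = list(inherited) + list(rule_tx)
    if "none" in chain:
        last_none = max(i for i, t in enumerate(chain) if t == "none")
        chain = chain[last_none + 1:]
    return chain


def apply_transformations(value, rule_tx, inherited=SEC_DEFAULT_ACTION_TX):
    """Run the effective chain; return (final value, trace). Trace lines mirror
    the 'T (changed) name: value' lines in the thread's debug output."""
    trace = []
    for name in resolve_chain(rule_tx, inherited):
        new = TRANSFORMS[name](value)
        trace.append(f"T ({int(new != value)}) {name}: {new!r}")
        value = new
    return value, trace


def rule_matches(value, rule_tx, pattern=XSS_950004):
    """Emulate '@rx' plus 'capture' for rule 950004: return TX.0 or None."""
    decoded, _ = apply_transformations(value, rule_tx)
    m = pattern.search(decoded)
    return m.group(0) if m else None


# 1. SR's rule: t:base64Decode appended after the inherited t:lowercase.
BROKEN = ["base64Decode"]
# 2. Ryan's fix: t:none drops the inherited list and lowercase is left out.
RYAN_FIX = ["none", "urlDecodeUni", "htmlEntityDecode", "base64Decode"]
# 3. Assumption, not from the thread: lowercase re-added AFTER base64Decode.
FIX_WITH_LOWERCASE = RYAN_FIX + ["lowercase"]

if __name__ == "__main__":
    for label, tx in [("broken", BROKEN), ("ryan_fix", RYAN_FIX),
                      ("fix+lowercase", FIX_WITH_LOWERCASE)]:
        for payload in (PAYLOAD_B64, UPPER_B64):
            print(f"{label:14} {payload} -> TX.0={rule_matches(payload, tx)!r}")
    print("\n".join(apply_transformations(PAYLOAD_B64, BROKEN)[1]))
```

Two things worth noting when running it. First, the broken chain's decoded bytes begin \xa6\x19\xe3ripu\xdea, the same bytes SR's debug log shows, because lower-casing maps the Base64 digits to different alphabet indices rather than producing an error. Second, Ryan's fix is case-sensitive: `<SCRIPT>` in the decoded body slips past the regex, while the third variant catches it, since transformations run in the order listed. Keeping t:urlDecodeUni ahead of t:base64Decode is right for a form-encoded POST body, where the client must send a Base64 `+` as `%2B`; a raw `+` would be turned into a space before decoding.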