Thread: Re[3]: [mod-security-users] escape character problem - mod_security v1.9.2

Brought to you by: victorhora, zimmerletw

mod-security-users

Re[3]: [mod-security-users] escape character problem - mod_security v1.9.2

From: <gyo...@hi...> - 2006-05-19 09:42:52

Thank Ivan.

I tested this rule.
###
SecFilterSelective ARG_parameter1 "\\\""
###

It filters all messages which includes character ",
For example,
1, eewre"
2, \\\\\"
3, wert"dfgdf
4, fdf\\"dfgsd

I thought that the character \ was ignored.
Still need your help.
Thanks again.

>> Hi all:
>>
>> I am using mod_security 1.9.2 and Apache 2.0.55(Win32).
>> The server and client OS are Windows XP Pro SP2(Japanese).
>> Client browser is IE 6.0 SP2.
>>
>> Here is my problem. I want mod_security to filter a combined character \"(escape + double quotation).
>> I set modsecurity.conf like below.
>>
>> ##
>> SecFilterSelective POST_PAYLOAD "&ARG_parameter1=" chain
>> SecFilter "&ARG_parameter1=\\\"&"
>> ##
>>
>> I thought that regex patern \\\" can match string \". Unfortunately, It doesn't work at all.
>
>It can, you just need to write the correct rule ;)
>
>Here it is:
>
>  SecFilterSelective ARG_parameter1 "\\\""
>
>
>> But if you set modsecurity.conf like this,
>>
>> ##
>> SecFilterSelective POST_PAYLOAD "&ARG_parameter1=" chain
>> SecFilter "\\\""
>> ##
>>
>> It works well.
>
>Except if parameter1 is the first parameter in the payload, in which
>case it doesn't. It also matches cases when \" appears in some other
>parameter.
>
>-- 
>Ivan Ristic, Technical Director
>Thinking Stone, http://www.thinkingstone.com
>ModSecurity: Open source Web Application Firewall
>

Re[4]: [mod-security-users] escape character problem - mod_security v1.9.2

From: <gyo...@hi...> - 2006-05-19 10:33:27

Thank Ivan.

Here is real debug log:
...
[19/May/2006:13:17:56 +0900] [localhost/sid#2bc0a8][rid#6ef768][/post.html][4] Adding parameter: "username"="/\""
...
[19/May/2006:13:17:56 +0900] [localhost/sid#2bc0a8][rid#6ef768][/post.html][2] Checking signature "(username=\\\"&)" at POST_PAYLOAD
[19/May/2006:13:17:56 +0900] [localhost/sid#2bc0a8][rid#6ef768][/post.html][4] Checking against "bbsID=feedback&MsgID=12329&threadcode=00006051!&sticky=0&username=/\"&password=1&title=\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0&msgbody=&img=&file=&dig=1&120=&Submit=submit"
[19/May/2006:13:17:56 +0900] [localhost/sid#2bc0a8][rid#6ef768][/post.html][9] Check took 0 usec
...
Here is the audit log.
...
--29000000-A--
[19/May/2006:13:17:56 +0900] b@zvogrdeZcAAA0EEk8AAAD5 127.0.0.1 3385 127.0.0.1 80
--29000000-B--
POST /post.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://localhost/post.html
Accept-Language: ja,zh-cn;q=0.8,zh-tw;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 185
Connection: Keep-Alive
Cache-Control: no-cache

--29000000-C--
bbsID=feedback&MsgID=12329&threadcode=00006051%21&sticky=0&username=%5C%22&password=1&title=%82%A0%82%A0%82%A0%82%A0%82%A0%82%A0%82%A0%82%A0&msgbody=&img=&file=&dig=1&120=&Submit=submit
--29000000-F--
...
What is wrong with it?
My configuration is like below,
############
LoadModule security_module modules/mod_security/mod_security.so

<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterSelective HTTP_Content-Type \
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
    SecFilterSelective HTTP_Content-Type "^multipart/form-data;" nolog,pass
    SetEnvIfNoCase Content-Type \
    "^multipart/form-data;" "MODSEC_NOPOSTBUFFERING=Do not buffer file uploads"

    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    SecFilterInheritance On
    SecFilterInheritanceMandatory On

    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding On
    #SecFilter DynamicOnly

    # enable version 1 (RFC 2965) cookies
    SecFilterCookieFormat 1
    SecFilterNormalizeCookies On

    # only for Apache2
    #Application error infor disclosure protect
    SecFilterScanOutput On
    SecFilterSelective OUTPUT "Fatal error:" deny,status:406
    ErrorDocument 406 error.html

    #for Apache2 info off
    SecServerSignature Off

    SecFilterDefaultAction "deny,log,status:406"
    SecServerResponseToken On

    # Error rules
   SecFilterSignatureAction log,deny,status:500
   SecAuditLogType Concurrent
   SecAuditLogStorageDir audit_log/
   SecAuditLog audit_log/index
   SecAuditLogParts ABCDEFGHZ
   SecFilterSelective "REQUEST_METHOD" "!(GET|POST|HEAD)"

   # Error rules
   SecFilterSignatureAction log,deny,status:406
   SecAuditEngine On
   SecAuditLogRelevantStatus 200|406|500
   SecAuditLog logs/audit.log
   # You normally won't need debug logging
   <Location /post.html>
   SecFilterDebugLevel 9
   </Location>
   SecFilterDebugLog logs/modsec_debug.log 

SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective POST_PAYLOAD "username=" chain
SecFilter "(username=\\\"&)"

SecFilterSelective POST_PAYLOAD "username=" chain
SecFilter "(username=\\'&)"

</IfModule>
############

When you set 
############
SecFilterSelective POST_PAYLOAD "username=" chain
SecFilter "\\\""
############
instead, then debug log is like below,
...
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][4] Adding parameter: "username"="/\""
...
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][2] Checking signature "\\\"" at POST_PAYLOAD
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][4] Checking against "bbsID=feedback&MsgID=12329&threadcode=00006051!&sticky=0&username=/\"&password=1&title=\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0&msgbody=&img=&file=&dig=1&120=&Submit=submit"
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][9] Check took 0 usec
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][1] Access denied with code 406. Pattern match "\\\"" at POST_PAYLOAD
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][9] Signature check returned 406
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][9] Rule match, returning code 406
[19/May/2006:13:56:17 +0900] [localhost/sid#2bc130][rid#6ef6f8][/post.html][4] Time #2: 31250 usec
...
I can't see where is bad setting.
Thanks.

>> Hi all:
>>
>> I am using mod_security 1.9.2 and Apache 2.0.55(Win32).
>> The server and client OS are Windows XP Pro SP2(Japanese).
>> Client browser is IE 6.0 SP2.
>>
>> Here is my problem. I want mod_security to filter a combined character \"(escape + double quotation).
>> I set modsecurity.conf like below.
>>
>> ##
>> SecFilterSelective POST_PAYLOAD "&ARG_parameter1=" chain
>> SecFilter "&ARG_parameter1=\\\"&"
>> ##
>>
>> I thought that regex patern \\\" can match string \". Unfortunately, It doesn't work at all.
>
>It can, you just need to write the correct rule ;)
>
>Here it is:
>
>  SecFilterSelective ARG_parameter1 "\\\""
>
>
>> But if you set modsecurity.conf like this,
>>
>> ##
>> SecFilterSelective POST_PAYLOAD "&ARG_parameter1=" chain
>> SecFilter "\\\""
>> ##
>>
>> It works well.
>
>Except if parameter1 is the first parameter in the payload, in which
>case it doesn't. It also matches cases when \" appears in some other
>parameter.
>
>-- 
>Ivan Ristic, Technical Director
>Thinking Stone, http://www.thinkingstone.com
>ModSecurity: Open source Web Application Firewall
>

Re: Re[3]: [mod-security-users] escape character problem - mod_security v1.9.2

From: Ivan R. <iva...@gm...> - 2006-05-22 08:48:16

On 5/19/06, gyo...@hi... <gyo...@hi...> wrote:
> Thank Ivan.
>
> I tested this rule.
> ###
> SecFilterSelective ARG_parameter1 "\\\""
> ###
>
> It filters all messages which includes character ",

Ah, sorry, my mistake. We want to use:

SecFilterSelective ARG_parameter1 "\\\\\""

After Apache is done with the parameter (regex pattern) it will
convert "\\\\\"" to \\", which is what you want (since \ is used to
escape characters in regex patterns too).

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re[5]: [mod-security-users] escape character problem - mod_security v1.9.2

From: <gyo...@hi...> - 2006-05-23 00:59:06

Ivan, thanks.
Here is debug log,
...
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Adding parameter: "username"="/\""
...
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][2] Checking signature "username=" at POST_PAYLOAD
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Checking against "bbsID=feedback&MsgID=12329&threadcode=00006051!&sticky=0&username=/\"&password=1&title=\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0&msgbody=&img=&file=&dig=1&120=&Submit=submit"
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Check took 0 usec
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][3] Warning (chained rule). Pattern match "username=" at POST_PAYLOAD
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Signature check returned 403
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Chained rule with match, continue in the loop
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][2] Checking signature "username=\\\\\"&" at ARG("username")
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Checking against "/\""
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Check took 0 usec
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Signature check returned 0
...
It doesn't work yet :(
I also wonder why post form parameter value \" changed to /\". 

When I input string \', I see the debug log is like this,
..
[23/May/2006:09:47:51 +0900] [localhost/sid#2bc130][rid#7079e8][/post.html][4] Adding parameter: "username"="/'"
...
So, it seems character \ to be ignored.

Conan,

>> Thank Ivan.
>>
>> I tested this rule.
>> ###
>> SecFilterSelective ARG_parameter1 "\\\""
>> ###
>>
>> It filters all messages which includes character ",
>
>Ah, sorry, my mistake. We want to use:
>
>SecFilterSelective ARG_parameter1 "\\\\\""
>
>After Apache is done with the parameter (regex pattern) it will
>convert "\\\\\"" to \\", which is what you want (since \ is used to
>escape characters in regex patterns too).
>
>-- 
>Ivan Ristic, Technical Director
>Thinking Stone, http://www.thinkingstone.com
>ModSecurity: Open source Web Application Firewall
>

Re: Re[5]: [mod-security-users] escape character problem - mod_security v1.9.2

From: Ivan R. <iva...@gm...> - 2006-05-23 09:18:41

On 5/23/06, gyo...@hi... <gyo...@hi...> wrote:
>
> When I input string \', I see the debug log is like this,
> ..
> [23/May/2006:09:47:51 +0900] [localhost/sid#2bc130][rid#7079e8][/post.htm=
l][4] Adding parameter: "username"=3D"/'"
> ...
> So, it seems character \ to be ignored.

That's because you are running on Windows. It isn't ignored but it's
converted to a forward slash. It's an implicit anti-evasion measure
that cannot be turned off (unless you change the source code, which is
a perfectly valid approach). Changing your signature to check for /"
should provide results in your case.

FYI, because this implicit anti-evasion is often very annoying (and it
isn't the right way to do things) it has been removed from ModSecurity
2.x (which is currently in beta).

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall