Thread: [mod-security-users] Adding a rule to sanitise a particular GET variable
From: Tom B. <to...@t0...> - 2010-08-27 11:41:30
Hi guys,

Not being all that experienced with mod_sec, I've set out today to read a load of docs, and write a rule to fix a particular hole in a legacy web application.

Here is my rule:

SecRule ARGS:domain_name "!@rx (?i:[[:alnum:]\.\-]+)" "log,deny,msg:'argument to domain_name parameter disallowed'"

At the moment, the rule is triggered if the domain_name variable is blank, but not if I put in something like <script>alert('xss')</script>

The audit log shows this when matching the blank argument:

Message: Access denied with code 501 (phase 4). Match of "rx (?i:[[:alnum:]\\.\\-]+)" against "ARGS:domain_name" required. [msg "argument to domain_name parameter disallowed"]

Can anyone suggest what I'm doing wrong, and how I can ensure that the argument to the domain_name= parameter matches [[:alnum:]\.\-]+ and nothing else.

Thanks.
Tom
From: Tom B. <to...@t0...> - 2010-08-27 11:46:57
Just to note, I removed the exclamation mark to de-invert the match, and it started blocking things I wanted to allow, so I'm doubly confused as to why it's not blocking things I don't want to allow:

GET MyURL.exe?domain_process=domain_overview&domain_action=configure&domain_name=a-domain-name.tld HTTP/1.1
Message: Access denied with code 501 (phase 4). Pattern match "(?i:[[:alnum:]\\.\\-]*)" at ARGS:domain_name. [msg "argument to domain_name parameter disallowed"]

On 27/08/10 12:07, Tom Boland wrote:
> [quoted: Tom's original message above]

_______________________________________________
mod-security-users mailing list
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
From: Ryan B. <RBa...@tr...> - 2010-08-27 12:57:52
Tom,

So you want a regex that will match domain name formats, correct? I recommend that you take a look at one of the higher rated Email regexes like here -

http://regexlib.com/REDetails.aspx?regexp_id=140

You can then just use the end domain matching portion (after the @) and have a rule like this -

SecRule ARGS:domain_name "!@rx (?:^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.(([0-9]{1,3})|([a-zA-Z]{2,3})|(aero|coop|info|museum|name))$)" "log,deny,msg:'argument to domain_name parameter disallowed'"

Test this one out and let me know if it works.

-Ryan

On 8/27/10 7:43 AM, "Tom Boland" <to...@t0...> wrote:
> [quoted: Tom's two messages above]
From: tom <to...@t0...> - 2010-08-27 19:40:21
Hi Ryan,

Thanks for getting back to me so soon. I'm quite happy to keep the rule simple for the moment, and really did just want to know why it wasn't working. I do have more complex rules in the armory so to speak, and will probably do more with mod_sec, which I'm just dipping my toes in to at the moment :)

I can see from the rule that you posted that I was just missing the beginning and end of line specifiers ^$, so that's fixed my rule so that it's matching the things I want it to match now, so thanks for that!

It still seems to let requests through though. I've tried both drop and deny, and the request still hits the webservers that my modsec boxes are acting as proxies for? This is from the audit log:

--31685509-A--
[27/Aug/2010:20:10:38 +0100] 3r6cB38AAAEAADAvI6IAAAAg redacted 46791 redactedIP 444
--31685509-B--
GET /MyAPP.exe?domain_process=domain_overview&domain_action=configure&domain_name=!%C2%A3%22$%C2%A3 HTTP/1.1
Host: control.redacted
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=169308086.959934979.1262112588.1262112588.1262112588.1; SessionID=redacted; ControlPanelSessionID=redacted; domains_per_page=10
--31685509-F--
HTTP/1.1 200 OK
Content-Length: 10794
Content-Type: text/html
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
--31685509-H--
Message: Access denied with connection close (phase 4). Match of "rx (?i:^[[:alnum:]\\.\\-]*$)" against "ARGS:domain_name" required. [msg "argument to domain_name parameter disallowed"]
Action: Intercepted (phase 4)
Apache-Handler: proxy-server
Stopwatch: 1282936238152711 735100 (66 1852 -)
Producer: ModSecurity v2.1.6 (Apache 2.x)
Server: Apache/2.2.3 (Red Hat)
--31685509-Z--

Thanks for all your help!
Tom.

On 27/08/10 13:57, Ryan Barnett wrote:
> [quoted: Ryan's reply and Tom's earlier messages above]
From: Jamuse <ja...@gm...> - 2010-08-28 19:57:29
On Fri, Aug 27, 2010 at 10:40 PM, tom <to...@t0...> wrote:
> [quoted: Tom's message above]
> It still seems to let requests through though,

Hi Tom,

Does ModSec let all requests that match through or just intermittent ones? Did you try increasing the SecDebugLogLevel to clarify what is happening? Also silly question, but is SecRuleEngine set to On?

--
- Josh
From: Tom B. <to...@t0...> - 2010-09-07 09:59:38
Thanks for this reply. I've actually been on holiday for a week, so have only just got to see your mail.

I changed the rule to match the SecDefaultAction in most ways, as well as adding my msg: argument. The rule is working now. I think that not specifying the phase was the problem perhaps? I'm going to re-read the docs to see if I can figure out precisely why I've fixed it anyway :)

SecRule ARGS:domain_name "!(?i:^[[:alnum:]\.\-]*$)" "phase:2,log,deny,status:403,msg:'argument to domain_name parameter disallowed'"

Thanks for all the assistance.
Tom.

On 28/08/10 20:57, Jamuse wrote:
> [quoted: Josh's reply and Tom's message above]
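As an added illustration (not code from the thread or from the ModSecurity project), the following Python script emulates the negated "!@rx" check for the three regex variants that appear in this thread and shows why the unanchored one lets the script tag through. Assumptions: ModSecurity's ARGS are URL-decoded before matching and @rx is an unanchored search, and [[:alnum:]] is rewritten as [A-Za-z0-9] because Python's re module has no POSIX bracket classes.

```python
import re
from urllib.parse import unquote

# PCRE's [[:alnum:]] rewritten as [A-Za-z0-9] (assumption: ASCII domain labels).
UNANCHORED = r"(?i:[A-Za-z0-9.\-]+)"        # Tom's first rule: no ^ or $
ANCHORED_PLUS = r"(?i:^[A-Za-z0-9.\-]+$)"   # anchored, requires at least one char
ANCHORED_STAR = r"(?i:^[A-Za-z0-9.\-]*$)"   # Tom's final rule: empty value allowed


def rule_fires(pattern: str, raw_value: str) -> bool:
    """Emulate `SecRule ARGS:domain_name "!@rx <pattern>" ... deny`.

    ModSecurity URL-decodes ARGS before matching, and @rx behaves like an
    unanchored re.search, so the negated rule fires (blocks) only when the
    pattern matches nowhere in the decoded value.
    """
    value = unquote(raw_value)
    return re.search(pattern, value) is None


def evaluate(raw_value: str) -> dict:
    """Report which of the three variants would block a given raw argument."""
    return {
        "unanchored": rule_fires(UNANCHORED, raw_value),
        "anchored_plus": rule_fires(ANCHORED_PLUS, raw_value),
        "anchored_star": rule_fires(ANCHORED_STAR, raw_value),
    }


# Constructed sample values, taken from what the thread describes.
SAMPLES = [
    "a-domain-name.tld",              # legitimate value, must pass every variant
    "",                               # blank: blocked by +, allowed by *
    "<script>alert('xss')</script>",  # unanchored search still finds "script"
    "!%C2%A3%22$%C2%A3",              # the audit-log value, decodes to !£"$£
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:36} -> {evaluate(raw)}")
```

The unanchored pattern only needs one allowed character anywhere in the value to match, so the negated rule never fires on the XSS payload; anchoring fixes that, and the "*" quantifier in the final rule deliberately lets an empty domain_name through.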