We have validated that the Apache Include directives are in the core directives. When we try a SQL injection on HTTPS it detects the attack and throws an exception. This means mod_security and the CRS are working for HTTPS as well.

In the case of double headers this is not working for HTTPS. Do we need to make any changes in the rule set?

Regards
Gagandeep

On Thu, Mar 1, 2012 at 6:40 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:
> How do you have the CRS conf files activated in Apache for the port 80
> server? If you are using Apache Includes, then you should include them
> also within your HTTPS/443 vhost container.
>
> The other option, if you want to run the CRS for all HTTP and HTTPS
> sites, is to specify the Apache Include directives in the core directives
> location instead of further down within specific vhost containers. This
> will propagate to all vhosts.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
>
> From: Gagandeep Singh <gagandeeps...@gmail.com>
> Date: Thu, 1 Mar 2012 18:03:47 +0000
> To: <owasp-modsecurity-core-rule-set@lists.owasp.org>, Ryan Barnett <ryan.barn...@owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Mod security is not detecting double headers
>
> Thanks Ryan for your help,
>
> FURTHER ISSUE - it's working for HTTP and we got the below response. Our
> issue is with HTTPS as well; this rule is not working for HTTPS. Our
> client has raised a concern for HTTPS. Could you please advise what we can
> do to enable this for HTTPS as well.
>
> Message: Warning. Pattern match "[\n\r](?:content-(type|length)|set-cookie|location):" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "4"] [id "950910"] [rev "2.2.4"] [msg "HTTP Response Splitting Attack"] [data "\x0alocation:"] [severity "ALERT"]
> Message: Warning. Pattern match "[\n\r](?:content-(type|length)|set-cookie|location):" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "139"] [id "950910"] [rev "2.2.4"] [msg "HTTP Response Splitting Attack"] [data "\x0alocation:"] [severity "CRITICAL"]
> Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 40): HTTP Response Splitting Attack"]
> Action: Intercepted (phase 2)
> Apache-Handler: jakarta-servlet
> Stopwatch: 1330624314422822 1653262 (1471 1258692 -)
> Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
>
> On Thu, Mar 1, 2012 at 5:25 PM, Ryan Barnett <ryan.barn...@owasp.org> wrote:
>> I have pushed CRS v2.2.4 out to SVN and you can access the updated rule
>> file here -
>>
>> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_40_generic_attacks.conf?revision=1900
>>
>> Here is the updated rule -
>>
>> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
>>     "phase:2,rev:'2.2.4',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.response_splitting_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
>>
>> -Ryan
>>
>> From: Gagandeep Singh <gagandeeps...@gmail.com>
>> Date: Thu, 1 Mar 2012 17:15:36 +0000
>> To: <owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Subject: [Owasp-modsecurity-core-rule-set] Mod security is not detecting double headers
>>
>> Hi
>>
>> We have configured modsecurity apache_2.6.3 and it's working fine for
>> most of the cases, but we have identified a special attack which is causing
>> a double header injection to the site.
>>
>> Example :-
>>
>> https://www.XYZ.com/%0d%0aLocation:http://www.google.com
>> Note - XYZ is any site.
>>
>> This generates a Duplicate headers error page which is shown below -
>>
>>> Duplicate headers received from the server
>>>
>>> The response from the server contained duplicate headers. This problem
>>> is generally the result of a misconfigured website or proxy. Only the
>>> website or proxy administrator can fix this issue.
>>>
>>> Error 350 (net::ERR_RESPONSE_HEADERS_MULTIPLE_LOCATION): Multiple
>>> Location headers received. This is disallowed to protect against HTTP
>>> response-splitting attacks.
>>
>> As per the discussion with Bren we came to know that this will be fixed
>> in CRS 2.2.4, but we need this urgently. Is it possible to get the rule for
>> the above issue so we can apply the patch for the time being and will apply
>> 2.2.4 as soon as it becomes available.
>>
>> Could you please also assist on this, what configuration changes are
>> required to handle this?
>>
>> Regards
>> Gagandeep Singh Sohi
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Regards,
> Gagandeep Singh Sohi
> 9717920072
>
> ------------------------------
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.

--
Regards,
Gagandeep Singh Sohi
9717920072

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
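The following is an added example, not part of the thread and not code from the ModSecurity or CRS projects. It re-implements the matching logic of the quoted rule 950910 in plain Python so a reader can see why the request from the thread produces exactly the `[data "\x0alocation:"]` shown in the alert: the rule applies `t:lowercase` and then the operator regex to REQUEST_FILENAME, ARGS_NAMES, ARGS and the cookie variables, and logs the captured text as `%{TX.0}`. Two points are this example's own assumptions rather than ModSecurity internals: the path is URL-decoded once before matching (the alert shows decoded bytes, so decoding has happened by the time the variable is inspected), and cookies are passed as a dict. The function names (`collect_targets`, `evaluate_950910`, `decide`) are hypothetical; the sample requests other than the one copied from the thread are constructed.

```python
"""Emulation of CRS rule 950910 (HTTP Response Splitting) as quoted in the thread.

Added example, not part of the mailing-list thread or of the CRS project.
Assumptions (this example's own, not ModSecurity internals):
  - the request path is URL-decoded once before matching, because the alert in
    the thread shows decoded bytes ("\\x0alocation:") in [data];
  - cookies are passed in as a plain dict instead of being parsed from a header.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Operator pattern exactly as it appears in the quoted SecRule. The rule runs
# t:lowercase first, so the pattern only needs the lowercase header names.
RESPONSE_SPLITTING_RE = re.compile(
    r"[\n\r](?:content-(type|length)|set-cookie|location):"
)


def t_lowercase(value: str) -> str:
    """ModSecurity transformation t:lowercase (t:none before it clears defaults)."""
    return value.lower()


def collect_targets(request_target: str,
                    cookies: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Build (variable name, value) pairs for the rule's variable list:
    REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS.
    XML:/* is omitted because this example has no request body."""
    parts = urlsplit(request_target)
    # Decoded once here (assumption, see module docstring).
    targets = [("REQUEST_FILENAME", unquote(parts.path))]
    # parse_qsl URL-decodes both names and values, like ARGS_NAMES / ARGS.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        targets.append((f"ARGS_NAMES:{name}", name))
        targets.append((f"ARGS:{name}", value))
    for name, value in (cookies or {}).items():
        targets.append((f"REQUEST_COOKIES_NAMES:{name}", name))
        targets.append((f"REQUEST_COOKIES:{name}", value))
    return targets


def evaluate_950910(request_target: str,
                    cookies: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Return one entry per variable the rule fires on: the variable name (what
    %{matched_var_name} expands to) and the captured text (%{TX.0} in logdata)."""
    matches = []
    for var_name, raw in collect_targets(request_target, cookies):
        m = RESPONSE_SPLITTING_RE.search(t_lowercase(raw))
        if m:
            matches.append({"matched_var_name": var_name, "tx0": m.group(0)})
    return matches


def decide(request_target: str, cookies: Optional[Dict[str, str]] = None) -> int:
    """403 when the rule fires, else 200. Simplification: the thread's deployment
    reached its 403 through the CRS anomaly-score threshold, not directly."""
    return 403 if evaluate_950910(request_target, cookies) else 200


# Constructed sample requests. The first is the URL quoted in the thread; the
# others show a benign path containing the word "location:" (no preceding CR/LF,
# so no match) and the same header name preceded by a lone CR inside a query value.
SAMPLES = {
    "thread_example": "https://www.XYZ.com/%0d%0aLocation:http://www.google.com",
    "benign_path": "https://www.XYZ.com/docs/location:header-reference",
    "cr_in_query": "https://www.XYZ.com/redirect?to=%2Fhome%0dLocation:%2Flogin",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label:15s} -> {decide(url)} {evaluate_950910(url)!r}")
```

Running the block reproduces the thread's alert data for the first sample: after one decode and `t:lowercase`, the `\r` is followed by `\n` rather than a header name, so the regex anchors on the `\n` and captures `\nlocation:`, which is the `\x0alocation:` in the log. The benign path does not fire because the pattern requires a line break immediately before the header name, which is what keeps ordinary paths and values containing those words from being blocked.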