The rules work the same whether the port is 80 or 443. There must be something else going on. I see you are using jakarta-servlet. Perhaps this handler is working differently for HTTPS traffic.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Gagandeep Singh <gagandeeps...@gmail.com>
Date: Fri, 2 Mar 2012 05:53:15 -0600
To: Ryan Barnett <rbarn...@trustwave.com>, "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Mod security is not detecting double headers

We have validated that the Apache Include directives are in the core directives. When we are trying a SQL injection on HTTPS it detects the attack and throws an exception. This means mod-security and CRS are working for HTTPS as well. In the case of the double header this is not working for HTTPS. Do we need to make any changes in the rule set?

Regards
Gagandeep

On Thu, Mar 1, 2012 at 6:40 PM, Ryan Barnett <rbarn...@trustwave.com> wrote:

How do you have the CRS conf files activated in Apache for the port 80 server? If you are using Apache Includes, then you should include them also within your HTTPS/443 vhost container. The other option, if you want to run the CRS for all HTTP and HTTPS sites, is to specify the Apache Include directives in the core directives location instead of further down within specific vhost containers. This will propagate to all vhosts.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Gagandeep Singh <gagandeeps...@gmail.com>
Date: Thu, 1 Mar 2012 18:03:47 +0000
To: <owasp-modsecurity-core-rule-set@lists.owasp.org>, Ryan Barnett <ryan.barn...@owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Mod security is not detecting double headers

Thanks Ryan for your help.

FURTHER ISSUE - it's working for HTTP and we got the below response. Our issue is with HTTPS as well; this rule is not working for HTTPS. Our client has raised a concern for HTTPS. Could you please advise what we can do to enable this for HTTPS as well.

Message: Warning. Pattern match "[\n\r](?:content-(type|length)|set-cookie|location):" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/modsecurity_localrules.conf"] [line "4"] [id "950910"] [rev "2.2.4"] [msg "HTTP Response Splitting Attack"] [data "\x0alocation:"] [severity "ALERT"]
Message: Warning. Pattern match "[\n\r](?:content-(type|length)|set-cookie|location):" at REQUEST_FILENAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "139"] [id "950910"] [rev "2.2.4"] [msg "HTTP Response Splitting Attack"] [data "\x0alocation:"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 40): HTTP Response Splitting Attack"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1330624314422822 1653262 (1471 1258692 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.

On Thu, Mar 1, 2012 at 5:25 PM, Ryan Barnett <ryan.barn...@owasp.org> wrote:

I have pushed CRS v2.2.4 out to SVN and you can access the updated rule file here -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_40_generic_attacks.conf?revision=1900

Here is the updated rule -

SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
        "phase:2,rev:'2.2.4',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.response_splitting_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"

-Ryan

From: Gagandeep Singh <gagandeeps...@gmail.com>
Date: Thu, 1 Mar 2012 17:15:36 +0000
To: <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Mod security is not detecting double headers

Hi

We have configured modsecurity apache_2.6.3 and it's working fine for most of the cases, but we have identified a special attack which is causing a double header injection to the site.

Example:
https://www.XYZ.com/%0d%0aLocation:http://www.google.com

Note - XYZ is any site.

This generates a Duplicate headers error page which is shown below-

Duplicate headers received from the server
The response from the server contained duplicate headers. This problem is generally the result of a misconfigured website or proxy. Only the website or proxy administrator can fix this issue.
Error 350 (net::ERR_RESPONSE_HEADERS_MULTIPLE_LOCATION): Multiple Location headers received. This is disallowed to protect against HTTP response-splitting attacks.

As per the discussion with Bren we came to know that this will be fixed in CRS 2.2.4, but we need this urgently. Is it possible to get the rule for the above issue so we can apply the patch for the time being and apply 2.2.4 as soon as it becomes available?

Could you please also assist on this, what configuration changes are required to handle this?

Regards
Gagandeep Singh Sohi

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Regards,
Gagandeep Singh Sohi
9717920072
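As an added example that is not code from the thread or from the CRS project, the following Python emulates what rule 950910 checks: URL-decode (standing in for Apache, which hands ModSecurity decoded values), apply the rule's t:lowercase transformation, then search the posted regex in each inspected variable. It covers only REQUEST_FILENAME, ARGS_NAMES and ARGS (not cookies or XML); the host www.XYZ.com follows the thread and the request URLs are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Regex of CRS rule 950910 (v2.2.4), exactly as posted in the thread.
SPLIT_RE = re.compile(r"[\n\r](?:content-(type|length)|set-cookie|location):")


def rule_950910(url: str) -> list[tuple[str, str]]:
    """Emulate rule 950910 over REQUEST_FILENAME, ARGS_NAMES and ARGS.

    Percent-decoding here is an assumption of this emulation: Apache already
    decodes the path and query before ModSecurity sees them. The rule's
    transformation chain is t:none,t:lowercase, after which the pattern is
    searched in each variable. Returns (matched_var_name, TX.0) pairs, i.e.
    the values the rule logs via %{matched_var_name} and logdata:'%{TX.0}'.
    """
    parts = urlsplit(url)
    targets = [("REQUEST_FILENAME", unquote(parts.path))]
    # parse_qsl percent-decodes both names and values, mirroring ARGS_NAMES/ARGS.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        targets.append((f"ARGS_NAMES:{name}", name))
        targets.append((f"ARGS:{name}", value))

    hits = []
    for var_name, raw in targets:
        m = SPLIT_RE.search(raw.lower())  # t:lowercase, then the regex
        if m:
            hits.append((var_name, m.group(0)))
    return hits


if __name__ == "__main__":
    # Constructed requests: the one from the thread (XYZ is a placeholder
    # host), a benign one, and the same header-name trick inside an argument.
    for u in (
        "https://www.XYZ.com/%0d%0aLocation:http://www.google.com",
        "https://www.XYZ.com/search?q=hello%20world",
        "https://www.XYZ.com/?next=x%0aSet-Cookie:%20a=b",
    ):
        print(u, "->", rule_950910(u))
```

The first request yields the same matched variable and data ("\x0alocation:" at REQUEST_FILENAME) that the HTTP audit log in the thread shows, which is the behaviour to compare against when the HTTPS vhost stays silent.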