We have the rule below in place for sanitizing user passwords; it looks like it is not
working all the time.

      SecAction "phase:5,nolog,pass,sanitiseArg:password,sanitiseArg:newPassword"

What I noticed is that if we send a request with a single XSS or SQLi pattern it is
sanitized; but if we remove the Referer/Accept header, the rules in
modsecurity_crs_21_protocol_anomalies are hit and it is not sanitized,
irrespective of whether there were other pattern matches as well.

This only happens for protocol anomaly issues: if there was a pattern match in
file 21, the password in the POST body is not being sanitized. Has anybody
come across such issues? Any clue on what could be wrong? We use Apache/2.6.8
with ruleset/2.2.5.


--c0462570-A--
[28/Jan/2013:15:48:41 +0000] UQad0gr-ihYAAGfqXUgAAADT 63.78.242.16 56811 
10.255.138.22 4499
--c0462570-B--
POST /mobileservice/authenticate HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) 
Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Scan-Memo: Category="Audit"; 
Function="createStateRequestFromAttackDefinition"; 
SID="ACB328923297B9BDE3F8200E483A3D05"; 
PSID="23B3A87EEBF8C7453E112BF4E4A43265"; SessionType="AuditAttack"; 
CrawlType="None"; AttackType="Search"; 
OriginatingEngineID="63a283c6-6b75-41e3-b0c2-d7b0821c2902"; AttackSequence="0"; 
AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; 
CheckId="4897"; Engine="Fixed"; Retry="False"; 
SmartMode="NonServerSpecificOnly"; ThreadId="270"; 
ThreadType="AuditDBReaderSessionDrivenAudit";
X-StateRequest-Memo: StateID="9734";
X-WIPP: AscVersion="9.20.247.0"
X-Request-Memo: ID="1ee130af-7317-47a3-bb1d-3c85537ce63c"; Sequence="0"; 
ThreadId="59";
Content-Length: 44

--c0462570-C--
userID=user123&password=Happy123&version=2.0

--c0462570-H--
Message: Warning. Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" 
required. [file 
"/cust/docs/config/qa01/mobile/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"]
 [line "84"] [id "960904"] [rev "2.2.5"] [msg "Request Containing Content, but 
Missing Content-Type header"] [severity "NOTICE"]
Message: Warning. Pattern match "^(?i:0|allow)$" at RESPONSE_HEADERS. [file 
"/cust/docs/config/qa01/mobile/crs/base_rules/modsecurity_crs_55_application_defects.conf"]
 [line "151"] [id "981405"] [msg "AppDefect: X-FRAME-OPTIONS Response Header is 
Missing or not set to Deny."] [data "X-FRAME-OPTIONS: "] [tag "WASCTC/WASC-15"] 
[tag "MISCONFIGURATION"] [tag 
"http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options";]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file 
"/cust/docs/config/qa01/mobile/crs/base_rules/modsecurity_crs_60_correlation.conf"]
 [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, 
SQLi=, XSS=): Request Containing Content, but Missing Content-Type header"]
Apache-Handler: proxy-server
Stopwatch: 1359388114515371 6931912 (- - -)
Stopwatch2: 1359388114515371 6931912; combined=2977, p1=303, p2=2010, p3=34, 
p4=82, p5=461, sr=98, sw=87, l=0, gc=0
Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurity.org/); core 
ruleset/2.2.5.
Server: Apache

--c0462570-Z--


Thanks
Subin



Barclaycard
www.barclaycardus.com 


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
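The practical risk in the post is that a credential ends up in clear text in part C of the audit log whenever sanitiseArg does not take effect. As an added example (not from the original post, the CRS, or ModSecurity itself), the script below parses ModSecurity 2.x serial-format audit log entries and reports every sensitive argument whose value was logged unmasked. It relies on ModSecurity's documented behaviour of replacing each character of a sanitised value with an asterisk; the sample log embedded in it is constructed for the example and modelled on the entry quoted above, with made-up transaction IDs and addresses. The names `SENSITIVE_ARGS`, `parse_audit_log` and `find_unsanitised` are the example's own.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: two serial-format audit-log entries modelled on the one in the
# post (IDs, addresses and values are made up). The first entry has its password
# sanitised (ModSecurity masks each character with '*'); the second does not.
SAMPLE_AUDIT_LOG = """--aaaa0001-A--
[28/Jan/2013:15:48:41 +0000] AAAA0001 192.0.2.10 56811 198.51.100.22 443
--aaaa0001-B--
POST /mobileservice/authenticate HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

--aaaa0001-C--
userID=user123&password=********&version=2.0

--aaaa0001-Z--

--aaaa0002-A--
[28/Jan/2013:15:48:42 +0000] AAAA0002 192.0.2.10 56812 198.51.100.22 443
--aaaa0002-B--
POST /mobileservice/authenticate?newPassword=Secret99 HTTP/1.1
Content-Length: 44

--aaaa0002-C--
userID=user123&password=Happy123&version=2.0

--aaaa0002-Z--
"""

# Argument names that must never appear unmasked (compared case-insensitively),
# matching the two names the SecAction in the post tries to sanitise.
SENSITIVE_ARGS = {"password", "newpassword"}

# Part boundary line, e.g. "--c0462570-C--": hex transaction id and part letter.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")


def parse_audit_log(text):
    """Split a serial audit log into {txid: {part_letter: part_body}}."""
    entries = {}
    txid = part = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txid, part = m.group(1), m.group(2)
            entries.setdefault(txid, {})[part] = []
            continue
        if txid is not None:
            entries[txid][part].append(line)
    return {
        t: {p: "\n".join(lines).strip() for p, lines in parts.items()}
        for t, parts in entries.items()
    }


def is_sanitised(value):
    """True when the logged value consists only of the '*' mask ModSecurity writes."""
    return value != "" and set(value) == {"*"}


def request_args(parts):
    """Yield (name, value) for query-string args in part B and body args in part C."""
    request_line = parts.get("B", "").split("\n", 1)[0]
    if " " in request_line:
        uri = request_line.split(" ")[1]
        if "?" in uri:
            yield from parse_qsl(uri.split("?", 1)[1], keep_blank_values=True)
    body = parts.get("C", "")
    if body:
        yield from parse_qsl(body, keep_blank_values=True)


def find_unsanitised(text):
    """Return sorted (txid, arg_name) pairs whose sensitive value was logged in clear."""
    leaks = []
    for txid, parts in parse_audit_log(text).items():
        for name, value in request_args(parts):
            if name.lower() in SENSITIVE_ARGS and not is_sanitised(value):
                leaks.append((txid, name))
    return sorted(leaks)


if __name__ == "__main__":
    for txid, name in find_unsanitised(SAMPLE_AUDIT_LOG):
        print(f"transaction {txid}: argument '{name}' logged unmasked")
```

Run against a real audit log by replacing `SAMPLE_AUDIT_LOG` with the file contents; any hit is a transaction whose credential reached the log unmasked and should be treated as a leak, whichever rule fired. The check reads only the request line and part C, so it does not depend on the H section or on which CRS file produced the alert.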
