In addition, I want to try something without the apache2 <Location> block, for cross-webserver compatibility.

Due to
  http://comments.gmane.org/gmane.comp.apache.mod-security.user/9988
and
  https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl
this should also be possible:

SecRule REQUEST_URI "^/../login" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"

Now the problem is that I don't know if it should be added before the CRS in
  modsecurity_crs_15_pre_custom.conf
or after the CRS in
  modsecurity_crs_70_post_custom.conf.

Am 29.10.2013 10:48, schrieb Jan Phillip Greimann:
Hi everyone,

The argument 'login[password]' causes many false positives because of
special characters. I didn't want to remove the argument globally, so I
tried to limit it only to our login sites. This could be multiple sites
because of internationalization, for example:

https://www.mydomain.invalid/fr/login
https://www.mydomain.invalid/en/login
https://www.mydomain.invalid/nl/login

So I created the configuration like below, but it doesn't trigger at all.
Did I make a mistake? It works without the Location tags like a charm,
but it isn't good to ignore arguments globally.


Software-Versions:
libapache2-modsecurity 2.7.5
modsecurity-crs        2.2.8
apache2*               2.2.16-6+squeeze11


===============================
~> cat modsecurity_crs_70_post_custom.conf

<Location ~ "^/../login$">
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/XSS" "!ARGS:login[password]"
    SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/LDAP_INJECTION" "!ARGS:login[password]"
</Location>
===============================


Best regards,

Jan

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
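As an added example (not from the thread and not part of the CRS), here is the <Location>-free variant of the exclusion written out in full, with the placement question answered by how the two mechanisms work: a ctl: action is evaluated at runtime for the current transaction and only affects rules that run after it, so it goes in a phase 1 rule loaded before the CRS (the 15_pre_custom file), whereas SecRuleUpdateTargetByTag is resolved at configuration load time against rules that must already exist, so it belongs after the CRS (the 70_post_custom file) and cannot be limited to a URI without the <Location> wrapper. The two-letter language-code regex and the anchoring $ are assumptions based on the example URLs in the thread; tags are the CRS 2.2.x tags quoted in the original rule.

```apache
# Added example, not from the thread: per-URI exclusion of ARGS:login[password]
# without an Apache <Location> block.
#
# --- modsecurity_crs_15_pre_custom.conf (loaded BEFORE the CRS rule files) ---
#
# ctl: actions apply at runtime to the current transaction only, and only to
# rules evaluated after this rule fires. Running it in phase 1, loaded ahead of
# the CRS, guarantees every CRS rule in phases 1 and 2 sees the removed target.
# The pattern assumes two-letter language codes (/fr/, /en/, /nl/) and is
# anchored with $ so that /en/login matches but /en/login/anything does not.
# One ctl: per tag avoids depending on regex matching of the tag argument.
SecRule REQUEST_URI "^/[a-z]{2}/login$" \
    "phase:1,id:2001,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/LDAP_INJECTION;ARGS:login[password],\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/PROTOCOL_VIOLATION/EVASION;ARGS:login[password]"
```

To check it, submit the login form on /en/login with a harmless value containing the characters that used to trip the rules (for example a single quote or angle bracket) and confirm the audit log shows no CRS alert naming ARGS:login[password]; then send the same value in any other parameter, or to a URI outside the pattern, and confirm the alert still appears. That second check is what shows the exclusion stayed scoped to the login pages instead of silently widening.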
