Hi Piotr,
In my experience, you need to use a utf8toUnicode transformation to
properly map UTF8 strings to Unicode before the rule processes the input
as Unicode, as well as fine-tune the urlDecodeUni transformation to
properly normalize Central European Unicode characters.
Add a utf8toUnicode transformation BEFORE decoding the URL,
in order to map the UTF8 string to Unicode BEFORE it is normalized
by urlDecodeUni.
---------------------------------------------------
SecRule "phase:1,id:'981318',t:utf8toUnicode,t:urlDecodeUni,...
---------------------------------------------------
Provide a code point declaration for the urlDecodeUni transformation,
in order to properly normalize Unicode strings (in modsecurity.conf)
---------------------------------------------------
# With the 1250 code point for Central Europe:
SecUnicodeMapFile /etc/modsecurity/unicode.mapping
SecUnicodeCodePage 1250
---------------------------------------------------
See these resources for more info:
http://blog.spiderlabs.com/2011/06/modsecurity-advanced-topic-of-the-week-unicode-mapping-support.html
http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html
Ramy Darwish
On 10/03/2014 00:42, Piotr Gackiewicz wrote:
Hello OWASP,
There is a problem with some characters used in SQL Injection rule:
In rule id:981318, some regex characters are encoded as UTF multibyte
characters.
My testbed:
latest CentOS 6.5
mod_security-2.7.3-2.el6.x86_64 from EPEL
mod_security_crs-2.2.6-3.el6.noarch from EPEL
Problem: rule id:981318 regular expression:
"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)"
is encoded to:
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
This is wrong, as it also catches some valid multibyte characters, such as
the Polish "ę" (\xc4\x99), at the end of the URL arg, i.e. requesting:
http://blah.blah/script?removeins=Odinstaluj+aplikację
audit.log:
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:removeins. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \x99 found within ARGS:removeins: Odinstaluj aplikacj\xc4\x99"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
IMO, this regex should be modified to treat these characters
specially, i.e.:
"(^([\"'`;]|´|’|‘)+|([\"'`;]|´|’|‘)+$)"
With such a regexp in the aforementioned rule, requesting:
http://blah.blah/script?a=’
audit.log:
Message: Access denied with code 403 (phase 2). Pattern match "(^([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+|([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)" at ARGS:a. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \xe2\x80\x99 found within ARGS:a: \xe2\x80\x99"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Regards,
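The false positive Piotr describes, and why both his alternation rewrite and Ramy's "match on code points, not bytes" approach avoid it, can be reproduced offline with Python's re module. This is an added illustration, not code from the thread or from the CRS project; the byte patterns are copied from the two audit-log entries above, and the Unicode variant only approximates the effect of t:utf8toUnicode (it decodes the argument to code points before matching rather than emulating ModSecurity's %uHHHH encoding). Sample arguments are constructed from the two requests in the thread.

```python
import re
from typing import Optional

# Byte-level form of the rule 981318 class as it appears in the audit log.
# Each multibyte character contributes its individual UTF-8 bytes to the
# class, so a lone 0x99 byte (the tail of "ę", \xc4\x99) is also matched.
ORIGINAL_BYTES = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
)

# Piotr's proposed alternation form: each multibyte sequence must match whole.
PROPOSED_BYTES = re.compile(
    rb"(^([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+|([\"'`;]|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+$)"
)

# The original class applied to code points instead of bytes, which is the
# outcome Ramy's t:utf8toUnicode suggestion aims for (approximation, see above).
ORIGINAL_UNICODE = re.compile(r"(^[\"'`´’‘;]+|[\"'`´’‘;]+$)")


def byte_match(pattern: re.Pattern, arg: bytes) -> Optional[bytes]:
    """Return the matched bytes (what the audit log reports as Matched Data)."""
    m = pattern.search(arg)
    return m.group(0) if m else None


def unicode_match(arg: bytes) -> Optional[str]:
    """Decode the argument to code points first, then apply the class."""
    text = arg.decode("utf-8", errors="replace")  # lenient, like a normalizer
    m = ORIGINAL_UNICODE.search(text)
    return m.group(0) if m else None


# Constructed sample inputs: the two argument values from the thread.
POLISH_ARG = "Odinstaluj aplikację".encode("utf-8")  # ends in \xc4\x99
QUOTE_ARG = "’".encode("utf-8")                       # \xe2\x80\x99


def evaluate(arg: bytes) -> dict:
    """Run all three variants over one argument value."""
    return {
        "original_bytes": byte_match(ORIGINAL_BYTES, arg),
        "proposed_bytes": byte_match(PROPOSED_BYTES, arg),
        "original_unicode": unicode_match(arg),
    }


if __name__ == "__main__":
    for arg in (POLISH_ARG, QUOTE_ARG):
        print(arg, evaluate(arg))
```

For the Polish word only the byte-level original class fires (on the single trailing \x99 byte), while all three variants still catch the genuine quote character.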
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set