Thank you Josh, but I don't really want to create an exception.
Since it's just one client that triggers this, it's better to help him
configure payment settings for his shop.
So the question would be: where does that "d=d" come from? I can see it's
in a cookie, but why?
Regards
Peter
2014-07-23 11:41, Josh Amishav-Zlatin skrev:
On Wed, Jul 23, 2014 at 12:02 PM, Logg <l...@certitrade.net> wrote:
Hello
We are running a payment system used by webshops. Now one new
client gets a 403; I want to find out why so I can help the client
configure their shop correctly.
modsec logs tell me what rule is triggered, but I can't read out
what data the client sends in.
This only happens to this new client, so I will not modify my
ruleset. I just need to assist our client who is obviously doing
something wrong.
Hi,
If you look at section H below, the _jss_pstor cookie contains the
string d=d which created a false positive on rule 950901. You can use
the SecRuleUpdateTargetById directive to create an exception
(e.g. SecRuleUpdateTargetById 950901 !REQUEST_COOKIES:_jss_pstor).
- Josh
[22/Jul/2014:13:10:37 +0200] U85GrQpABwsAAGYtLgkAAAAC
10.64.7.5 49941 10.64.7.11 443
--ed091d42-B--
POST /webshophtml/e/auth.php HTTP/1.1
Host: our.payment.net
Connection: keep-alive
Content-Length: 951
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://client_webshop.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://client_webshop.se/checkout.php?sl=0&st=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: _jss_popform_1524_count=1;
_jss_pstor=id%3Dda15bb533c3296281a7a3bad96266f93%3Afi%3D1404769754%3Ali%3D1404770148%3Aic%3D5%3Avc%3D1%3Anc%3D9f3d16019cf6fe2b%3A19f22ab828ca19a9cac8b0eed51911c0;
__utma=188767033.1851339114.1404769702.1404769702.1404769702.1;
__utmz=188767033.1404769702.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
X-Forwarded-For: #.#.#.#
--ed091d42-F--
HTTP/1.1 403 Forbidden
Content-Length: 224
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--ed091d42-E--
--ed091d42-H--
Message: Access denied with code 403 (phase 2). Pattern match
"(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\
..." at REQUEST_COOKIES:_jss_pstor. [file
"sec_rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "77"] [id "950901"] [rev "2"] [msg "SQL Injection
Attack: SQL Tautology Detected."] [data "Matched Data: d=d
found within REQUEST_COOKIES:_jss_pstor:
id=da15bb533c3296281a7a3bad96266f93:fi=1404769754:li=1404770148:ic=5:vc=1:nc=9f3d16019cf6fe2b:19f22ab828ca19a9cac8b0eed51911c0"]
[severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"]
[accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag
"OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1406027437541081 3150 (- - -)
Stopwatch2: 1406027437541081 3150; combined=1945, p1=330,
p2=1581, p3=0, p4=0, p5=33, sr=99, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0
(http://www.modsecurity.org/); OWASP_CRS/2.2.7.
Server: Apache
Engine-Mode: "ENABLED"
Regards
Peter Haraldson
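To show where the "d=d" comes from, here is an added Python illustration (not code from the thread or from the CRS project): it reconstructs the visible start of the rule 950901 tautology pattern from the audit log, URL-decodes the cookies the way ModSecurity exposes REQUEST_COOKIES, and reports which cookie value matches. The operator alternatives after the point where the log truncates the pattern are omitted, and Python's ordinary "+" stands in for the possessive "++"; both are assumptions that do not change the result for this cookie.

```python
import re
from urllib.parse import unquote

# Simplified reconstruction of CRS 2.2.7 rule 950901 ("SQL Tautology
# Detected"): <word> <comparison operator> <the same word again>.
# The audit log shows the pattern truncated, so only the operators that
# are visible on the page are included here (assumption).
_F = r"[\s'\"`´’‘()]*?"  # optional quotes, spaces or parens between tokens
TAUTOLOGY_RE = re.compile(
    rf"({_F})([\d\w]+)({_F})(?:=|<=>|r?like|sounds\s+like|regexp)({_F})\2",
    re.IGNORECASE,
)

# Cookie header from section B of the audit log, re-joined onto one line.
COOKIE_HEADER = (
    "_jss_popform_1524_count=1; "
    "_jss_pstor=id%3Dda15bb533c3296281a7a3bad96266f93%3Afi%3D1404769754"
    "%3Ali%3D1404770148%3Aic%3D5%3Avc%3D1%3Anc%3D9f3d16019cf6fe2b"
    "%3A19f22ab828ca19a9cac8b0eed51911c0; "
    "__utma=188767033.1851339114.1404769702.1404769702.1404769702.1; "
    "__utmz=188767033.1404769702.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
)


def parse_cookies(header, decode=True):
    """Split a Cookie header into {name: value}. ModSecurity inspects
    REQUEST_COOKIES URL-decoded, which decode=True mimics; decode=False
    shows what the raw (still percent-encoded) value would look like."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = unquote(value) if decode else value
    return cookies


def tautology_hits(cookies):
    """Return {cookie_name: (matched_text, offset)} for every cookie value
    the pattern matches, i.e. what the log reports as 'Matched Data'."""
    hits = {}
    for name, value in cookies.items():
        m = TAUTOLOGY_RE.search(value)
        if m:
            hits[name] = (m.group(0), m.start())
    return hits


if __name__ == "__main__":
    # The "d=d" is the tail of "id=" followed by the "d" of "da15bb...":
    # a one-letter word, "=", and the same letter again.
    for name, (text, pos) in tautology_hits(parse_cookies(COOKIE_HEADER)).items():
        print(f"{name}: matched {text!r} at offset {pos}")
```

Running it reports `_jss_pstor: matched 'd=d' at offset 1`, and with `decode=False` nothing matches, because the raw value carries `%3D` rather than `=`.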
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set