Hello all, I'm using mod_security 2.7.7 on nginx, and I have a problem with the OWASP CRS/2.2.9:
The rules in modsecurity_crs_30_http_policy.conf that should allow GET, HEAD, POST and OPTIONS always trigger, even for a GET. Similarly, the rule for the Content-Type header won't allow "application/json", even though that should be allowed. These rules have not been edited from their default:

SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \

SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
  SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
  SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

If I try:

  curl -k https://nginx/v2.0

I get:

==> modsec_debug.log <==
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

==> access.log <==
10.154.96.140 - - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 612 "-" "curl/7.33.0"

==> modsec_audit.log <==
10.154.96.140 - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 0 "-" "-" AcALAc5cA9ncAcAcucAcAcAc "-" /20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc 0 1231 md5:41b0733d42240146fc9df3f80ba8936d

# more audit/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc
--b5d00648-A--
[25/Jul/2014:22:57:18 +0000] AcALAc5cA9ncAcAcucAcAcAc 10.154.96.140 63740 127.0.0.1 80
--b5d00648-B--
GET /v2.0 HTTP/1.1
Host: nginx
User-Agent: curl/7.33.0
Accept: */*

--b5d00648-F--
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 612
Connection: keep-alive

--b5d00648-E--

--b5d00648-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Apache-Handler: IIS
Stopwatch: 1406329038000190 555175 (- - -)
Stopwatch2: 1406329038000190 555175; combined=1179, p1=365, p2=592, p3=5, p4=144, p5=73, sr=18, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for nginx (STABLE)/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

--b5d00648-Z--

If I try to request a content-type of application/json (which *should* be allowed), I get the following:

[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][2] Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]

If anyone has any idea then I would be very grateful!!!
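The two policy rules quoted above (960032 and 960010) both compare the request against a tx.* variable expanded at match time, which makes an empty expansion look exactly like the symptom in this post: every method fails "@within" and every media type fails "^...$". The following model of those two rules is an added example, not code from the post or from the CRS project. Its one assumption, labelled in the code, is that a tx.* variable that has not been set when the rule runs expands to the empty string (for instance because the SecAction that defines it was not loaded before the policy rules); the setvar values are copied from the post's SecAction 900012.

```python
"""Offline model of CRS 2.2.9 rules 960032 and 960010 as quoted in the post.

Added example, not the project's code.  Assumption: a tx.* variable that is
unset at match time expands to "" (the empty string).
"""
import re

# setvar values copied from the SecAction id:900012 quoted in the post
TX_DEFAULTS = {
    "tx.allowed_methods": "GET HEAD POST OPTIONS",
    "tx.allowed_request_content_type": (
        "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
        "application/xml|application/x-amf|application/json"
    ),
}


def expand(tx, name):
    """%{tx.name} macro expansion; unset variables become "" (assumption)."""
    return tx.get(name, "")


def within(needle, haystack):
    """ModSecurity @within: the variable must appear as a substring of the
    operator argument.  Note the substring semantics: "EAD" would also pass."""
    return needle in haystack


def rule_960032_fires(method, tx):
    """SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" ..."""
    return not within(method, expand(tx, "tx.allowed_methods"))


def rule_960010_fires(method, content_type_header, tx):
    """Three-rule chain: body-less methods are exempt, the media type before
    any ';' is captured into TX:0, then TX:0 must match the allow-list."""
    if re.match(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", method):
        return False            # first link does not match, chain stops
    m = re.match(r"^([^;\s]+)", content_type_header or "")
    if not m:
        return False            # nothing captured, chain stops
    captured = m.group(1)
    # @rx is unanchored (search), so the expanded alternation "^a|b|c$" is
    # reproduced faithfully with re.search rather than re.match
    pattern = "^" + expand(tx, "tx.allowed_request_content_type") + "$"
    return re.search(pattern, captured) is None


def evaluate(method, content_type_header, tx):
    """Return the ids of the policy rules that would fire for this request."""
    fired = []
    if rule_960032_fires(method, tx):
        fired.append("960032")
    if rule_960010_fires(method, content_type_header, tx):
        fired.append("960010")
    return fired


if __name__ == "__main__":
    # constructed sample requests: (method, Content-Type header)
    samples = [
        ("GET", None),
        ("POST", "application/json; charset=utf-8"),
        ("POST", "text/plain"),
        ("TRACE", None),
    ]
    for tx_name, tx in (("variables set", TX_DEFAULTS), ("variables unset", {})):
        print(tx_name)
        for method, ctype in samples:
            print("  %-5s %-32s -> %s" % (method, ctype, evaluate(method, ctype, tx)))
```

With the variables populated, only TRACE and text/plain trip the rules; with the variables empty, a plain GET trips 960032 and a POST with application/json trips both, which is the pattern shown in the debug log above. A practical check when these two rules fire on allowed values is therefore whether the file containing SecAction 900012 is actually included, and included before modsecurity_crs_30_http_policy.conf, in the nginx ModSecurity configuration.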
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set