Hi, this is a typical "header injection" attack. AFAIK CRS has no special rules for that. What best fits is the HTTP Response Splitting rule 950911, but it is far too specific to match in this case.
I'd suggest crafting a new set of rules for header injections. Also, a variant of your example would be the meta tag, if the application writes the parameter there. In OWASP Top 10 (2013) this is A1 and A10.

Ciao
Achim

On 03.03.2015 06:23, Christian Folini wrote:
> Hi there,
>
> Lately, I have encountered a successful redirect attack on an
> application server protected by ModSec / CoreRules.
>
> Here is the request against a vanilla ModSec install
> (2.9.0, latest core rules):
>
> $> curl -v "http://localhost/submit?file=foo.txt%0D%0ARefresh:%201;%20url=http:www.example.com"
>
> Here is the only rule that triggers:
>
> 981173 Restricted SQL Character Anomaly Detection Alert - Total # ...
>
> [Tue Mar 03 06:11:40.733143 2015] [:error] [pid 983:tid 139737876645632]
> [client 127.0.0.1] ModSecurity: Warning. Pattern match
> "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}"
> at ARGS:file. [file
> "/core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id
> "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert -
> Total # of special characters exceeded"] [data "Matched Data: : found within
> ARGS:file: foo.txt\\x0d\\x0aRefresh: 1; url=http:www.example.com"] [ver
> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "Local Lab Service"]
> [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri
> "/submit"] [unique_id "VPVCjH8AAQEAAAPXe50AAAAH"]
>
> This brings a score of 3, which is really low and below a sane
> limit for the said legacy app, which had to be tuned in far too
> many aspects already.
>
> Does anybody have a good idea on how to protect against this
> _class_ of attacks? Obviously, it's a weak spot for the core rules.
> Maybe an extension is due.
>
> Ahoj,
>
> Christian

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
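The check a dedicated rule for this attack class would have to perform, written out as an added example that is not part of this thread or of the OWASP CRS project: decode each query argument, then flag a CR/LF in it, with a stronger verdict when the line break is followed by a header-shaped "Name:" token as in the Refresh payload above. The first URL in SAMPLE_REQUESTS is the request from Christian's report; the other three, the function names and the reason strings are constructed here for illustration.

```python
"""Detector for CR/LF header injection (response splitting) in request
arguments.

Added example, not code from the mailing-list thread or from the OWASP CRS
project. The first sample URL is the one from the report; the rest are
constructed to cover double encoding, a bare newline and a benign request.
"""

import re
from urllib.parse import unquote, urlsplit

# Any raw CR or LF in a decoded argument. Almost never legitimate in a value
# that an application copies into a Location, Refresh or Set-Cookie header.
CRLF_RE = re.compile(r"[\r\n]")

# Stronger signal: a line break followed by something shaped like an HTTP
# header name and a colon ("Refresh:", "Set-Cookie:", "Location:").
HEADER_AFTER_BREAK_RE = re.compile(r"(?:\r\n|\r|\n)[ \t]*[A-Za-z][A-Za-z0-9-]*[ \t]*:")

SAMPLE_REQUESTS = [
    # From the report on this thread.
    "http://localhost/submit?file=foo.txt%0D%0ARefresh:%201;%20url=http:www.example.com",
    # Constructed: double URL-encoded CRLF that a single decode pass would miss.
    "http://localhost/submit?file=foo.txt%250D%250ASet-Cookie:%20session=attacker",
    # Constructed: a bare newline with no header-shaped text after it.
    "http://localhost/submit?comment=hello%0Aworld",
    # Constructed: benign request.
    "http://localhost/submit?file=report-2015.txt",
]


def decode_args(url):
    """Return (name, value) pairs for the query string of `url`.

    The query is split on '&' only (some parsers also split on ';', which
    would hide part of the Refresh payload), and each value is percent-decoded
    twice so that the double-encoded form %250D%250A -> %0D%0A -> CRLF is seen
    the way the application would see it after its own decode.
    """
    pairs = []
    for part in urlsplit(url).query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), unquote(unquote(value))))
    return pairs


def find_header_injection(url):
    """Return a list of (argument name, reason) findings for one request URL."""
    findings = []
    for name, value in decode_args(url):
        if HEADER_AFTER_BREAK_RE.search(value):
            findings.append((name, "line break followed by header-like token"))
        elif CRLF_RE.search(value):
            findings.append((name, "bare CR/LF in argument"))
    return findings


def safe_header_value(value):
    """Application-side fix: refuse to put a value containing CR or LF into a
    response header. Rejecting is preferable to stripping: a stripped value
    silently differs from what the caller intended, and a strip that removes
    only CRLF still lets a lone LF through, which many servers accept as a line
    terminator."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF not allowed in header value")
    return value


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(url)
        for name, reason in find_header_injection(url) or [("-", "clean")]:
            print(f"  {name}: {reason}")
```

Expressed as a ModSecurity 2.x rule, the same test would be roughly `SecRule ARGS "@rx (?:\r|\n)[ \t]*[A-Za-z][A-Za-z0-9-]*[ \t]*:" "id:1000001,phase:2,t:none,t:urlDecodeUni,deny,log,msg:'Header injection in request argument'"`; the id is a placeholder in the local range, and since the engine has already decoded ARGS once, the single t:urlDecodeUni is what catches the double-encoded variant. A looser rule on `[\r\n]` alone will fire on legitimate multi-line textarea input, so it belongs on a lower score or on a restricted set of parameters.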