Hello,

Thanks Chaim - you're right, modsecurity works OK - I do not…

In your example I can update the rule, but where should I place this update,
in an Apache container (for example <Directory>) or add a local.conf file to 
activated_rules?

CRS v3 looks interesting (even in beta) - maybe a stupid question, but how do I update 
the CRS rules to v3?
(now: modsecurity 2.7.7-2, crs 2.9)

Giga thanks, again ;)

Tom Kazm


> Message written by Chaim Sanders <csand...@trustwave.com> on 4 Jul 
> 2015, at 17:37:
> 
> ModSecurity will indeed block HTML tags because they are exactly how 
> HTML injection/XSS is introduced. Sending HTML is often indicative of these 
> vulnerabilities being exploited; in general it is considered poor form/dev to 
> send such content across the wire. However, you can always, easily create 
> exceptions for rules in particular places. Just look at the particular rule 
> that is triggering and the particular parameter that is triggering them and 
> you can add an exception by doing something similar to the following: 
> 'SecRuleUpdateTargetById 950907 !ARGS:test'. For more information see 
> https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/.
> In addition, if you are using CRS 3.0 this feature is already built in; see 
> your config file: 
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/modsecurity_crs_10_setup.conf.example#L420.
> 
> For more detail see the issue that someone opened yesterday about this and my 
> reply, I think it goes into a tad more detail: 
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/235
> 
> Chaim Sanders
> Security Researcher, SpiderLabs
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
> 
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
> Adrián
> Sent: Friday, July 3, 2015 5:12 AM
> To: kazik; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] modsecurity - trouble with 
> SecRequestBodyAccess
> 
> Hi Tom,
> 
> it seems to me that ModSecurity is 'rightly' detecting XSS attempts due to 
> the HTML tags that you submit when creating blog posts. As far as I know, 
> what you would need to do is create exceptions for the URLs and parameters 
> you know contain HTML tags, and if possible make them specific to the tags 
> that your site allows. This is tedious (for lack of a better word) work 
> that comes with the installation of ModSecurity in front of a new 
> application. Keep in mind that the default CRS is generic and doesn't understand the 
> idiosyncrasies of your application, so the rules need adjusting.
> 
> Good luck!
> Adrian
> 
> On Fri., 3 Jul 2015 at 9:35, kazik (<ka...@agape.org.pl>) wrote:
> Hello,
> 
> Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2
> 
> I enabled modsecurity in DetectionOnly mode - default configuration from 
> Ubuntu.
> 
> On our server we have a few sites, CMS (Joomla, WordPress) and our own CMS.
> All of them work with WYSIWYG editors.
> 
> When I set SecRequestBodyAccess On and try to update or create an article,
> there are a lot of errors, especially SQL-injection and XSS.
> 
> But I only update an article, it's not a crime :)
> 
> It looks like modsecurity treats all HTML tags like SQL or XSS attacks;
> is there any special module or parser for that?
> 
> HELP ME, PLEASE :)
> 
> tom kazm
> 
> Example of logs from the apache2 error log:
> 
> [Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
> ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at 
> ARGS:art_lid. [file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
>  [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack 
> Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td 
> valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table 
> class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 
> style=\\x22text-align: center\\x22><span style=\\x22color: 
> rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz 
> si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver 
> "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag 
> "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag 
> "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname 
> "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Warning. Pattern match 
> "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()" at 
> ARGS:art_lid. [file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
>  [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack 
> Detected."] [data "Matched Data: \\x22contentpaneopen\\x22> <tbody> <tr> 
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22><span style=\\x22color: rgb( found within 
> ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> 
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigr..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] 
> [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag 
> "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag 
> "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line
>  "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname 
> "milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
> ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at 
> ARGS:art_lid. [file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
>  [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack 
> Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td 
> valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within 
> ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> 
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] 
> [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag 
> "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag 
> "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ 
> ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at 
> ARGS:art_text. [file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
>  [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack 
> Detected."] [data "Matched Data: \\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within 
> ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 
> src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22
>  /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 
> target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver 
> "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag 
> "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag 
> "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname 
> "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id 
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] 
> [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ 
> /+\\\\t\\"\\\\'`]style[ 
> /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))"
>  at ARGS:art_lid. [file 
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
>  [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack 
> Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span 
> style=\\x22color: rgb(128,0,0)\\x22><a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz 
> si\\xc4\\x99 za 
> granic\\xc4\\x99?</span></a></span><br /> <a 
> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
>  target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej 
> w j\\xc4\\x99zyku polskim? <span 
> style=\\x22color: rgb( found..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] 
> [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag 
> "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] 
> [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
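Added example (editor's note; not code from anyone in this thread) answering the "where do I put it" question at the top of the thread. The rule ids, parameter names and URI come from the log lines quoted above, and the paths follow the Ubuntu 14.04 layout those logs show. The file name, the local rule ids 10001/10002 and the choice of 973300-973399 as the range to relax are my assumptions. Sections 1 and 2 are alternatives, not a pair.

```apache
# /etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_60_local_exceptions.conf
# (file name is an assumption; activated_rules is pulled in with a wildcard
#  Include, which Apache processes in alphabetical order, so "60" loads after
#  modsecurity_crs_41_xss_attacks.conf)

# --- 1. Build-time exception: SecRuleUpdateTargetById -----------------------
# Removes a variable from the target list of an already-defined rule, so it
# must be loaded AFTER the rule it names. Placed in modsecurity.conf, or in a
# file that sorts before *_41_*, it cannot take effect because ModSecurity
# has not seen the rule yet. Apart from that ordering it is accepted in any
# Apache scope (server, vhost, <Location>, <Directory>), so the answer to
# "container or file in activated_rules" is: either, as long as it is parsed
# after the CRS rule.
#
# 973335, 973334, 973333 and 973316 are the ids in Tom's log. All four sit
# in the 9733xx "IE XSS Filters" block, so a range (supported since 2.6,
# assumption: 973300-973399 covers that block) also silences the sibling
# rules that the next article will trip.
SecRuleUpdateTargetById 973300-973399 "!ARGS:art_text"
SecRuleUpdateTargetById 973300-973399 "!ARGS:art_lid"
#
# Caveat: this is global. With Joomla, WordPress and a home-grown CMS behind
# the same Apache, a parameter called art_text is now uninspected on every
# site and every URI. Prefer 2. when the exception should follow the URL.

# --- 2. Run-time exception: ctl:ruleRemoveTargetById ------------------------
# A phase-1 rule that fires only for the admin editor and strips the same
# targets for this transaction only. Phase 1 runs before the phase-2 body
# rules whatever file it sits in, so this form also works from a file that
# loads before the CRS. Local rule ids belong in 1-99999 (CRS 2.x owns
# 900000-999999); 10001 is an arbitrary choice. REQUEST_URI includes the
# query string, hence @beginsWith rather than @streq.
SecRule REQUEST_URI "@beginsWith /admin/index.php" \
    "id:10001,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=973335;ARGS:art_lid,\
    ctl:ruleRemoveTargetById=973334;ARGS:art_lid,\
    ctl:ruleRemoveTargetById=973333;ARGS:art_lid,\
    ctl:ruleRemoveTargetById=973333;ARGS:art_text,\
    ctl:ruleRemoveTargetById=973316;ARGS:art_lid"

# --- 3. Same idea, keyed on tag instead of id --------------------------------
# The log shows one request; the editor will trip other tag-based rules on
# the next one. Rather than chase ids, drop the rich-text field from every
# rule tagged as XSS, still only under /admin. (Run the same again with the
# SQLi tag if those rules fire too; the log excerpt does not show them.)
SecRule REQUEST_URI "@beginsWith /admin/index.php" \
    "id:10002,phase:1,t:none,nolog,pass,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:art_text"
```

Check with `apachectl configtest`, reload, then re-save the same article while SecRuleEngine is still DetectionOnly and confirm the 9733xx lines are gone from the error log before switching to On. The "Execution error - PCRE limits exceeded (-8)" line is a separate problem: the modsecurity.conf-recommended that ships with the Ubuntu package sets SecPcreMatchLimit and SecPcreMatchLimitRecursion to 1000, which an article-sized field exhausts on the IE-filter regexes. Excluding the parameter removes that error too, because the regex no longer runs on it; where large fields stay under inspection, raise the limits rather than ignore the error, since a failed match means the rule gave no verdict on that data.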

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
