Unfortunately, you are hitting an unsolved issue in ModSecurity: requests which have a content type other than application/json but include JSON in some of the parameters. ModSecurity doesn't know how to handle this and treats the whole argument as one single variable, thus triggering multiple rules that shouldn't be triggered if the JSON object were parsed appropriately. There is an issue open on GitHub to support something like t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
What you could do is, for those arguments you know are in JSON format, create a rule that reduces the score of the anomaly detection rules. That may do the trick for many cases.

On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassi...@gmail.com> wrote:
> Hi,
>
> I have this request:
> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>
> with these parameters:
> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>
> When I execute this request, ModSecurity blocks my request.
>
> Log:
>
> --1354a526-A--
> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
> --1354a526-B--
> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1
> Host: www.abc.com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
> Accept: */*
> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
> Content-Length: 413
> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5; __utma=37027576.1259853019.1435675370.1441795926.1441813263.22; __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576; __utmb=37027576.3.10.1441813263
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
> --1354a526-C--
> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>
> --1354a526-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 296
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --1354a526-E--
>
> --1354a526-H--
> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:left. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> Action: Intercepted (phase 2)
> Apache-Handler: proxy-server
> Stopwatch: 1441813719351394 3237 (- - -)
> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0, p4=0, p5=30, sr=26, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> Server: Apache/2.2.15 (CentOS) DAV/2
> Engine-Mode: "ENABLED"
>
> --1354a526-Z--
>
> How can I allow a request like this safely?
>
> Thanks
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
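As an added example (written for this page, not code from the thread or from the OWASP CRS), here is how the advice above can be expressed for this exact request: one rule that takes the two JSON-carrying arguments out of rule 981173's targets, and one that subtracts the score 981173 added, which is the approach the reply suggests. The endpoint, the argument names left/right and rule ID 981173 come from the audit log above; the rule IDs 100001/100002, the file placement, the regex and the choice of tx.warning_anomaly_score as the amount to subtract are assumptions.

```apache
# Added example, not from the thread. IDs in the 100000 range, file
# placement, the regex and the score macro are assumptions; endpoint,
# argument names and rule ID 981173 are taken from the audit log.

# Option A: stop 981173 from inspecting the two JSON-carrying arguments
# of this one endpoint. ctl:ruleRemoveTargetById applies to the current
# transaction only and must execute before 981173 does, so phase 1 is a
# safe place (ModSecurity 2.7.x supports it). This works whether the CRS
# is in traditional per-rule blocking mode or in anomaly-scoring mode;
# the audit log shows 981173 itself intercepting the request, which is
# what traditional mode looks like. All other CRS rules still run
# against ARGS:left and ARGS:right.
SecRule REQUEST_URI "@beginsWith /beta/servlet/EspaceClientServlet" \
    "phase:1,id:'100001',t:none,nolog,pass,\
    ctl:ruleRemoveTargetById=981173;ARGS:left,\
    ctl:ruleRemoveTargetById=981173;ARGS:right"

# Option B: the score-reducing rule from the reply. It only changes the
# outcome in anomaly-scoring mode, and it must be evaluated after the
# modsecurity_crs_41_*.conf rules and before
# modsecurity_crs_49_inbound_blocking.conf, e.g. from
# modsecurity_crs_48_local_exceptions.conf. The regex is a loose
# "value is a list of object literals" shape check; any value of that
# shape contains far more than four of the characters 981173 counts, so
# 981173 will have fired on it. The setvar runs once per matching
# argument, mirroring 981173, which also scores each argument
# separately. Confirm the macro 981173 uses on line 159 of your
# modsecurity_crs_41_sql_injection_attacks.conf and subtract the same
# one; tx.warning_anomaly_score is assumed here.
SecRule ARGS:left|ARGS:right "@rx ^\s*\{.*\}\s*$" \
    "phase:2,id:'100002',t:none,nolog,pass,\
    setvar:tx.anomaly_score=-%{tx.warning_anomaly_score},\
    setvar:tx.sql_injection_score=-1"
```

Option A is the narrower change and the one to prefer: it exempts exactly one rule for exactly two parameters on one path, and leaves every other SQLi, XSS and protocol rule inspecting those values. Option B is only meaningful when blocking is decided by the 49 rules from tx.anomaly_score; if the engine is blocking directly from 981173 as in the log above, subtracting the score afterwards does not undo the intercept. Whichever you use, re-send the same request and check the audit log's H section: the 981173 entry should be gone (A) or still logged but no longer followed by an Inbound Anomaly Score block (B).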