Hi Adrián, it works perfectly, thanks :)
2015-09-11 13:18 GMT+01:00 Adrián <adria...@gmail.com>:
> What I am saying is that ModSecurity understands a properly formatted JSON
> request. One that has the Content-Type set to application/json and whose
> body is a JSON object. If you change the content type and the format of the
> body, then it should work.
>
> On Thu, 10 Sep 2015 at 10:17 Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>> Hi,
>>
>> Thank you for your reply.
>> I don't know if I understood correctly. Now if I change the content-type
>> to json, it should work?
>> Thanks
>>
>> 2015-09-10 10:01 GMT+01:00 Adrián <adria...@gmail.com>:
>>> Unfortunately, you are hitting an unsolved issue in ModSecurity:
>>> requests which have a content type other than application/json but include
>>> JSON in some of the parameters. ModSecurity doesn't know how to handle this
>>> and treats the whole argument as one single variable, thus triggering
>>> multiple rules that shouldn't be triggered if the JSON object was parsed
>>> appropriately. There is an issue open on GitHub to support something like
>>> t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
>>>
>>> What you could do is, for those arguments you know are in JSON format,
>>> create a rule that reduces the score of the anomaly detection rules. That
>>> may do the trick for many cases.
>>>
>>> On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassi...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I have this request:
>>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>>>
>>>> with these parameters:
>>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>>>>
>>>> When I execute this request, ModSecurity blocks it.
>>>>
>>>> Log:
>>>>
>>>> --1354a526-A--
>>>> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
>>>> --1354a526-B--
>>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1
>>>> Host: www.abc.com
>>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
>>>> Accept: */*
>>>> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
>>>> Content-Length: 413
>>>> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5; __utma=37027576.1259853019.1435675370.1441795926.1441813263.22; __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576; __utmb=37027576.3.10.1441813263
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>>
>>>> --1354a526-C--
>>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>>>>
>>>> --1354a526-F--
>>>> HTTP/1.1 403 Forbidden
>>>> Content-Length: 296
>>>> Connection: close
>>>> Content-Type: text/html; charset=iso-8859-1
>>>>
>>>> --1354a526-E--
>>>>
>>>> --1354a526-H--
>>>> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:left. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>>> Action: Intercepted (phase 2)
>>>> Apache-Handler: proxy-server
>>>> Stopwatch: 1441813719351394 3237 (- - -)
>>>> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0, p4=0, p5=30, sr=26, sw=0, l=0, gc=0
>>>> Response-Body-Transformed: Dechunked
>>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>>>> Server: Apache/2.2.15 (CentOS) DAV/2
>>>> Engine-Mode: "ENABLED"
>>>>
>>>> --1354a526-Z--
>>>>
>>>> How can I allow a request like this safely?
>>>>
>>>> Thanks
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
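A concrete form of the per-argument exclusion Adrián describes, added here as an illustration; it is not a rule posted to the list nor part of the CRS. In the audit log above it is rule 981173 itself that intercepts the request, which suggests this deployment blocks directly rather than through the collaborative anomaly score, so instead of lowering the score the example removes the two arguments known to carry JSON from that one rule's scope on that one endpoint. It assumes ModSecurity 2.7 or later (the log shows 2.7.3; `ctl:ruleRemoveTargetById` appeared in 2.7.0) and uses `1000001` as a placeholder rule id.

```apache
# Added example (not from the thread): keep CRS 2.2.9 rule 981173 from
# inspecting ARGS:left and ARGS:right on the widget-config endpoint only.
# Every other argument, and every other rule, is still evaluated as before.
#
# Runs in phase 1 so the exclusion is in place before the phase 2 CRS rule
# is evaluated; put it in a local rules file loaded after the CRS includes.
# The id 1000001 is a placeholder chosen for this example.
SecRule REQUEST_FILENAME "@streq /beta/servlet/EspaceClientServlet" \
    "phase:1,id:1000001,t:none,nolog,pass,chain"
    # Second link of the chain: match the query-string Action parameter,
    # so the exclusion does not apply to other actions on the same servlet.
    # The ctl actions only run when the whole chain matches.
    SecRule ARGS_GET:Action "@streq Ajax$SaveWidgetConfig" \
        "t:none,\
        ctl:ruleRemoveTargetById=981173;ARGS:left,\
        ctl:ruleRemoveTargetById=981173;ARGS:right"
```

Keeping the exclusion this narrow matters: `ARGS:left` and `ARGS:right` still pass through all the other CRS rules, and the servlet behind the proxy should still validate the structure it receives. If the application is later changed along the lines Adrián describes, note that the value as currently sent (unquoted keys, single-quoted strings) is not valid JSON, so switching the Content-Type alone would not give ModSecurity a body it can parse; the client-side serialization would need to change as well.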