> Controversial Paranoia Mode Candidate 950120 (2.2.X) / 931130 (3.0.0rc1)
> msg: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
>
> […]
>
> In my blogpost at
> https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/
> I identified the said rule as one with very few false positives. Walter
> however brought it up as a rule with many false positives.
>
> A wider perspective is thus needed.
>
> Does anybody have anything to add?
To talk about my opinion of this rule a bit, it's super easy to trigger it. Just any text input for a URL will do. For example:

http://example/?url=https://yahoo.com/

That is super common and bound to give various false positives on registration forms, contact forms, blog comment forms, etcetera. Firing on any plain URL submitted in a form? That's a prime example of being paranoid :)

Whether the rule annoys a user depends on the blocking score I guess. I personally block on first sight and think everybody should. As you guys said, with SQLi and XSS you usually get high scores, but with this type of vulnerability you just get one shot.

What could improve false positives?

- I have multiple whitelistings for this rule on ARGS:url. If I was non-paranoid, I would assume that IF a web application accepts a parameter called "url", it's pretty likely that this was intended to be a URL field and not an avenue for RFI. So ARGS:url could be excluded in normal mode.
- From a quick log grep, people absolutely LOVE to do LFI and RFI on parameters like ARGS:page and ARGS:id.

Maybe others have more suggestions. My recommendation would be:

1) Put the full rule in paranoid set
2) In the basic set, clone this rule, but ensure it doesn't work on ARGS:url
3) In the basic set, possibly consider raising the anomaly score if it's sent as ARGS:id, ARGS:page

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
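The three-point recommendation above can be modelled as a small scoring policy. The following Python is an added illustration, not part of Walter's mail and not the CRS rule itself: the off-domain check is an assumed approximation of what rule 950120/931130 does (an absolute URL whose host differs from the request's Host header), the base score of 5 mirrors the CRS critical-severity anomaly score, and the extra 2 points for ARGS:id / ARGS:page and the `paranoid` flag are assumptions standing in for the proposed basic/paranoid split. The sample requests are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed approximation of the rule's trigger: an argument value that is an
# absolute http/https/ftp URL. The real CRS regex is not reproduced here.
ABS_URL = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)

# Base anomaly score for a critical-severity CRS match (CRS convention).
CRITICAL = 5
# Assumed extra score for parameters that log greps show are favourite
# RFI/LFI targets (point 3 of the recommendation).
HIGH_RISK_BONUS = 2
# Parameters that, in the basic set, are assumed to legitimately carry URLs
# (point 2) and parameters that get the bonus (point 3).
BASIC_SET_EXCLUDED = {"url"}
HIGH_RISK_PARAMS = {"id", "page"}


def off_domain(value: str, host_header: str) -> bool:
    """True if value is an absolute URL pointing at a host other than the
    request's own Host header (port stripped, case-insensitive)."""
    if not ABS_URL.match(value):
        return False
    target = urlparse(value).hostname
    own = host_header.split(":")[0].lower()
    return target is not None and target.lower() != own


def score_request(host_header: str, args: dict, paranoid: bool = False):
    """Return (total_anomaly_score, [(param_name, score_added), ...]).

    paranoid=False models the proposed basic set (ARGS:url excluded,
    id/page scored higher); paranoid=True models the full rule."""
    total = 0
    hits = []
    for name, value in args.items():
        if not off_domain(value, host_header):
            continue
        pname = name.lower()
        if not paranoid and pname in BASIC_SET_EXCLUDED:
            continue  # intended URL field: no score in the basic set
        added = CRITICAL
        if not paranoid and pname in HIGH_RISK_PARAMS:
            added += HIGH_RISK_BONUS
        total += added
        hits.append((name, added))
    return total, hits


if __name__ == "__main__":
    # Constructed sample requests against a site whose Host header is example.com.
    samples = [
        ("contact form", {"url": "https://yahoo.com/"}),
        ("suspicious page param", {"page": "http://other.example.org/x"}),
        ("same-domain link", {"id": "https://example.com/item"}),
    ]
    for label, args in samples:
        print(label, "basic:", score_request("example.com", args),
              "paranoid:", score_request("example.com", args, paranoid=True))
```

Blocking on first sight, as the mail advocates, corresponds to acting as soon as `total` reaches the inbound anomaly threshold; with this policy a plain URL in `url` never contributes in the basic set, while the same URL in `page` or `id` scores 7 and clears a threshold of 5 on its own.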
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set