You know, I should have thought about this to begin with, but that makes perfect sense. Barry, good eye! There is an open ticket right now for indicating when there is a base64 decoding issue; this will be included within ModSecurity v3. Generally spaces are not valid Base64 chars and would have resulted in such a fix firing and saved us all a little bit of headache.

--
Chaim Sanders
Security Researcher
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Barry Pollard <barry_poll...@hotmail.com>
Date: Friday, April 15, 2016 at 8:29 AM
To: "Mansell, Gary" <gary.mans...@ricardo.com>, Chaim Sanders <csand...@trustwave.com>, owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?

OK so the audit log shows this in your header:

    Authorization: Basic Z3JtYXdjYWRtaW46dGVzdA==

The value of the Authorization header is therefore "Basic Z3JtYXdjYWRtaW46dGVzdA==", which cannot be base64 decoded due to that initial "Basic " part, which is not Base64 encoded. This is what you are supposed to send, so nothing wrong with your header, but it explains why your rule is not working, as ModSecurity does not know you only want to base64 decode part of the header.

So you need to write a chained rule to capture the actual base64 encoded part using brackets and "capture", and then base64 decode the TX:1 variable which is captured:

    SecRule "REQUEST_HEADERS:Authorization" "^Basic (.*)$" "phase:1,id:1003,log,capture,chain,deny,status:403"
        SecRule TX:1 "@contains admin" "t:base64Decode"

I've tested this and it seems to work.

Thanks,
Barry

> From: gary.mans...@ricardo.com
> To: barry_poll...@hotmail.com; csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> Date: Fri, 15 Apr 2016 10:37:16 +0000
>
> I added the rule, cleared the logs and logged in again with the grmawcadmin user.
>
> Here are the updated logs as requested.
> ________________________________
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
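The two-step check that Barry's chained rule performs (capture the text after "Basic ", base64-decode only the captured group, then compare the decoded credential) is modelled below in plain Python. This is an added example, not code from the thread and not ModSecurity's own decoder: the strict `validate=True` decode is Python's behaviour, used here only to illustrate Chaim's point that a space is not a valid Base64 character, so decoding the whole header value fails. The header value is the one from Gary's audit log; the blocklist set, the extra headers and the function names are assumptions for the demo. It also goes one step beyond the thread's `@contains admin` by comparing the decoded user-id exactly, so that a password containing "admin" or a user such as "sysadmin" does not trip the rule.

```python
"""Python model of a chained ModSecurity Basic-auth check.

Added example, not code from the mailing list or from ModSecurity.
"""
import base64
import binascii
import re
from typing import Optional

# Same pattern as the first rule in the chain: anchor on "Basic " and
# capture the remainder of the header value (that capture is TX:1).
BASIC_RE = re.compile(r"^Basic (.*)$")

# Hypothetical blocklist of account names that must not log in.
BLOCKED_USERS = {"grmawcadmin"}

# Constructed sample header values (the first one is from the audit log).
SAMPLE_HEADERS = [
    "Basic Z3JtYXdjYWRtaW46dGVzdA==",  # grmawcadmin:test
    "Basic c3lzYWRtaW46cHc=",          # sysadmin:pw
    "Basic Ym9iOmFkbWluMTIz",          # bob:admin123
    "Bearer eyJhbGciOiJub25lIn0.e30.", # not Basic auth at all
    "Basic !!!!",                      # Basic, but not valid base64
]


def decode_whole_header(value: str) -> Optional[bytes]:
    """What the original, un-chained rule effectively tried: decode the
    entire header value. Python's strict decoder rejects the space in
    "Basic ..." (not a Base64 alphabet character), so this returns None."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def capture_credentials(value: str) -> Optional[str]:
    """Step 1 of the chain: the captured group after "Basic ", or None."""
    m = BASIC_RE.match(value)
    return m.group(1) if m else None


def decode_credentials(captured: str) -> Optional[str]:
    """Step 2 of the chain (t:base64Decode applied to TX:1 only)."""
    try:
        return base64.b64decode(captured, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None


def username_of(decoded: str) -> str:
    """Basic credentials are user-id ":" password and the user-id cannot
    contain a colon (RFC 7617), so split on the first one."""
    return decoded.split(":", 1)[0]


def matches_thread_rule(auth_header: str) -> bool:
    """Exact semantics of the posted chain: '@contains admin' on the
    decoded capture. Note it also fires on 'sysadmin' and 'bob:admin123'."""
    captured = capture_credentials(auth_header)
    if captured is None:
        return False
    decoded = decode_credentials(captured)
    return decoded is not None and "admin" in decoded


def decide(auth_header: str) -> str:
    """Return 'deny' or 'allow', comparing the decoded user-id exactly
    against the blocklist instead of substring-matching the credential."""
    captured = capture_credentials(auth_header)
    if captured is None:
        return "allow"  # first rule in the chain did not match
    decoded = decode_credentials(captured)
    if decoded is None:
        return "allow"  # not valid base64; nothing to compare
    return "deny" if username_of(decoded) in BLOCKED_USERS else "allow"


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:40} whole={decode_whole_header(h)!r:6} "
              f"thread_rule={matches_thread_rule(h)!s:5} exact={decide(h)}")
```

Run it and the first column shows that decoding the whole value never succeeds, while the chained capture does; the last two columns show where `@contains admin` and an exact user-id comparison disagree.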