Colin,

This is funny, indeed.

The audit-log states, the "rc+is+knoowledgeable%2C+experienced%2C..." does not have a variable name. So either

(a) your browser did not send the name (and inspector lied to you)
(b) you discovered a bug
(c) the request body limit(s) is very low and you have processPartial enabled and the beginning of the argument is cut, rather than the end.

(c) is highly speculative and I doubt that would be the behaviour in that particular case.

What is puzzling me is that the response body documented in the audit log is indeed shorter (2930) than the 2975 announced in that request's headers.

What to do? I think you need to sniff the traffic. Try and reproduce the behaviour in cleartext and then use wireshark / tcpdump to sniff it. If you are not proficient with the said tools, here is how you could dump it clientside or serverside with tcpdump:

    $> tcpdump -A -s0 port 80

That should give you clear proof of what is happening.

Keep us posted, please!

Christian

On Thu, May 05, 2016 at 06:29:36PM +0000, Colin MacAllister wrote:
> Hi, all,
>
> As I fine-tune my CMS not to bark at me for valid traffic, I’ve come upon the
> following problem. When a rule matches (in anomaly scoring mode, haven’t
> tested the other way) sometimes part of the value of the argument will
> come through as the argument name, not the name itself, in this case, “Blurb.”
>
> ARGS_NAMES:rc is knowledgeable, experienced, empathetic, and kind… [followed
> by a chunk of the rest of the arg value]
>
> I checked it in the inspector, and indeed the ARG_NAME should be “Blurb”. As
> it is coming through, of course, it is impossible to check for, as it is
> variable. It might be possible to whitelist the last part of the URL path,
> but I’d rather not.
>
> Have I found a bug? See the snippet from the audit log I attached to this
> email.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
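The two symptoms discussed in this thread (a value fragment listed as an argument name, and a logged body shorter than the announced Content-Length) can be checked together on a captured body. The following is an added example, not part of the original emails and not ModSecurity's own parser: it uses a simplified model of urlencoded parsing, and the function names and sample body are constructed for illustration.

```python
from urllib.parse import unquote_plus

def parse_urlencoded(body: str):
    """Split a form body into (name, value, has_equals) tuples.

    Simplified model (assumption): segments are split on '&', then on the
    first '='. A segment without '=' becomes a name with an empty value,
    which is how a value fragment can show up under ARGS_NAMES.
    """
    pairs = []
    for segment in body.split("&"):
        if not segment:
            continue
        name, sep, value = segment.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value), bool(sep)))
    return pairs

def diagnose(content_length: int, logged_body: str):
    """Compare the announced length with the logged body and list
    every segment that arrived without a 'name=' part."""
    logged_len = len(logged_body.encode("utf-8"))
    nameless = [n for n, _, has_eq in parse_urlencoded(logged_body) if not has_eq]
    return {"missing_bytes": content_length - logged_len, "nameless": nameless}

# Constructed sample body (not taken from the audit log in this thread).
FULL_BODY = "Title=Dr&Blurb=Our+doctor+is+kind%2C+patient&Phone=555"
# Simulate the start of the body being lost before it is parsed and logged.
CUT = len("Title=Dr&Blurb=Our+do")
LOGGED_BODY = FULL_BODY[CUT:]

if __name__ == "__main__":
    # Intact body: lengths agree and every segment has a name.
    print(diagnose(len(FULL_BODY), FULL_BODY))
    # Truncated at the front: bytes are missing and the remainder of the
    # Blurb value is reported as a nameless segment, while Phone is intact.
    print(diagnose(len(FULL_BODY), LOGGED_BODY))
```

Feeding it the Content-Length header value and the request body section of an audit log entry shows whether a nameless segment coincides with missing bytes, which separates a truncated body from a client that never sent the name.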