Okay, more data. What's going on in this system I inherited is that I receive a
friendly URL and rewrite it to /index.cfm?404;/[friendly URL]/. This has been
working for decades. The friendly URL pass truncates the body of the form data,
but the rewritten version doesn't (and just happens to correctly fail other
tests I haven't whitelisted yet.)
I attached the WinMerge report comparing the headers of the two to show that
there's really very little that's different.
This one breaks ...
--d25c0000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--d25c0000-B--
POST /featured_vols/description HTTP/1.1
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 2975
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.219992625.1458320050;
CFID=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-267771;
CFTOKEN=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-4eaddd7ee5a61753-DFBE0B9D-9D0A-05B8-72ADDAE8098402E1;
__utma=165789951.219992625.1458320050.1462818223.1462821173.2;
__utmc=165789951;
__utmz=165789951.1462818223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
JSESSIONID=63EE19F6E809FFAF93F6A49EF57E3693.cfusion;
__utma=220594061.606745990.1458227854.1462818276.1462978225.14;
__utmb=220594061.2.10.1462978225; __utmc=220594061;
__utmz=220594061.1458227854.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
Host: my.server.com
Referer: http://my.server.com/featured_vols/description
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Origin: http://my.server.com
Upgrade-Insecure-Requests: 1
--d25c0000-C--
rc+is+knowledgeable%2C+and+kind [which is a segment of my form post starting
further down, truncated so that it doesn't even include the ARG_NAME for this
bit of data, followed by the rest of the post.]
This one works (but fails the tests) ...
--4e120000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--4e120000-B--
POST /index.cfm?404;/featured_vols/description HTTP/1.1
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 11167
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.219992625.1458320050;
CFID=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-267771;
CFTOKEN=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-4eaddd7ee5a61753-DFBE0B9D-9D0A-05B8-72ADDAE8098402E1;
__utma=165789951.219992625.1458320050.1462818223.1462821173.2;
__utmc=165789951;
__utmz=165789951.1462818223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
JSESSIONID=63EE19F6E809FFAF93F6A49EF57E3693.cfusion;
__utma=220594061.606745990.1458227854.1462818276.1462978225.14;
__utmb=220594061.2.10.1462978225; __utmc=220594061;
__utmz=220594061.1458227854.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
Host: my.server.com
Referer: http://my.server.com/featured_vols/description
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Origin: http://my.server.com
Upgrade-Insecure-Requests: 1
X-Original-URL: /featured_vols/description
--dc220000-C--
Description=%3Ch3%3EWelcome+to [... the rest of the full post]
From: Colin MacAllister
Sent: Wednesday, May 11, 2016 11:03 AM
To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RE: [Owasp-modsecurity-core-rule-set] arg name not resolving for large
post value
I added part C (request body) to the audit log, and it also is showing
truncated data. It's actually the entire form data post that is truncated so
that just the last part gets through. But the entire post is received by the
database.
From: Colin MacAllister
Sent: Tuesday, May 10, 2016 1:38 PM
To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: RE: [Owasp-modsecurity-core-rule-set] arg name not resolving for large
post value
Resurrecting this. I'm sure the arg value is being passed from the browser
intact, because it shows up in the database in one piece, and because Firefox
reports that it is being sent in the Developer/Network view.
I've attempted switching back from anomaly scoring mode to
one-strike-you're-out, and am still getting the problem. Should I be having
this conversation with whoever puts out the Windows port of ModSecurity?
From: Colin MacAllister <cmacallis...@probono.net>
Sent: Thursday, May 5, 2016 2:39 PM
To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] arg name not resolving for large
post value
Hi, all,
As I fine-tune my CMS not to bark at me for valid traffic, I've come upon the
following problem. When a rule matches (in anomaly scoring mode, haven't tested
the other way) sometimes part of the value of the argument will come
through as the argument name, not the name itself, in this case, "Blurb."
ARGS_NAMES:rc is knowledgeable, experienced, empathetic, and kind... [followed
by a chunk of the rest of the arg value]
I checked it in the inspector, and indeed the ARG_NAME should be "Blurb". As it
is coming through, of course, it is impossible to check for, as it is variable.
It might be possible to whitelist the last part of the URL path, but I'd rather
not.
Have I found a bug? See the snippet from the audit log I attached to this email.
Title: WinMerge File Compare Report
(rows marked "(identical)" are the same in both files; "(absent)" means the header exists only on the other side)
| Untitled left (--4e120000-) | Untitled right (--d25c0000-) |
| --4e120000-A-- | --d25c0000-A-- |
| [11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80 | (identical) |
| --4e120000-B-- | --d25c0000-B-- |
| POST /index.cfm?404;/featured_vols/description HTTP/1.1 | POST /featured_vols/description HTTP/1.1 |
| Cache-Control: max-age=0 | (identical) |
| Connection: keep-alive | (identical) |
| Content-Length: 11167 | Content-Length: 2975 |
| Content-Type: application/x-www-form-urlencoded | (identical) |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | (identical) |
| Accept-Encoding: gzip, deflate | (identical) |
| Accept-Language: en-US,en;q=0.8 | (identical) |
| Cookie: _ga=GA1.2.219992625.1458320050; CFID=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-267771; CFTOKEN=Z1ykjrnh8rurd9kwjtcny1xlrbk2vcm3wvhlcq9mo2zxexkbmqy-4eaddd7ee5a61753-DFBE0B9D-9D0A-05B8-72ADDAE8098402E1; __utma=165789951.219992625.1458320050.1462818223.1462821173.2; __utmc=165789951; __utmz=165789951.1462818223.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=63EE19F6E809FFAF93F6A49EF57E3693.cfusion; __utma=220594061.606745990.1458227854.1462818276.1462978225.14; __utmb=220594061.2.10.1462978225; __utmc=220594061; __utmz=220594061.1458227854.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); EDITORAREAID=31 | (identical) |
| Host: my.server.com | (identical) |
| Referer: http://my.server.com/featured_vols/description | (identical) |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 | (identical) |
| Origin: http://my.server.com | (identical) |
| Upgrade-Insecure-Requests: 1 | (identical) |
| X-Original-URL: /featured_vols/description | (absent) |
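The two audit-log entries in the thread show the symptom twice over: the friendly-URL request declares Content-Length 2975 but part C holds only a tail fragment of the form body, and that fragment, having no "=" in it, is parsed as an argument name rather than a value. The following script is an added example (editor's code, not from the thread, the CRS project or ModSecurity) that reads entries in the ModSecurity 2.x serial audit-log format, compares the declared Content-Length against the bytes actually logged in part C, and parses the body as a urlencoded form to list the argument names, flagging any name that looks like a value fragment. The two sample entries are constructed to mirror the quoted requests (bodies shortened, values invented); the "suspicious name" pattern is a heuristic of this example, not a ModSecurity rule.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample entries in the ModSecurity 2.x serial audit-log format,
# modelled on the two requests quoted in the thread. Bodies are shortened and
# the field values invented. The first entry keeps the Content-Length the
# thread reports (2975) but carries only a tail fragment of the form body,
# as the audit log in the thread does.
TRUNCATED_ENTRY = """--d25c0000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--d25c0000-B--
POST /featured_vols/description HTTP/1.1
Content-Length: 2975
Content-Type: application/x-www-form-urlencoded
Host: my.server.com

--d25c0000-C--
rc+is+knowledgeable%2C+and+kind
--d25c0000-Z--

"""

INTACT_ENTRY = """--4e120000-A--
[11/May/2016:11:07:11 --0400] 12177733394557306202 69.12.26.106:23691 80 127.0.0.1 80
--4e120000-B--
POST /index.cfm?404;/featured_vols/description HTTP/1.1
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
Host: my.server.com
X-Original-URL: /featured_vols/description

--4e120000-C--
Description=%3Ch3%3EWelcome&Blurb=rc+is+kind
--4e120000-Z--

"""

# Section boundary: --<id>-<letter>-- on a line of its own.
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--\r?\n", re.MULTILINE)
# Heuristic (an assumption of this example, not a ModSecurity rule): genuine
# form field names are short identifiers, so a decoded "name" containing
# spaces or commas is a value fragment that got parsed as a name.
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+$")


def split_parts(entry):
    """Return (entry_id, {part letter: text}) for one serial audit-log entry."""
    pieces = PART_RE.split(entry)
    # re.split with two groups yields [preamble, id, letter, text, id, letter, text, ...]
    entry_id = None
    parts = {}
    for i in range(1, len(pieces) - 2, 3):
        entry_id = entry_id or pieces[i]
        parts[pieces[i + 1]] = pieces[i + 2].rstrip("\r\n")
    return entry_id, parts


def parse_headers(part_b):
    """Split part B into (request URI, {lower-cased header name: value})."""
    request_line, _, raw = part_b.partition("\n")
    fields = request_line.split()
    uri = fields[1] if len(fields) > 1 else request_line
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return uri, headers


def check_entry(entry):
    """Compare the declared Content-Length with the body actually logged in
    part C, and parse that body as a urlencoded form so a truncated body shows
    up both as a length mismatch and as value fragments among the arg names."""
    entry_id, parts = split_parts(entry)
    uri, headers = parse_headers(parts.get("B", ""))
    declared = int(headers.get("content-length", "0"))
    body = parts.get("C", "")
    received = len(body.encode("utf-8"))
    # A pair with no '=' is kept as a name with an empty value, which is how
    # the fragment in the thread surfaced under ARGS_NAMES.
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return {
        "id": entry_id,
        "uri": uri,
        "declared_length": declared,
        "body_length": received,
        "truncated": received < declared,
        "arg_names": names,
        "suspicious_names": [n for n in names if not NAME_RE.match(n)],
    }


def find_truncated(entries):
    """Return the check results for entries whose logged body is shorter than
    the declared Content-Length or whose arg names look like value fragments."""
    results = [check_entry(e) for e in entries]
    return [r for r in results if r["truncated"] or r["suspicious_names"]]


if __name__ == "__main__":
    for r in find_truncated([TRUNCATED_ENTRY, INTACT_ENTRY]):
        print(f'{r["id"]} {r["uri"]}: declared {r["declared_length"]} bytes, '
              f'logged {r["body_length"]}; suspicious ARGS_NAMES: {r["suspicious_names"]}')
```

Run against a real serial audit log by splitting the file at each `--<id>-Z--` boundary and passing the entries to `find_truncated`; an entry that reports `truncated` alongside a long, space-containing "name" is the pattern the thread describes, and comparing the declared and logged lengths across many entries is a quick way to see whether the cut-off is at a fixed byte offset (which would point at a body-size limit) or varies with the request.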
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set