We can certainly change the default, but certainly the idea is that users will actually go through the configuration file and change it to their liking. One of the things particularly of interest here is that 920350 will always fire if you are using IP access anyway - this is most certainly confusing to first time users - I'd be nice to think of a good solution, since this rule, when a domain is in use, is a really effective rule. -- Chaim Sanders Security Researcher
Trustwave | SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org>> on behalf of Walter Hop <mod...@spam.lifeforms.nl<mailto:mod...@spam.lifeforms.nl>> Date: Sunday, June 5, 2016 at 7:02 AM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] rule 920350 - "host header is a numeric ip address" - redirect loop using default 3.0.0 conf It looks to me that rule 920350, "Host header is a numeric IP address" (REQUEST-20-PROTOCOL-ENFORCEMENT.conf) will cause a redirect loop when combined with the default "modsecurity_crs_10_setup.conf" action.. SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host:<http://scanmail.trustwave.com/?c=4062&d=3IzU13mVgqBUXoqE6Tbxbpqy708ilxnGznm-IuvyRg&s=5&u=http%3a%2f%2f%25%7brequest%5fheaders%2ehost%7d%2f%27%2ctag%3a%27Host%3a> %{request_headers.host}'" SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host:<http://scanmail.trustwave.com/?c=4062&d=3IzU13mVgqBUXoqE6Tbxbpqy708ilxnGznm-IuvyRg&s=5&u=http%3a%2f%2f%25%7brequest%5fheaders%2ehost%7d%2f%27%2ctag%3a%27Host%3a> %{request_headers.host}'" request_headers.host will always be the IP address, and the rule therefore will keep firing. 1. Is this the intended action even for this rule? 2. Is there a way to override the action for this (or any specific) rule? It seems like this could really hammer a site unintentionally, especially if you have a browser that isn't catching the redirect or some other script?? You make a very good point. It's a bigger problem and not restricted to this rule though. I think the redirect loop will also happen if the client has been blocked due to a cookie. After all, the client will usually re-send the same cookie on the redirect to the homepage. And I think it will then redirect again and again. I'd have to check to make sure though. Personally I am not a fan of doing this redirect in case of a block. I can see how the redirect would be an interesting choice for some sites. An error page might scare the visitor too much. If they get thrown back to the homepage, that is still extremely frustrating, but they might re-try their request in some other way. At the other hand, it seems much better to configure a friendly error page and send the customer to a "report the problem, what did you do?" form which will help ironing out false positives much better. I would prefer that the default would be to just serve an error 403, but leaving the redirect as a commented-out example. What do others think? -- Walter Hop | PGP key: https://lifeforms.nl/pgp<http://scanmail.trustwave.com/?c=4062&d=3IzU13mVgqBUXoqE6Tbxbpqy708ilxnGziy9IOynEQ&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp> ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
