Hi, I have a question about managing a blocking case with rule 960010.

First, some information about the context:

# Audit log
--7d320124-B--
# Request
POST /foo HTTP/1.1
Host: <domaine>
..
Content-Type: application/foo.bar.v1+json
..
--7d320124-H--
# Trace of blocking action
Message: Access denied with code 406 (phase 2). Pattern match "(.*)" at TX:960010-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-TX:0. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=0, XSS=0): Last Matched Message: Request content type is not allowed by policy"] [data "Last Matched Data: application/foo.bar.v1+json"]
Message: Warning. Operator GE matched 10 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=0, XSS=0): Request content type is not allowed by policy"]
Action: Intercepted (phase 2)

# Rule: 960010 (modsecurity_crs_30_http_policy.conf)
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
    SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
        SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

# Configuration of variable allowed_request_content_type (modsecurity_crs_10_setup.conf)
SecAction \
  "id:'900012', \
  phase:1, \
  t:none, \
  ...
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|text/plain|application/xml|application/x-amf|application/json|application/soap+xml|application/octet-stream|multipart/related', \
  ...
  nolog, \
  pass"

Whitelisting this specific case works with something like this:

SecRule SERVER_NAME <domaine> "chain,phase:1,id:'2414',t:none,nolog,pass,msg:'authorize special content-type'"
    SecRule REQUEST_URI /foo/ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/foo.bar.v1+json'

But the version in the content type will change (foo.bar.v1.1+json, foo.bar.v2+json, ...) and I want to avoid adding a new value for each new version of the application. (I know it is recommended to use a dedicated field for this custom usage.)

To allow multiple versions, I am trying to use a regex in the setvar:'tx.allowed_request_content_type' action, but the regex is escaped:

setvar:'tx.allowed_request_content_type=...|application/foo.bar.v?+json'

# Debug log
[31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][9] Target value: "application/foo.bar.v1+json"
[31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][9] Resolved macro %{tx.allowed_request_content_type} to: ....|application/foo.bar.v1+json
[31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][6] Escaping pattern [^...|application\/foo\.bar\.v\?\+json$]

Is it possible to use a regex in the setvar:'tx.allowed_request_content_type' action (i.e. prevent the regex from being escaped)? Which solution is recommended to cover this case (whitelisting multiple values in the variable allowed_request_content_type without adding each version one by one)?

My environment is CentOS 7, package versions:
mod_security-2.7.3-5.el7.x86_64
modsecurity-crs_2.2.9

Thank you for your help!

--
David GOUDET
LYRA NETWORK
Poste | Service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
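One way to handle the versioned content type without listing every version, added here as an example and not code from the post or from the CRS: since the debug log shows the macro value is escaped when 960010 builds its pattern, keep the allow list literal and instead let a separate phase 1 rule match the versioned vendor type with a regex and append the exact captured value to tx.allowed_request_content_type, so 960010's literal comparison then succeeds. Assumptions: rule id 2415 is unused, `<domaine>` stands for the real virtual host name, and the rule is loaded before modsecurity_crs_30_http_policy.conf (phase 1 rules run in configuration order), as the existing rule 2414 must already be.

```apache
# Added example (not from the original post or the CRS distribution).
# Rather than putting a regex into tx.allowed_request_content_type (the macro result
# is escaped by ModSecurity, as the "Escaping pattern" debug line shows), match the
# versioned vendor type here and append the EXACT captured media type to the allow list.
# Rule 960010 still performs its literal comparison, which now matches for any version.
#
# Assumptions: id 2415 is free, <domaine> is the real vhost name, and this rule is
# loaded before modsecurity_crs_30_http_policy.conf so it runs first in phase 1.
#
# The third rule captures only the media type (the same token 960010 extracts with
# ^([^;\s]+), i.e. before any ";charset=" parameter) and accepts strictly
# application/foo.bar.v<digits>[.<digits>...]+json, so a client cannot inject an
# arbitrary type into the allow list through a crafted Content-Type header.
SecRule SERVER_NAME "@streq <domaine>" \
    "phase:1,id:'2415',t:none,nolog,pass,chain,msg:'allow versioned vendor JSON content-type on /foo'"
    SecRule REQUEST_URI "@beginsWith /foo" "chain"
        SecRule REQUEST_HEADERS:Content-Type \
            "^(application/foo\.bar\.v[0-9]+(?:\.[0-9]+)*\+json)(?:[;\s]|$)" \
            "t:none,capture,setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|%{tx.1}'"
```

With SecDebugLogLevel 9 the "Resolved macro %{tx.allowed_request_content_type}" line should now end with the request's own type (e.g. application/foo.bar.v2+json) and 960010 should no longer raise the anomaly score for that request.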