Hi, there is an existing web application which has an API: the client sends requests to the server in a fixed structure, and the server answers them. This app has been working for 4 years.

Now I've installed Libmodsecurity and OWASP CRS (3.0.2). Here is a client request (HTTP POST):

action filter_tree
extraParams {"sort":"folderid"}
node 0
table tea_user_folders

In extraParams, there could be several keys and values. ModSecurity bans this request with these lines (in audit.log):

---1InxQ6aA---B--
POST /api/tree HTTP/1.1
Referer: http://my.app/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.978766370.1489422665; PHPSESSID=bbfcaq0r0ahruiqn49mjg9bcc6
Content-Length: 94
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept: */*
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Host: my.app
Connection: keep-alive

---1InxQ6aA---D--

---1InxQ6aA---F--
Server: nginx/1.6.2
Date: Tue, 30 May 2017 13:55:47 GMT
Content-Length: 168
Content-Type: text/html
Connection: keep-alive

---1InxQ6aA---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w'\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `ARGS:extraParams' (Value: `{"sort":"folderid"}' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "182"] [id "932115"] [rev "4"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {"sort found within ARGS:extraParams: {"sort":"folderid"}"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [ref "o0,6v621,19"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]

---1InxQ6aA---I--

My question is: what can I do?
- ignore that rule (remove the /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf file)?
- change the "sort" keyword in the full API (that would be very hard work)? (And what would be a good choice, e.g. "sorting"?)

There isn't any Windows-based OS; there are several Linux containers, and nginx is a front-end proxy.

Many thanks,
a.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
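A targeted rule exclusion for this false positive, as an added example that is not part of the original post or of the CRS distribution. The audit log shows why 932115 fires: its regex treats the opening `{` as a shell separator, skips the `"`, and then reads `sort` as the Windows `sort` command, so the matched data is exactly `{"sort`. That means the alternatives in the post (deleting the whole REQUEST-932 file, or renaming the API key) are both wider than needed; the narrow fix is to stop that one rule from inspecting ARGS:extraParams. The rule id `1000` and the file placement are my choices; the path `/api/tree`, the rule id `932115` and the argument name come from the audit log above.

```apache
# Option A: configure-time exclusion. Put it in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (rename the shipped .example file),
# which nginx must include AFTER the CRS rule files, because it edits a rule that
# has to exist already. Rule 932115 keeps inspecting every other argument; only
# ARGS:extraParams is dropped from its target list, and only for this rule, so
# the SQLi, XSS and other CRS rules still see that parameter. Applies to every URL.
SecRuleUpdateTargetById 932115 "!ARGS:extraParams"

# Option B: runtime exclusion scoped to the one endpoint that sends JSON inside a
# form field. Put it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which loads
# BEFORE the CRS rules. The id 1000 is an arbitrary value in the range CRS leaves
# free for local rules (assumption: no other local rule uses it).
SecRule REQUEST_URI "@beginsWith /api/tree" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932115;ARGS:extraParams"
```

Use one of the two, not both. Option B is the smaller blind spot, because 932115 still covers extraParams on every other endpoint. After reloading nginx, replay the same POST: the 932115 line should be gone from section H, the anomaly score drops from 5 to 0, and 949110 and 980130 no longer fire. If other endpoints later report the same `{"` prefix match, extend the `@beginsWith` path or add a second target the same way rather than removing the rule file.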