Hey Ervin,

Thanks for the report. It is a combination of the curly and the word 'sort' (https://regex101.com/r/oV5rl6/1). As you noted this is a new rule to the 3.x branch. Put together based on the list available here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/util/regexp-assemble/regexp-932115.txt. There is probably an argument to be made for removing 'sort' from this list. The other item of interest here is ModSecurity's pretty poor job at being able to parse JSON (which this looks to be).

In any event, I think it is something we can probably address. At least for this version (3.0.2) you can either add an exception for that argument to this rule (see below), or rebuild the regex as outlined in the rule.

If you wouldn't mind opening an issue on our GitHub, we'll be able to have a more persistent log of the issue and also be able to reach out to you if we have more questions. If you don't have a GitHub or don't want to take the time I can also do it, just let me know!

Thanks!
SecRule REQUEST_URI "@beginsWith /api/tree" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=932115;ARGS:ExtraParams"

On Tue, May 30, 2017 at 10:19 AM, Ervin Hegedüs <airw...@gmail.com> wrote:
> Hi,
>
> there is an existing web application, which has an API: the
> client sends the requests to the server in a fixed structure, and the
> server answers them. This app has been working for 4 years.
>
> Now I've installed Libmodsecurity, and OWASP CRS (3.0.2).
>
> Here is a client request (HTTP POST)
>
> action filter_tree
> extraParams {"sort":"folderid"}
> node 0
> table tea_user_folders
>
> In extraParams, there could be several keys and values.
>
> ModSecurity bans this request with these lines (in
> audit.log):
>
> ---1InxQ6aA---B--
> POST /api/tree HTTP/1.1
> Referer: http://my.app/
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Accept-Encoding: gzip, deflate
> Cookie: _ga=GA1.2.978766370.1489422665; PHPSESSID=bbfcaq0r0ahruiqn49mjg9bcc6
> Content-Length: 94
> Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
> Accept: */*
> Cache-Control: max-age=0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
> Host: my.app
> Connection: keep-alive
>
> ---1InxQ6aA---D--
>
> ---1InxQ6aA---F--
> Server: nginx/1.6.2
> Date: Tue, 30 May 2017 13:55:47 GMT
> Content-Length: 168
> Content-Type: text/html
> Connection: keep-alive
>
> ---1InxQ6aA---H--
> ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w'\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `ARGS:extraParams' (Value: `{"sort":"folderid"}' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "182"] [id "932115"] [rev "4"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {"sort found within ARGS:extraParams: {"sort":"folderid"}"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [ref "o0,6v621,19"]
> ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
> ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]
>
> ---1InxQ6aA---I--
>
>
> My question is: what can I do?
> - ignore that rule (remove the /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf file?)
> - change the "sort" keyword in the full API (that would be very hard work)? (and what should be the good choice? e.g. "sorting"?)
>
> There isn't any Windows based OS, there are several Linux
> containers, and nginx is a front-end proxy.
>
>
> Many thanks,
>
>
> a.
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Chaim Sanders
http://www.ChaimSanders.com
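Added example, not from the thread or the CRS project: a reduced Python stand-in for rule 932115 that shows why `{"sort":"folderid"}` trips it (the curly, the quote, then the command name 'sort') and that dropping 'sort' from the word list, as Chaim suggests, removes the false positive. The prefix is copied from the audit log above; the 5000+ character command alternation is replaced by a constructed three-word list, and the trailing `\b` is an assumption consistent with the 6-character match (`ref "o0,6..."`) in the log.

```python
import re

# Prefix exactly as shown in the audit log: a separator (;, {, |, ||, &, &&,
# newline, CR, backtick) followed by optional whitespace/quote/paren filler.
PREFIX = r'(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*'


def quote_tolerant(word):
    # 'sort' -> s[\"\^]*o[\"\^]*r[\"\^]*t[\"\^]*  : like the real rule, a quote
    # or caret may sit between any two letters of the command name.
    return ''.join(re.escape(ch) + r'[\"\^]*' for ch in word)


def build_rule(commands):
    # PREFIX + (cmd1|cmd2|...)\b  -- the \b is assumed, not taken from the page.
    alternation = '|'.join(quote_tolerant(c) for c in commands)
    return re.compile(PREFIX + '(?:' + alternation + r')\b')


def matched_data(commands, value):
    # Return what ModSecurity would report as "Matched Data", or None.
    m = build_rule(commands).search(value)
    return m.group(0) if m else None


# Constructed stand-ins for regexp-932115.txt with and without 'sort'.
WITH_SORT = ['sort', 'systeminfo', 'tasklist']
WITHOUT_SORT = ['systeminfo', 'tasklist']

if __name__ == '__main__':
    value = '{"sort":"folderid"}'               # the extraParams value from the report
    print(matched_data(WITH_SORT, value))       # {"sort   (the false positive)
    print(matched_data(WITHOUT_SORT, value))    # None     (after removing 'sort')
    print(matched_data(WITH_SORT, '{"order":"folderid"}'))  # None
```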