Hi Chaim, many thanks for your detailed answer.
On Tue, May 30, 2017 at 09:15:53PM -0400, Chaim Sanders wrote:
> Hey Ervin,
> Thanks for the report. It is a combination of the curly and the word
> 'sort' (https://regex101.com/r/oV5rl6/1). As you noted this is a new rule
> to the 3.x branch. Put together based on the list available here:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/util/regexp-assemble/regexp-932115.txt.
> There is probably an argument to be made for removing 'sort' from this
> list.

Do you propose that I remove the "sort" word from that list and re-assemble the CRS? (I just grabbed the CRS rules, and made a package for my Debian distros.)

> The other item of interest here is ModSecurity's pretty poor job at
> being able to parse JSON (which this looks to be). In any event, I think it
> is something we can probably address. At least for this version (3.0.2) you
> can either add an exception for that argument to this rule (see below),

Thanks, I'll check out your example.

> or
> rebuild the regex as outlined in the rule.

Yep, now I reviewed the rule file, and I found the rebuild flow - thanks.

> If you wouldn't mind opening an
> issue on our GitHub, we'll be able to have a more persistent log of the
> issue and also be able to reach out to you if we have more questions. If
> you don't have a GitHub or don't want to take the time I can also do it,
> just let me know! Thanks!

Thank you - I have a GitHub account (@airween), and I think it would be a bigger help to you if I open a new issue. Just let me know what I should put in the report.

> SecRule REQUEST_URI "@beginsWith /api/tree" \
>     "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=932115;ARGS:ExtraParams"

Thanks again.

And there is another issue with 3.0.2 (but maybe that affects other versions too). The request is similar to the one I detailed in my first post.

The "extraParams" value (JSON field) is this:

extraParams {"node":"3","text":"végső fejezet"}

As you can see, this is a UTF8 text, and the client sends it as UTF8:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate

The encoded URI will be:

extraParams=%7B%22node%22%3A%223%22%2C%22text%22%3A%22v%C3%A9gs%C5%91%20fejezet%22

The characters "é" and "ő" are two-byte UTF8 characters: \xC3\xA9 and \xC5\x91. But in the audit log I get:

ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `ARGS:extraParams' (Value: `{"node":"3","text":"v\xffffffc3\xffffffa9gs\xffffffc5\xffffff91 fejezet","parentNode":"0","tid":"144 (3 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o21,1o22,1o25,1o26,1v921,67t:urlDecodeUni"]

Why is the ValidadeByteRange 1-255? And why does urlDecodeUni convert the UTF8 chars to UTF32? What would be the right way to send legal UTF8 (or UTF32) characters to the server?

(An additional note: I just saw the "ver OWASP_CRS/3.0.0" string now, when I copied the line, but I'm sure I've pulled the 3.0.2:

$ git log
commit e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0
Merge: d46913e 9d2465d
Author: Chaim Sanders <chaim.sand...@gmail.com>
Date:   Fri May 12 13:11:20 2017 -0400

    pushing to v3.0.2
)

Many thanks again!

a.

> On Tue, May 30, 2017 at 10:19 AM, Ervin Hegedüs <airw...@gmail.com> wrote:
>
> > Hi,
> >
> > there is an existing web application, which has an API: the
> > client sends the requests to the server in a fixed structure, and the
> > server answers them. This app has been working for 4 years.
> >
> > Now I've installed Libmodsecurity, and OWASP CRS (3.0.2).
> >
> > Here is a client request (HTTP POST)
> >
> > action filter_tree
> > extraParams {"sort":"folderid"}
> > node 0
> > table tea_user_folders
> >
> > In extraParams, there could be several keys and values.
> >
> > The modsecurity bans this request with these lines (in
> > audit.log):
> >
> > ---1InxQ6aA---B--
> > POST /api/tree HTTP/1.1
> > Referer: http://my.app/
> > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> > X-Requested-With: XMLHttpRequest
> > Accept-Encoding: gzip, deflate
> > Cookie: _ga=GA1.2.978766370.1489422665; PHPSESSID=bbfcaq0r0ahruiqn49mjg9bcc6
> > Content-Length: 94
> > Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
> > Accept: */*
> > Cache-Control: max-age=0
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
> > Host: my.app
> > Connection: keep-alive
> >
> > ---1InxQ6aA---D--
> >
> > ---1InxQ6aA---F--
> > Server: nginx/1.6.2
> > Date: Tue, 30 May 2017 13:55:47 GMT
> > Content-Length: 168
> > Content-Type: text/html
> > Connection: keep-alive
> >
> > ---1InxQ6aA---H--
> > ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w'\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `ARGS:extraParams' (Value: `{"sort":"folderid"}' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "182"] [id "932115"] [rev "4"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {"sort found within ARGS:extraParams: {"sort":"folderid"}"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [ref "o0,6v621,19"]
> > ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
> > ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]
> >
> > ---1InxQ6aA---I--
> >
> >
> > My question is: what can I do?
> > - ignore that rule (remove the /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf file?)
> > - change the "sort" keyword in the full API (that would be very
> >   hard work)? (and what would be a good choice? e.g. "sorting"?)
> >
> > There isn't any Windows based OS, there are several Linux
> > containers, and nginx is a front-end proxy.
> >
> >
> > Many thanks,
> >
> >
> > a.
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
> --
> Chaim Sanders
> http://www.ChaimSanders.com
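An added example, written by the editor and not part of the thread or of the CRS project, that reproduces the two observations above offline on the values quoted in the messages. The form bodies are constructed from the two requests in the thread; the regex is a simplified stand-in built only from the visible prefix of the 932115 pattern (one command word, "sort", instead of the rule's full list) and is not the CRS regex; the byte-range check mimics the 1-255 test named in the log but is not libmodsecurity's code; the sign-extended rendering shows which interpretation of the bytes 0xC3 0xA9 0xC5 0x91 produces the "\xffffffc3" spelling seen in the audit log, without claiming how libmodsecurity builds that line.

```python
"""Offline reproduction of the thread's two findings (editor's example code)."""
import json
import re
from urllib.parse import unquote_to_bytes

# Constructed form bodies modelled on the two requests quoted in the thread.
BODY_SORT = ("action=filter_tree&extraParams=%7B%22sort%22%3A%22folderid%22%7D"
             "&node=0&table=tea_user_folders")
BODY_UTF8 = "extraParams=%7B%22node%22%3A%223%22%2C%22text%22%3A%22v%C3%A9gs%C5%91%20fejezet%22%7D"

# Simplified stand-in for the visible prefix of the 932115 regex: a shell
# metacharacter (here the opening curly), optional quote/space noise, then the
# word 'sort'. The real rule lists many Windows command names; this keeps one.
SORT_AFTER_CURLY = re.compile(r"(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*sort\b")


def raw_arg_bytes(body: str, name: str) -> bytes:
    """Percent-decode one x-www-form-urlencoded argument to raw bytes (no charset step)."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_to_bytes(value.replace("+", " "))
    raise KeyError(name)


def matches_simplified_932115(value: str) -> bool:
    """True when the curly + 'sort' combination Chaim describes appears in the value."""
    return SORT_AFTER_CURLY.search(value) is not None


def byte_range_violations(raw: bytes, lo: int = 1, hi: int = 255) -> list:
    """Mimic a 1-255 byte-range check: offsets of bytes outside [lo, hi].

    UTF-8 continuation and lead bytes lie in 0x80-0xF4, all inside 1-255, so
    well-formed UTF-8 text only fails this check when it contains a NUL (0x00).
    """
    return [i for i, b in enumerate(raw) if not lo <= b <= hi]


def as_sign_extended_hex(raw: bytes) -> str:
    """Render bytes >= 0x80 as a signed 8-bit char widened to 32 bits (two's complement).

    0xC3 becomes \\xffffffc3; this is only to show which reading of the bytes
    yields the spelling in the audit log, not a claim about libmodsecurity.
    """
    out = []
    for b in raw:
        if b >= 0x80:
            out.append("\\x%08x" % ((b - 0x100) & 0xFFFFFFFF))
        else:
            out.append(chr(b))
    return "".join(out)


def analyse(body: str) -> dict:
    """Decode extraParams from a body and report what each check sees."""
    raw = raw_arg_bytes(body, "extraParams")
    text = raw.decode("utf-8")  # the client declared charset=UTF-8
    return {
        "json": json.loads(text),
        "raw_hex": raw.hex(),
        "rce_932115_simplified": matches_simplified_932115(text),
        "byte_range_violations": byte_range_violations(raw),
        "sign_extended_view": as_sign_extended_hex(raw),
    }


if __name__ == "__main__":
    for body in (BODY_SORT, BODY_UTF8):
        print(json.dumps(analyse(body), ensure_ascii=False, indent=2))
```

Running it shows that the first body trips only the simplified 932115 check (the curly followed by a quote and "sort"), while the second body decodes to valid JSON, contains no byte outside 1-255, and renders exactly as `v\xffffffc3\xffffffa9gs\xffffffc5\xffffff91 fejezet` when its high bytes are treated as signed 8-bit values widened to 32 bits.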