This repository has been archived by the owner on May 14, 2020. It is now read-only.

Easy to trigger these rule id blocks just with keywords [932115, 942360] #1725

Open
jeremyjpj0916 opened this issue Mar 25, 2020 · 0 comments

Comments

@jeremyjpj0916
Contributor

Description

Seems many CRS rules rely on keywords without considering the context. See the XML sample below, where just the word select triggers two blocking rules:

Audit Logs / Triggered Rule Numbers

[25/Mar/2020:23:35:05 +0000] 158517930530.743426 10.94.145.56 0 10.128.92.228 8443---kEH6JnYf---B--POST /F5/status HTTP/1.1content-length: 73accept-encoding: gzip, deflatecookie: a059ce45e82c5cab86ab7ac96d4463f7=14e07a82a885a3ca7799c5efc441fc2b; 4232c4f06959cd0cb3a6baf6ea4e6b5f=1106bd9b4cebdab8bb61eba98afc3b11
Accept: */*cache-control: no-cachePostman-Token: af909ee0-f2e7-4c80-a862-9e6b68b55836Host: gateway-dev-core-ctc.optum.comAuthorization: Bearer Y9AH6cbxUkDIcwxEfzeUDv2ukRzDME8WUser-Agent: PostmanRuntime/7.6.1
Content-Type: application/xmlConnection: keep-aliveX-Forwarded-For: 10.94.145.56

---kEH6JnYf---C--
<xml>
<QuestionText>select the decision to be taken</QuestionText>
</xml>

---kEH6JnYf---D--

---kEH6JnYf---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a


---kEH6JnYf---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "279"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversi (1029 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "450"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"][tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref ""]

---kEH6JnYf---J--

Your Environment

  • CRS version (e.g., v3.2.0): CRS 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): nginx
  • Operating System and version: alpine linux

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
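A scoped rule exclusion for the false positive above, added here as an example and not part of the issue or of CRS itself. It assumes the exclusion goes into the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file (it has to run before the rules it tunes), that /F5/status is the only path needing it, and that id 10001 is a free local id (CRS reserves 1-99999 for local rules).

```apache
# Added example, not from the issue. Drop the XML body target from the
# two keyword rules only for the affected endpoint, so the rules keep
# inspecting ARGS, headers and XML on every other path, and the anomaly
# score for this request no longer reaches the PL1 threshold of 5.
#
# Assumptions: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf as the
# location, /F5/status as the only endpoint, 10001 as a free local id.
SecRule REQUEST_URI "@beginsWith /F5/status" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932115;XML:/*,\
    ctl:ruleRemoveTargetById=942360;XML:/*"

# If the same XML element is legitimate everywhere, a site-wide variant
# belongs in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf instead:
#
#   SecRuleUpdateTargetById 932115 "!XML:/*"
#   SecRuleUpdateTargetById 942360 "!XML:/*"
#
# Either way the rules stay active; only the XML:/* target is excluded.
```

After reloading, replay the same POST and check the audit log: the 932115 and 942360 entries should be gone and 949110 should no longer fire for that request.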
