[Owasp-modsecurity-core-rule-set] [mod-security-users] Posting HTML contents
Ryan Barnett
ryan.barnett at breach.com
Thu Nov 5 08:42:46 EST 2009
On Thursday 05 November 2009 05:23:07 am Fabian Martintoni wrote:
> First of all thanks for the answer.
>
> I'm using Gentoo, and upgrading from mod_security version 2.5.9 to
> 2.5.10-r1 fired the hell. I didn't notice anything before. Probably this was
> caused by mod_deflate [msg "ModSecurity does not support content
> encodings"]
>
No I don't think it was a mod_deflate issue but rather improved security
coverage for CRS v2. We improved the XSS identification considerably in the
newer version. In the previous versions, XSS detection was pretty poor and
had some serious false negative/bypass issues. Check out this blackhat XSS
bypass preso in which they highlight older CRS issues -
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
> Now there are a whole lot of webapps who stopped working. I've just found
> another one: impossible to login in dev-db/phppgadmin-4.2.2.
>
Are you using the default anomaly scoring approach? What scoring threshold do
you have set? You can easily add exception rules to increase the score or
only inspect certain categories of issues for certain locations as well - say
for your phppgadmin login.
> I confess, the first thought was about removing mod_security.
>
Please don't go that route! We went to great lengths with CRSv2 so that it
will be easier for users to do exceptions. You can either raise the overall
anomaly scoring threshold or you can get granular and handle false positives
in the exception file. Take a look at some of the examples in the 48 local
exceptions file for help.
> There are many strong restrictions even in the naming of the form fields. I
> know, security is expensive, I can live with that but I need to allow
> trusted users to send html content through forms.
>
How are these *trusted* users identified? By source IP or username or
something? Whatever it is, you can configure the rules to be more lenient for
them or to let them bypass the rules altogether.
> I write in PHP and JSP so I'm looking for an all-inclusive solution (but I
> gave a short look at HTMLpurifier and it seems to me an interesting
> product).
>
> AntiSamy Project is very interesting too! And I will surely take a serious
> look in the future, but right now I need a more immediate solution.
>
> To disable a whole vhost it is possible to add SecRuleEngine Off in <Directory
> > but I won't go that far. Is there any whitelist? A list of files which would
> be skipped by the security engine?
>
You can always add whitelist directives to a new
modsecurity_crs_15_local_exceptions.conf file. The rules in this file would
execute before all of the other rules and would allow you to use either the
ctl:ruleEngine=Off or allow:request actions. I prefer the latter as it would
still allow outbound inspection.
Hope this helps.
> Many thanks,
> Fabian
>
> In data martedì 3 novembre 2009 15:41:30, hai scritto:
> > Fabian,
> > This is a CRS issue so for future issues please use the OWASP CRS
> > mail-list
> > (https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >) . I am cross-posting this to both lists.
> >
> > You bring up an important and challenging issue related to detecting XSS
> > attacks and that is how to identify malicious payloads while still
> > allowing benign html content. Here are a few items to consider -
> >
> > 1) For the CRS v2 - you can add some exception rules to the 48 local
> > exceptions file so that you can adjust the anomaly score based on the
> > authorized page/parameter you have for the FCKeditor app, etc. If
> > you send some audit log data related to these html posts, I could show
> > you a more specific exception example.
> >
> > 2) What language is your app written in? If it is php - then you could
> > look at installing something like htmlpurifier to help weed out bad html
> > from good html - http://htmlpurifier.org/
> >
> > 3) On a similar front - look at something like the OWASP AntiSamy app.
> >
> > Hope this helps,
> > Ryan
> >
> > ________________________________________
> > From: Fabian Martintoni [assistenza at alfait.org]
> > Sent: Tuesday, November 03, 2009 8:29 AM
> > To: mod-security-users at lists.sourceforge.net
> > Subject: [mod-security-users] Posting HTML contents
> >
> > Hi all,
> > today I've upgraded modsecurity to 2.5.10-r1 and more than half of my web
> > applications are giving me headache.
> >
> > The more troublesome issue is (at least for now) that I cannot understand
> > how I can send HTML contents with a form...
> >
> > For example... I have a form with a wysiwyg editor (FCKeditor, TinyMce
> > etc) how can I allow him to send his data? Every try is blocked by
> > modsecurity:
> >
> > [msg "Detects obfuscated script tags and XML wrapped HTML"]
> > [msg "Detects basic directory traversal"]
> > [msg "finds attribute breaking injections including obfuscated attributes"]
> > [msg "finds html breaking injections including whitespace attacks"]
> > [msg "Detects possibly malicious html elements including some attributes"]
> >
> > I really need help on this thing, please.
> >
> > Fabian
> >
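The exception approaches Ryan describes (a local exceptions file loaded before the CRS, `allow:request` versus `ctl:ruleEngine=Off`, and adjusting the anomaly score for a specific location), written out as an added example that is not from the thread or from the CRS itself. It assumes ModSecurity 2.5.x syntax, the CRS v2 `tx.anomaly_score` variable with a critical-severity weight of 5, and placeholder paths and addresses.

```apache
# modsecurity_crs_15_local_exceptions.conf (hypothetical file name from the thread;
# it sorts before the other CRS files, so these rules run first).
# Added example, not CRS code. Paths, the IP range and the score weight are assumptions.

# (a) Trusted editors identified by source address. "allow:request" stops the
#     request-phase rules only, so the outbound (response) rules still run.
#     192.0.2.0/24 is a documentation range standing in for the real office network.
SecRule REMOTE_ADDR "@rx ^192\.0\.2\." \
    "phase:1,t:none,nolog,pass,allow:request"

# (b) A single handler that legitimately receives HTML (the editor's save script).
#     Scoped to one file so the rest of the application keeps full inspection.
SecRule REQUEST_FILENAME "@streq /cms/editor/save.php" \
    "phase:1,t:none,nolog,pass,allow:request"

# (c) The weaker alternative Ryan mentions: turning the engine off entirely for a
#     location. This also disables outbound inspection, which is why (a)/(b) are preferred.
# SecRule REQUEST_FILENAME "@beginsWith /phppgadmin/" \
#     "phase:1,t:none,nolog,pass,ctl:ruleEngine=Off"

# (d) phppgadmin login: instead of a blanket allow, pre-credit the anomaly score by
#     one critical hit (5, assumed) so a single XSS signature on the login form no
#     longer crosses the blocking threshold while anything noisier still does.
SecRule REQUEST_FILENAME "@streq /phppgadmin/login.php" \
    "phase:2,t:none,nolog,pass,setvar:tx.anomaly_score=-5"
```

Each rule logs nothing (`nolog`) and takes no blocking decision itself (`pass`); the audit log of the surrounding CRS rules remains the place to confirm which signatures fired before widening an exception.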