[Owasp-modsecurity-core-rule-set] sql injection and xss bypassing 2.2.0 core-rule-set

Alexandre Biancalana biancalana at gmail.com
Sun Jul 10 11:20:37 EDT 2011


Hi list,

 I've configured mod_security 2.6.0 with modsecurity-crs_2.2.0 rules
in paranoid mode.

 Looking at apache logs I've perceived that some tries of sql
injection and xss aren't blocked by mod_security even in paranoid
mode.

 Follow my mod_security_crs_10_config.conf:

SecComponentSignature "core ruleset/2.2.0"
SecRuleEngine On
SecDefaultAction "phase:2,pass,log"
SecAction "phase:1,id:'981206',t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
SecAction "phase:1,id:'981207',t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=10, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2"
SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=1"
SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded
multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/
.bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/
.csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .ht
r/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/
.old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/
.sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webin
fo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
/Content-Range/ /Translate/ /via/ /if/'"
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
        "chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
        SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:User-Agent "^(.*)$"
"phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
SecRule REQUEST_HEADERS:x-forwarded-for
"^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
"phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
SecRule &TX:REAL_IP "!@eq 0"
"phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
SecRule &TX:REAL_IP "@eq 0"
"phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"


  Here are some examples of request that aren't blocked:

 /search.php?idS=c4ca4238a0b923820dcc509a6f75849b%27%20or%20%28sleep%284%29%2b1%29%20limit%201%20--
%20

/album.php?idalbum=35&idfoto=163&idsel=1%3C%00ScRiPt%20%0d%0a%3Eprompt%28973555%29%3C%2fScRiPt%3E

/stats.php?idJ=%21%28%28%29%26%26%21%7c*%7c*%7c

I added the word "sleep" to modsecurity_41_sql_injection_attacks.data
and that starts to stop some requests, but not all.

That is suppose to happen ?

Best Regards,

Alexandre


More information about the Owasp-modsecurity-core-rule-set mailing list