[Owasp-modsecurity-core-rule-set] CRS 2.2.4 Rules 981220 and 981222 Puzzle

Owens, Mike, DoIT Mike.Owens at state.nm.us
Wed Mar 28 15:27:50 UTC 2012


I have encountered a puzzle involving rules 981220 and 981222. The two rules are testing for the presence of a default charset being sent either in the Content-type response header or a meta tag in the response body. The rules themselves inspect the RESPONSE_CONTENT_TYPE (Apache internal area) rather than the Content-type header per se.

In my audit log, I have a case where the Content-type response header is "text/html; charset=utf-8", but the log entry reports that the RESPONSE_CONTENT_TYPE contains only "text/html". This causes the two rules to fire.

My question is, why does ModSecurity show a difference between the Content-type header and the RESPONSE_CONTENT_TYPE area?

Here's a typical audit log entry (identifying data replaced with "***"):

--4b594116-A--
[28/Mar/2012:09:02:46 --0600] T3MoFn8AAAEAACg91mkAAADM *** 30254 ***
--4b594116-B--
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1
Connection: close
Host: ***
Accept: text/html

--4b594116-F--
HTTP/1.1 200 OK
Last-Modified: Tue, 06 Oct 2009 14:45:37 GMT
ETag: "198-4754548896640"
Accept-Ranges: bytes
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8

--4b594116-H--
Message: Warning. Match of "rx (?i:(<meta.*?(content|value)=\"text/html;\\s?charset=|<\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/usr/local/apache/conf/site-conf/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"]
Message: Warning. Match of "rx (<meta.*?(content|value)=\"text/html;\\s?charset=utf-8|<\\?xml.*?encoding=\"utf-8\")" against "RESPONSE_BODY" required. [file "/usr/local/apache/conf/site-conf/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check]  The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"]
Stopwatch: 1332946966251284 24295 (- - -)
Stopwatch2: 1332946966251284 24295; combined=7754, p1=1161, p2=4497, p3=48, p4=298, p5=1545, sr=344, sw=205, l=0, gc=0
Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/); core ruleset/2.2.4.
Server: 
Sanitised-Request-Headers: "Authorization".

--4b594116-Z--

My setup, in case that helps:

Red Hat Enterprise Linux; kernel 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
Apache 2.4.1
ModSecurity 2.6.5
ModSecurity CRS 2.2.4

--
Michael Owens <mike.owens at state.nm.us>
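To see why both rules fire on the response logged above, here is an added Python approximation of the two Watcher checks; it is not the CRS rule file and not the poster's code. It reuses the two RESPONSE_BODY patterns verbatim from the [msg] lines and takes the content type as ModSecurity saw it in RESPONSE_CONTENT_TYPE; the header parsing and the way the header and body conditions are combined are my assumption of how the rules chain.

```python
import re

# Body patterns copied from the two [msg] lines in the audit log.
# Note that the 981222 pattern, as logged, has no (?i:) and so is case-sensitive.
META_CHARSET_ANY = re.compile(
    r'(?i:(<meta.*?(content|value)="text/html;\s?charset=|<\?xml.*?encoding=))')
META_CHARSET_UTF8 = re.compile(
    r'(<meta.*?(content|value)="text/html;\s?charset=utf-8|<\?xml.*?encoding="utf-8")')


def header_charset(response_content_type):
    """Return the charset parameter of a Content-Type value, lower-cased, or None."""
    m = re.search(r'charset=([^;\s]+)', response_content_type, re.IGNORECASE)
    return m.group(1).strip('"').lower() if m else None


def watcher_charset_checks(response_content_type, body):
    """Return the ids of the rules that would fire for an HTML response.

    Assumed logic (not taken from the rule file): both rules only apply to
    text/html, the header is consulted first, and the body pattern must
    match to suppress the alert, as the 'required' wording in the log says.
    """
    fired = []
    if not response_content_type.lower().startswith("text/html"):
        return fired
    charset = header_charset(response_content_type)
    # 981220: no charset at all, neither in the header nor in a meta/xml tag.
    if charset is None and not META_CHARSET_ANY.search(body):
        fired.append("981220")
    # 981222: charset is not utf-8 in the header and the body does not say utf-8.
    if charset != "utf-8" and not META_CHARSET_UTF8.search(body):
        fired.append("981222")
    return fired


if __name__ == "__main__":
    # Constructed sample body with no charset declaration, like the 408-byte page above.
    body = "<html><head><title>x</title></head><body>hi</body></html>"
    print(watcher_charset_checks("text/html", body))                   # ['981220', '981222']
    print(watcher_charset_checks("text/html; charset=utf-8", body))    # []
```

Passing "text/html" (the value shown in [data]) fires both rules, while passing the header as actually sent, "text/html; charset=utf-8", fires neither, which is the discrepancy the post is asking about.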


