[Owasp-modsecurity-core-rule-set] FALSE POSITIVE

Thayyilekandy, Subin : Barclaycard US sthayyilekan at BarclaycardUS.com
Thu Jul 3 19:12:02 UTC 2014




1) for: SecRuleUpdateTargetById 950120 !ARGS:data_567 (data_576 ...): data is static but not the number; are there any solutions for that?

                -              Are you saying that any of your parameters data_000 – data_999 can have URL data and you want to allow that? This rule is meant for file inclusion attempts and will look for URL patterns, so if you want to allow URLs in any/all of your parameters for this particular request alone you might just want to conditionally remove the rule itself for this request:
SecRule REQUEST_FILENAME "@rx /XXX/your request url" "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveById=950120"



2) I don't understand  /XXX/Register\.action

                        This was just an example for a URL; you should substitute it with your request URL.
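The question above is about parameters named data_<number> where the number changes. As an added example (not a rule from this thread or from the CRS project), the two exclusions below scope the exception to exactly those parameter names with a regex target selector instead of dropping rule 950120 for the whole request. They assume the CRS 2.2.x rule id 950120 seen in the log, a hypothetical request path /XXX/Register.action, and a ModSecurity version (2.7 or later) that accepts regex selectors of the form ARGS:/.../ in rule targets.

```apache
# Added example, not from the mailing-list thread.
# Goal: keep the RFI check (950120) on every parameter except the
# user-supplied data_<digits> fields, whose number is not fixed.

# Option A: permanent target exclusion. Load this AFTER the CRS rules
# (e.g. in a modsecurity_crs_60_customrules.conf style file).
# The regex selector matches any ARGS name like data_565, data_567, data_999.
SecRuleUpdateTargetById 950120 "!ARGS:/^data_\d+$/"

# Option B: exclusion limited to one request URL. Load this BEFORE the CRS
# rules so the ctl action takes effect before 950120 is evaluated.
# /XXX/Register.action is a placeholder for the real form handler.
# Other URLs keep full inspection of data_* parameters.
SecRule REQUEST_FILENAME "@rx ^/XXX/Register\.action$" \
    "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=950120;ARGS:/^data_\d+$/"
```

Option B is the safer of the two: an exception tied to the one form that legitimately accepts website URLs leaves the RFI check active everywhere else, and the regex keeps the exception from widening to unrelated parameters on that same form. Both forms assume the regex-selector syntax is supported by the ModSecurity build in use; if it is not, list the individual ARGS names instead.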





2014-07-02 14:57 GMT+00:00 Thayyilekandy, Subin : Barclaycard US <sthayyilekan at barclaycardus.com>:
If data_567 will always have the Url data you can do in your custom rules file (AFTER the CRS rules)

SecRuleUpdateTargetById 950120 "!ARGS:data_567"

Or conditionally check the URL particular to this request and allow the parameter in your custom rules file (BEFORE the CRS rules):


SecRule REQUEST_FILENAME "@rx /XXX/Register\.action" "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=950120;ARGS:data_567"



Thanks

Subin
Application Security consultant | GISTR

From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Ilyass Kaouam
Sent: Wednesday, July 02, 2014 6:08 AM
To: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] FALSE POSITIVE

Hello,

Our website is a directory, that is to say we always have users who insert their data such as the URL of their website, telephone, fax ...
During validation by our team I noticed that mod_security prohibits the request because it contains a URL: http://www.companyhacham.sitew.com/

Do you have a (secure) solution to allow URLs?

Thank you

log:


codeAction=1&entid=395342&bilid=345129&idMkt=518&denomination=&capital=100+000+&activite=COMPANY+HACHAM+offre+des+produits+et+services+de+grande+qualit%C3%A9+dans+les+domaines+de+%3A+Menuiserie+Aluminium%2C+PVC%2C+Inox%2C+Vitrine+en+Verre%2C+Cloisons+aluminium%2C+Cuisine+Moderne+Sur+Mesure%2C+Tablier+en+lames+Micro+perfor%C3%A9es%2C+Habillage+de+Fa%C3%A7ade.+(ALUCOBOND)%2C+Faux+Plafonds%2C+Mur+Rideau%2C+Moustiquaire%2C+les+Stores%2C+Travaux+divers.&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=06%2F08%2F13+14%3A32&loginUser=sgh5%40hotmail.fr&emailUser=sgh5%40hotmail.fr&id=518&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_565=on&telfaxmailweb_565_validator=1&data_565=0618555477&type_565=1&idMktTelfaxmailweb_565=0&telfaxmailweb_566=on&telfaxmailweb_566_validator=1&data_566=companyhacham%40gmail.com&type_566=3&idMktTelfaxmailweb_566=0&telfaxmailweb_567=on&telfaxmailweb_567_validator=1&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4&idMktTelfaxmailweb_567=0&statut=1&remarque=

--c307bc39-F--

HTTP/1.1 403 Forbidden

Content-Length: 245

Connection: close

Content-Type: text/html; charset=iso-8859-1



Message: Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.companyhacham.sitew.com/ found within TX:1:www.companyhacham.sitew.com/"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]


Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.



--
Ilyass kaouam
Systems administrator at Inforisk Group Finaccess
European Masters in Information Technology
Portable : (212) 6 34 57 14 36
http://www.inforisk.ma
