[Owasp-modsecurity-core-rule-set] Backport HTTP Parameter Pollution rule for CRSv2 Users

Morris Taylor morris at eml.cc
Wed Aug 24 08:57:39 UTC 2016


Hi there:

   We have backported a rule from CRSv3 to CRSv2 for protecting web
   applications from HTTP parameter pollution attacks. The following are
   the rules:

SecRule ARGS_NAMES "." "phase:2,id:2001,rev:'2',ver:'OWASP_CRS/3.0.0',pass,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'CAPEC-460',setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

SecRule TX:/paramcounter_.*/ "@gt 1" "msg:'HTTP Parameter Pollution (%{TX.1})',chain,phase:2,id:2002,rev:'2',ver:'OWASP_CRS/3.0.0',maturity:'7',accuracy:'8',severity:'CRITICAL',block,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'CAPEC-460',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" "capture,setvar:tx.msg=%{rule.msg},setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}"

The differences between CRSv3 and the rules above are as follows:
1. The phase value is set to 2 instead of "request" to ensure
compatibility for users of ancient ModSecurity versions who are not running
ModSecurity with the early request module enabled.
2. The rule ids are modified to suit our case.
3. The multiline rules are reformatted into one line per rule.
4. The default action of the second rule is changed from pass to block;
please note that this change may cause some new alarms on your side.

I have performed several simple tests with ModSecurity 2.8 on my side,
and it works perfectly. I hope this sharing will help those who are also
suffering from HTTP parameter attacks and don't have enough time to patch
their applications. Please correct me directly if you see anything
wrong here. Thanks!


--
BR, Morris
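As an added illustration (not part of the original post or of the CRS project), the Python below emulates what the two rules do, so the counting logic can be checked offline without a ModSecurity build: rule 2001 increments one TX.paramcounter_ variable per ARGS_NAMES entry, and rule 2002 raises an alert and the anomaly score for every counter greater than 1. Names, function names and the sample requests are constructed for this example; the value 5 for tx.critical_anomaly_score is an assumption (the CRS default), since the post does not state it.

```python
"""Plain-Python emulation of the backported HPP rules 2001/2002.

Added example, not code from the post or from OWASP CRS.  It reproduces
the rule logic only: count every argument name exactly as ModSecurity
would expose it in ARGS_NAMES, then flag any name seen more than once.
"""
from collections import Counter
from urllib.parse import parse_qsl

# Assumption: CRS default for tx.critical_anomaly_score is 5.
CRITICAL_ANOMALY_SCORE = 5


def args_names(query_string, body=""):
    """Return every ARGS_NAMES entry of a request, in wire order.

    ModSecurity's ARGS collection merges query-string and url-encoded
    body parameters, which is why a duplicate split across GET and POST
    still counts as pollution.  keep_blank_values keeps 'id=&id=1'.
    """
    names = []
    for source in (query_string, body):
        if source:
            names.extend(name for name, _ in parse_qsl(source, keep_blank_values=True))
    return names


def rule_2001(names):
    """Rule 2001: setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1' per name.

    MATCHED_VAR_NAME is the full 'ARGS_NAMES:<name>' string, compared
    byte-for-byte, so 'id' and 'Id' get separate counters, as in the rule.
    """
    tx = Counter()
    for name in names:
        tx["paramcounter_ARGS_NAMES:" + name] += 1
    return tx


def rule_2002(tx):
    """Rule 2002 plus its chained rule over TX:/paramcounter_.*/ "@gt 1".

    The chained rule's capture of 'TX:paramcounter_(.*)' becomes TX.1,
    which is what appears in the msg.  This emulation adds
    tx.critical_anomaly_score once per polluted name it reports.
    """
    alerts = []
    score = 0
    for var, count in tx.items():
        if var.startswith("paramcounter_") and count > 1:
            tx_1 = var[len("paramcounter_"):]  # e.g. 'ARGS_NAMES:id'
            alerts.append("HTTP Parameter Pollution (%s)" % tx_1)
            score += CRITICAL_ANOMALY_SCORE
    return {"alerts": alerts, "anomaly_score": score}


def inspect_request(query_string, body=""):
    """Run both rules over one request; returns alerts and score delta."""
    return rule_2002(rule_2001(args_names(query_string, body)))


if __name__ == "__main__":
    # Constructed sample requests.
    for qs, body in [("id=1&id=2", ""), ("id=1", "id=2"),
                     ("Id=1&id=2", ""), ("a=1&b=2&a=3&b=4", "")]:
        print(repr(qs), repr(body), "->", inspect_request(qs, body))
```

The third sample shows the rule's exact-match behaviour: a name that differs only in case is a different ARGS_NAMES entry and is not flagged, which is worth remembering when an application treats parameter names case-insensitively.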

