[Owasp-modsecurity-core-rule-set] Backport HTTP Parameter Pollution rule for CRSv2 Users

Christian Folini christian.folini at netnea.com
Wed Aug 24 10:50:40 UTC 2016


Morris,

This works as advertised. Thanks for sharing.

If you are running it outside of the CRS, you may want to remove all
the tags and the CRS-specific setvars.

Ahoj,

Christian

On Wed, Aug 24, 2016 at 04:57:39PM +0800, Morris Taylor wrote:
> Hi there:
> 
>    We have backported a rule from CRSv3 to CRSv2 for protecting web
>    applications from HTTP parameter pollution attacks. The rules are
>    as follows:
> 
> SecRule ARGS_NAMES "." "phase:2,id:2001,rev:'2',ver:'OWASP_CRS/3.0.0',pass,nolog,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'CAPEC-460',setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> 
> SecRule TX:/paramcounter_.*/ "@gt 1" "msg:'HTTP Parameter Pollution (%{TX.1})',chain,phase:2,id:2002,rev:'2',ver:'OWASP_CRS/3.0.0',maturity:'7',accuracy:'8',severity:'CRITICAL',block,tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'CAPEC-460',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
>     SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" "capture,setvar:tx.msg=%{rule.msg},setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}"
> 
> The differences between CRSv3 and the rules above are as follows:
> 1. The phase value is set to 2 instead of "request" to ensure
> compatibility for users of ancient ModSecurity versions who are not
> running ModSecurity with the early request module enabled.
> 2. The rule IDs are modified to suit our case.
> 3. The multiline rules are reformatted into one line per rule.
> 4. The default action of the second rule is changed from pass to block;
> please note that this change may cause some new alarms on your side.
> 
> I have performed several simple tests with ModSecurity 2.8 on my side,
> and it works perfectly. I hope this sharing will help those who are also
> suffering from HTTP parameter attacks and don't have enough time to patch
> their applications. Please correct me directly if you see anything
> wrong here. Thanks!
> 
> 
> --
> BR, Morris
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini at netnea.com
twitter: @ChrFolini
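The counting logic of the two backported rules, as an added Python emulation (not code from the post or from the CRS project) that shows which requests rule 2002 would alert on. It assumes ModSecurity 2.x semantics: ARGS covers both ARGS_GET and ARGS_POST, and argument names are percent-decoded before ARGS_NAMES is evaluated, so a duplicate split across query string and body, or hidden behind encoding, still lands in one counter.

```python
"""Emulation of the two backported rules: rule 2001 bumps one TX counter per
ARGS_NAMES occurrence, rule 2002 fires for every counter above 1."""
from urllib.parse import parse_qsl

COUNTER_PREFIX = "paramcounter_"


def count_arg_names(query: str = "", body: str = "") -> dict:
    """Rule 2001: setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1' for each
    ARGS_NAMES entry. Assumed ModSecurity 2.x behaviour: ARGS spans both
    ARGS_GET and ARGS_POST, and names are percent-decoded before matching,
    so MATCHED_VAR_NAME reads 'ARGS_NAMES:<decoded name>'."""
    counters = {}
    for raw in (query, body):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            key = f"{COUNTER_PREFIX}ARGS_NAMES:{name}"
            counters[key] = counters.get(key, 0) + 1
    return counters


def hpp_alerts(query: str = "", body: str = "") -> list:
    """Rule 2002: TX:/paramcounter_.*/ "@gt 1", chained with a capture of
    the text after 'paramcounter_' (TX.1) that ends up in the alert msg."""
    alerts = []
    for key, hits in count_arg_names(query, body).items():
        if hits > 1:
            tx_1 = key[len(COUNTER_PREFIX):]
            alerts.append(f"HTTP Parameter Pollution ({tx_1})")
    return alerts


if __name__ == "__main__":
    # Constructed sample requests (query string, POST body), not captured traffic.
    samples = [
        ("id=1&id=2", ""),          # classic duplicate in the query string
        ("id=1", "id=2"),           # duplicate split across query and body
        ("i%64=1&id=2", ""),        # encoded name collapses into the same counter
        ("tag[]=a&tag[]=b", ""),    # array-style names count too: paranoia-level-3 noise
        ("a=1&b=2", ""),            # clean request, no alert
    ]
    for query, body in samples:
        print(f"query={query!r} body={body!r} -> {hpp_alerts(query, body)}")
```

The `tag[]` case is the kind of legitimate request that keeps this rule at paranoia level 3; with the switch from `pass` to `block`, check what your SecDefaultAction does on a match before enabling it.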

