[Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Adrián adrianbn at gmail.com
Fri Jul 3 09:12:09 UTC 2015


Hi Tom,

it seems to me that ModSecurity is 'rightly' detecting XSS attempts due to
the HTML tags that you submit when creating blog posts. As far as I know,
what you would need to do is create exceptions for the URLs and parameters
you know contain HTML tags, and if possible make them specific to the tags
that your site allows. This is tedious (for lack of a better word) work
that comes with the installation of ModSecurity in front of a new
application. Keep in mind that the default CRS is generic and doesn't understand
the idiosyncrasies of your application, so the rules need adjusting.

Good luck!
Adrian
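To turn the quoted error log into the targeted exceptions Adrián describes, here is an added example (not from this thread or from the CRS project) that parses ModSecurity 2.x error-log lines, groups the firing rule ids by URI and parameter, and emits one phase-1 rule per URI using ctl:ruleRemoveTargetById. The sample log lines are constructed from the quoted ones with the regex patterns and file paths trimmed, and the id range starting at 90001 for the exclusion rules is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x error-log format quoted in the thread
# (patterns and paths shortened to "..."). The third line is an execution error
# with no matched target and must be skipped, not turned into an exclusion.
SAMPLE_LOG = r'''
[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 1] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 1] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:art_lid. [file "..."] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 1] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "..."][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 1] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:art_text. [file "..."] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
'''

# The matched target always appears as ' at ARGS:<name>. [file ' in a Warning line.
MATCH_RE = re.compile(r'\bat (?P<target>ARGS:\S+?)\. \[file ')
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
URI_RE = re.compile(r'\[uri "(?P<uri>[^"]+)"\]')


def parse_hits(log_text):
    """Return {uri: {rule_id: set(targets)}} for 'Pattern match ... at TARGET' events.
    Lines without a matched target (execution errors, audit notices) are ignored."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m, i, u = MATCH_RE.search(line), ID_RE.search(line), URI_RE.search(line)
        if not (m and i and u):
            continue
        hits[u['uri']][i['id']].add(m['target'])
    return hits


def render_exclusions(hits, first_id=90001):
    """Emit one phase-1 rule per URI that drops only the noisy (rule, parameter)
    pairs before the CRS body rules run. first_id is an assumed free id range;
    the rest of the CRS still inspects every other parameter of the request."""
    lines, rule_id = [], first_id
    for uri in sorted(hits):
        ctls = ','.join(
            f'ctl:ruleRemoveTargetById={rid};{target}'
            for rid in sorted(hits[uri]) for target in sorted(hits[uri][rid]))
        lines.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                     f'"id:{rule_id},phase:1,pass,nolog,{ctls}"')
        rule_id += 1
    return lines


if __name__ == '__main__':
    for rule in render_exclusions(parse_hits(SAMPLE_LOG)):
        print(rule)
```

Review the generated list before deploying it: a parameter that legitimately carries HTML (art_text here) is a reasonable exclusion, while an unexpected one (an id-like field such as art_lid carrying full markup) is worth checking in the application first.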

On Fri, 3 Jul 2015 at 9:35, kazik (<kazik at agape.org.pl>) wrote:

> Hello,
>
> Server - *Ubuntu 14 LTS* | *Apache/2.4.7* | modsecurity *2.7.7-2*
>
> I enabled modsecurity in DetectionOnly mode - the default configuration
> from Ubuntu.
>
> On our server we have a few sites, CMSs (Joomla, WordPress) and our own CMS.
> All of them work with WYSIWYG editors.
>
> When I set *SecRequestBodyAccess On* and try to update or create an article,
> there are a lot of errors, especially SQL injection and XSS.
>
> But I am only updating an article, it's not a crime :)
>
> It looks like modsecurity treats all HTML tags as SQL or XSS attacks,
> is there any special module or parser for that?
>
> HELP ME, PLEASE :)
>
> tom kazm
>
> example of logs from apache2 errors
>
>
>
> [Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Warning. Pattern match
> "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at
> ARGS:art_lid. [file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
> [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack
> Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td
> valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table
> class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5
> style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)
> \\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz
> si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity
> "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"]
> [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"]
> [tag "PCI/6.5.1"] [hostname „XXXXXXXXXXXXX"] [uri "/admin/index.php"]
> [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Warning. Pattern match
> "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()" at
> ARGS:art_lid. [file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
> [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack
> Detected."] [data "Matched Data: \\x22contentpaneopen\\x22> <tbody> <tr>
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0)\\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22><span style=\\x22color: rgb( found within
> ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr>
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigr..."]
> [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"]
> [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
> [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line
> "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "
> milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Warning. Pattern match
> "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_lid.
> [file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
> [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack
> Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td
> valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0)\\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within
> ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr>
> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0)\\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity
> "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"]
> [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"]
> [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"]
> [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Warning. Pattern match
> "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at
> ARGS:art_text. [file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
> [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack
> Detected."] [data "Matched Data: \\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within
> ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 src=\\
> x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22
> /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22
> target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver
> "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"]
> [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
> [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id
> "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352]
> [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[
> /+\\\\t\\"\\\\'`]style[
> /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))"
> at ARGS:art_lid. [file
> "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
> [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack
> Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span
> style=\\x22color: rgb(128,0,0)\\x22><a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz
> si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a href=\\
> x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22
> target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej w
> j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver
> "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"]
> [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri
> "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>