[Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Chaim Sanders CSanders at trustwave.com
Sat Jul 4 15:37:26 UTC 2015


ModSecurity will indeed will block HTML tags because they are exactly how HTML injection/XSS is introduced. Sending HTML is often indicative of these vulnerabilities being exploited, in general it is considered poor form/dev to send such content across the wire. However, you can always, easily create exceptions for rules in particular places. Just look at the particular rule that is triggering and the particular parameter that is triggering them and you can add an exception by doing something similar to the following ‘SecRuleUpdateTargetById 950907 !ARGS:test’. For more information see https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/. In addition, if you are using CRS 3.0 this feature is already built in see your config file: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/modsecurity_crs_10_setup.conf.example#L420.

For more detail see the issue that someone opened yesterday about this and my reply, I think it goes into a tad more detail. https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/235

Chaim Sanders
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Adrián
Sent: Friday, July 3, 2015 5:12 AM
To: kazik; owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Hi Tom,
it seems to me that ModSecurity is 'rightly' detecting XSS attempts due to the HTML tags that you submit when creating blog posts. As far as I know, what you would need to do is create exceptions for the URLs and parameters you know contain HTML tags, and if possible make them specific to the tags that your site allows. This is a tedious (for a lack of a better word) work that comes with the installation of ModSecurity in front of a new application. Think that the default CRS is generic and doesn't understand the idiosyncrasy of your application, so the rules need adjusting.
Good luck!
Adrian

El vie., 3 jul. 2015 a las 9:35, kazik (<kazik at agape.org.pl<mailto:kazik at agape.org.pl>>) escribió:
helo,

Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2

I was enabled modsecurity in DetectionPnly mode - default configuration from Ubuntu.

On our server we have a few site, CMS (Joomla, wordpress) and own CMS.
All of them work with WYSWIG editors.

When I set SecRequestBodyAccess On and try update or create article,
there is a lot of errors, especially SQL-injecttion and XSS.

But I only update article, its no a crime :)

Look like modsecurity treats all html tags like SQL or XSS attack,
is there any special module for that or parser?

HELP ME, PLEASE :)

tom kazm

example of logs from apache2 errors



[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))<file:///\\\'][%20]*(([%5ea-z0-9~_:\'%20%5d)|(in)).+%3f\(.*%3f\))>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22<file:///\\x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz<file:///\\x22%3eWybierasz> si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname „XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()<file:///\\\'].*%3f\)%5b%20%5d*((%5b%5ea-z0-9~_:\'%20%5d)|(in)).+%3f\()>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22contentpaneopen\\x22<file:///\\x22contentpaneopen\x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb( found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigr..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "milujciesie.org.pl<http://scanmail.trustwave.com/?c=4062&d=ttiW1fhCz_rKo3NNzBoPQNtxYhh3oIniz93CCaGRUg&s=5&u=http%3a%2f%2fmilujciesie%2eorg%2epl>"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)<file:///\\\'][%20]*(([%5ea-z0-9~_:\'%20%5d)|(in)).+%3f%5b.%5d.+%3f=)>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22<file:///\\x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)<file:///\\\'][%20]*(([%5ea-z0-9~_:\'%20%5d)|(in)).+%3f%5b.%5d.+%3f=)>" at ARGS:art_text. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22 /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ /+\\\\t\\"\\\\'`]style[ /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))<file:///\\\'%60]style[%20\+\t%5d*%3f=.*(%5b:=%5d|(&%23x%3f0*((58)|(3A)|(61)|(3D));%3f)).*%3f(%5b(\%5d|(&%23x%3f0*((40)|(28)|(92)|(5C));%3f)))>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file:///\\x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz<file:///\\x22%3eWybierasz> si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej<file:///\\xc5\x9awi\xc4\x99tej> w j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set<http://scanmail.trustwave.com/?c=4062&d=ttiW1fhCz_rKo3NNzBoPQNtxYhh3oIniz9rFVqXGWg&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150704/072b3aca/attachment-0001.html>


More information about the Owasp-modsecurity-core-rule-set mailing list