[Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

kazik kazik at agape.org.pl
Tue Jul 7 08:05:56 UTC 2015


Hello,

Thanks Chaim - you're right, modsecurity works ok - I do not…

In your example I can update the rule, but where should I place this update,
in the apache container (e.g. <Directory>) or add a local.conf file to activated_rules?

CRS v3 looks interesting (even in beta) - maybe a stupid question, but how do I update the CRS rules to v3?
(now: modsecurity 2.7.7-2, crs 2.9)

Giga thanks, again ;)

Tom Kazm


> Message written by Chaim Sanders <CSanders at trustwave.com> on 4 Jul 2015, at 17:37:
> 
> ModSecurity will indeed block HTML tags because they are exactly how HTML injection/XSS is introduced. Sending HTML is often indicative of these vulnerabilities being exploited; in general it is considered poor form/dev to send such content across the wire. However, you can always, easily create exceptions for rules in particular places. Just look at the particular rule that is triggering and the particular parameter that is triggering it, and you can add an exception by doing something similar to the following: ‘SecRuleUpdateTargetById 950907 !ARGS:test’. For more information see https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/. In addition, if you are using CRS 3.0 this feature is already built in; see your config file: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/modsecurity_crs_10_setup.conf.example#L420.
> 
> For more detail see the issue that someone opened yesterday about this and my reply; I think it goes into a tad more detail: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/235
> 
> Chaim Sanders
> Security Researcher, SpiderLabs
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
> 
> From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org On Behalf Of Adrián
> Sent: Friday, July 3, 2015 5:12 AM
> To: kazik; owasp-modsecurity-core-rule-set at lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess
> 
> Hi Tom,
> 
> it seems to me that ModSecurity is 'rightly' detecting XSS attempts due to the HTML tags that you submit when creating blog posts. As far as I know, what you would need to do is create exceptions for the URLs and parameters you know contain HTML tags, and if possible make them specific to the tags that your site allows. This is tedious (for lack of a better word) work that comes with the installation of ModSecurity in front of a new application. Bear in mind that the default CRS is generic and doesn't understand the idiosyncrasies of your application, so the rules need adjusting.
> 
> Good luck!
> Adrian
> 
> On Fri, 3 Jul 2015 at 9:35, kazik (<kazik at agape.org.pl>) wrote:
> Hello,
> 
> Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2
> 
> I enabled modsecurity in DetectionOnly mode - the default configuration from Ubuntu.
> 
> On our server we have a few sites, CMSs (Joomla, WordPress) and our own CMS.
> All of them work with WYSIWYG editors.
> 
> When I set SecRequestBodyAccess On and try to update or create an article,
> there are a lot of errors, especially SQL injection and XSS.
> 
> But I only update an article, it's not a crime :)
> 
> Looks like modsecurity treats all html tags like SQL or XSS attacks,
> is there any special module or parser for that?
> 
> HELP ME, PLEASE :)
> 
> tom kazm
> 
> Example of logs from the apache2 error log:
> 
> 
> 
> [Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb( found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigr..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_text. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22 /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
> [Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ /+\\\\t\\"\\\\'`]style[ /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej w j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
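Both replies in the thread describe the same tuning loop: read the rule id and the parameter name out of each `Pattern match` line in the Apache error log, then exclude that parameter from that rule with `SecRuleUpdateTargetById`. The script below is an added example, not code from the thread or from the CRS project. It parses lines in the format quoted above (a shortened, constructed sample modelled on those lines is embedded), skips the `Execution error - PCRE limits exceeded` lines that carry a rule id but no matched target, counts how often each rule/parameter pair fired, and emits one `SecRuleUpdateTargetById` directive per pair. It also emits an alternative form scoped to the request URI using a phase 1 rule with `ctl:ruleRemoveTargetById`; the ids from 10000 upward used for those rules are placeholders and must be changed to a range unused by your rule set.

```python
import re
from collections import Counter

# Constructed sample input: six lines in the shape of the Apache error log
# quoted in the thread, with the long regex and [data "..."] sections shortened.
SAMPLE_LOG = r"""
[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\"\\'][ ]*...)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: ..."] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\"\\'].*?...)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: ..."] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\"\\'][ ]*...)" at ARGS:art_lid. [file "..."] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\"\\'][ ]*...)" at ARGS:art_text. [file "..."] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ /+\\t\"\\'`]style...)" at ARGS:art_lid. [file "..."] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
# 'Pattern match "<regex>" at <TARGET>. [file' : TARGET is the variable that matched
TARGET_RE = re.compile(r'" at (\S+?)\. \[file "')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def parse_hits(log_text):
    """Return one dict per 'Pattern match' line: rule id, matched target, uri, msg.

    'Execution error - PCRE limits exceeded' lines carry an [id] but no target;
    they mean the rule aborted, not that it matched, so they are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        if "Pattern match" not in line:
            continue
        rid, target = ID_RE.search(line), TARGET_RE.search(line)
        if not (rid and target):
            continue
        uri, msg = URI_RE.search(line), MSG_RE.search(line)
        hits.append({
            "id": rid.group(1),
            "target": target.group(1),
            "uri": uri.group(1) if uri else "",
            "msg": msg.group(1) if msg else "",
        })
    return hits


def summarize(hits):
    """Count how often each (rule id, target) pair fired; a pair that fires on
    every article save is the false positive worth excluding."""
    return Counter((h["id"], h["target"]) for h in hits)


def build_update_target_directives(hits):
    """One SecRuleUpdateTargetById line per (rule id, target), deduplicated and
    sorted; only that parameter is removed from that rule, which keeps
    inspecting every other argument."""
    pairs = sorted({(h["id"], h["target"]) for h in hits},
                   key=lambda p: (int(p[0]), p[1]))
    return [f"SecRuleUpdateTargetById {rid} !{target}" for rid, target in pairs]


def build_uri_scoped_rules(hits, base_id=10000):
    """Same exclusions, limited to the URI where the false positive was seen,
    via a phase:1 rule with ctl:ruleRemoveTargetById (applied per request).
    base_id is a placeholder; use an id range unused by your rule set."""
    triples = sorted({(h["uri"], h["id"], h["target"]) for h in hits if h["uri"]},
                     key=lambda t: (t[0], int(t[1]), t[2]))
    rules = []
    for n, (uri, rid, target) in enumerate(triples):
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"id:{base_id + n},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rid};{target}"'
        )
    return rules


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    for (rid, target), n in sorted(summarize(hits).items()):
        print(f"rule {rid} fired {n}x on {target}")
    print("\n".join(build_update_target_directives(hits)))
    print("\n".join(build_uri_scoped_rules(hits)))
```

On placement, which is the open question in the reply above: `SecRuleUpdateTargetById` modifies a rule that must already be loaded, so the generated lines belong in a file Apache includes after the CRS rules in activated_rules, not before them. The `ctl:ruleRemoveTargetById` form is applied per request in phase 1, before the phase 2 CRS rules run, and is the one to prefer when the WYSIWYG fields are only submitted on a few admin URLs. The `PCRE limits exceeded` line in the log is a separate condition: the regex hit the engine's match limit (`SecPcreMatchLimit` / `SecPcreMatchLimitRecursion`) on a large body and never finished, so it is neither evidence of an attack nor of a false positive, and the script deliberately leaves it out of the counts.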
