[Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Chaim Sanders CSanders at trustwave.com
Tue Jul 7 14:13:07 UTC 2015


So there are two questions here and I’ll try and address them independently (unfortunately they are slightly intertwined).
There is a common mistake people make when dealing with removing/modify rules  so I’ll get that out of the way first. There are two ways to do this. One can either do it with a ctl: action (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl) such as

SecRule REQUEST_URI "@beginsWith /index.php" "phase:1,t:none,pass, \
  nolog,ctl:ruleRemoveTargetById=981260;ARGS:user

 Or via the way I showed you previously

SecRuleUpdateTargetById 950907 !ARGS:test

The placement of these depends on which one you use. The rule version, featuring the ctl action must come BEFORE the rule in question. Anywhere really will work. In the CRS 3.0 world there is a file called REQUEST-00-LOCAL-WHITELIST.conf.example. Renaming this file to REQUEST-00-LOCAL-WHITELIST.conf and adding it there is what it was designed for. There is no reason that you can’t do this with an earlier version of OWASP too. The key being that it just needs to be loaded before the rest of the rules.
A similar file exists for SecRuleUpdateTargetById type directives. These must be places AFTER all the rules (it has to do with when these are run … at startup versus at time of rule check). CRS 3.0 also has a file just for this named RESPONSE-99-EXCEPTIONS.conf.example. This can also be renamed RESPONSE-99-EXCEPTIONS.conf and the SecRuleUpdateTargetById directive could be included there.

Now onto your second question how to upgrade to CRS 3.0. Fortunately this is the easier part. CRS is just a number of configuration files. So you can find those typically in your apache config area… depending on the OS this might be /etc/httpd/. Grep/find will be your friend in this instance. Once you’ve found all the files it is simply a matter of deleting (or moving) them. You can now download CRS 3.0 from the following URL: https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-dev. Extract these and move these rules to the same area.
You will then have to find the file from where CRS was included (either httpd.conf, modsecurity.conf, sometimes if installed via yum this can be named 10-modsecurity.conf (or something like that).  In the end you are looking for something like this (which you can grep). Note, these might have a folder path in front of them:
Include modsecurity_crs_10_setup.conf
Include activated_rules/*.conf


Simply change these to reflect the new folder layout of 3.0. I.E

Include modsecurity_crs_10_setup.conf
Include rules/*.conf

 That should do it, make sure the rules load correctly and you are using 3.0. Hopefully this helps!


From: kazik <kazik at agape.org.pl<mailto:kazik at agape.org.pl>>
Date: Tuesday, July 7, 2015 at 4:05 AM
To: Chaim Sanders <csanders at trustwave.com<mailto:csanders at trustwave.com>>
Cc: Adrián <adrianbn at gmail.com<mailto:adrianbn at gmail.com>>, "owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set at lists.owasp.org>" <owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set at lists.owasp.org>>
Subject: Re: [Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Hello,

Thanks Chaim - your right, modsecurity works ok - I do not…

In your example I can update the rule, but where shoud I place this update,
in apache container (example <Directory>) or add local.conf file to activated_rules?

CRS v3 looks interesting (even beta) - maybe stupid question, but how to update CRS rules to v 3?
(now: modsecurity 2.7.7-2, crs 2.9)

Giga thanks, again ;)

Tom Kazm


Wiadomość napisana przez Chaim Sanders <CSanders at trustwave.com<mailto:CSanders at trustwave.com>> w dniu 4 lip 2015, o godz. 17:37:

ModSecurity will indeed will block HTML tags because they are exactly how HTML injection/XSS is introduced. Sending HTML is often indicative of these vulnerabilities being exploited, in general it is considered poor form/dev to send such content across the wire. However, you can always, easily create exceptions for rules in particular places. Just look at the particular rule that is triggering and the particular parameter that is triggering them and you can add an exception by doing something similar to the following ‘SecRuleUpdateTargetById 950907 !ARGS:test’. For more information see https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/. In addition, if you are using CRS 3.0 this feature is already built in see your config file: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/modsecurity_crs_10_setup.conf.example#L420<http://scanmail.trustwave.com/?c=4062&d=joib1XwoaC3QMPIMFmFAYVrQyTAV7DV0YUkDP0xdSg&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fowasp-modsecurity-crs%2fblob%2fv3%2e0%2e0-dev%2fmodsecurity%5fcrs%5f10%5fsetup%2econf%2eexample%23L420>.

For more detail see the issue that someone opened yesterday about this and my reply, I think it goes into a tad more detail.https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/235<http://scanmail.trustwave.com/?c=4062&d=joib1XwoaC3QMPIMFmFAYVrQyTAV7DV0YU5SYEUKSg&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fowasp-modsecurity-crs%2fissues%2f235>

Chaim Sanders
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Adrián
Sent: Friday, July 3, 2015 5:12 AM
To: kazik; owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

Hi Tom,
it seems to me that ModSecurity is 'rightly' detecting XSS attempts due to the HTML tags that you submit when creating blog posts. As far as I know, what you would need to do is create exceptions for the URLs and parameters you know contain HTML tags, and if possible make them specific to the tags that your site allows. This is a tedious (for a lack of a better word) work that comes with the installation of ModSecurity in front of a new application. Think that the default CRS is generic and doesn't understand the idiosyncrasy of your application, so the rules need adjusting.
Good luck!
Adrian

El vie., 3 jul. 2015 a las 9:35, kazik (<kazik at agape.org.pl<mailto:kazik at agape.org.pl>>) escribió:
helo,

Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2

I was enabled modsecurity in DetectionPnly mode - default configuration from Ubuntu.

On our server we have a few site, CMS (Joomla, wordpress) and own CMS.
All of them work with WYSWIG editors.

When I set SecRequestBodyAccess On and try update or create article,
there is a lot of errors, especially SQL-injecttion and XSS.

But I only update article, its no a crime :)

Look like modsecurity treats all html tags like SQL or XSS attack,
is there any special module for that or parser?

HELP ME, PLEASE :)

tom kazm

example of logs from apache2 errors



[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))<file://////'][%20]*(([%5ea-z0-9~_:/'%20%5d)|(in)).+%3f/(.*%3f/))>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22<file://///x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca>href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz<file://///x22%3eWybierasz> si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname „XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()<file://////'].*%3f/)%5b%20%5d*((%5b%5ea-z0-9~_:/'%20%5d)|(in)).+%3f/()>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22contentpaneopen\\x22<file://///x22contentpaneopen/x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb( found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigr..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "milujciesie.org.pl<http://scanmail.trustwave.com/?c=4062&d=joib1XwoaC3QMPIMFmFAYVrQyTAV7DV0YU5VYEkOSw&s=5&u=http%3a%2f%2fmilujciesie%2eorg%2epl>"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)<file://////'][%20]*(([%5ea-z0-9~_:/'%20%5d)|(in)).+%3f%5b.%5d.+%3f=)>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22<file://///x22>> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)<file://////'][%20]*(([%5ea-z0-9~_:/'%20%5d)|(in)).+%3f%5b.%5d.+%3f=)>" at ARGS:art_text. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22 /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ /+\\\\t\\"\\\\'`]style[ /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))<file://////'%60]style[%20/+/t%5d*%3f=.*(%5b:=%5d|(&%23x%3f0*((58)|(3A)|(61)|(3D));%3f)).*%3f(%5b(/%5d|(&%23x%3f0*((40)|(28)|(92)|(5C));%3f)))>" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a<file://///x22%3e%3ca> href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz<file://///x22%3eWybierasz> si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej<file://///xc5/x9awi/xc4/x99tej> w j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set<http://scanmail.trustwave.com/?c=4062&d=joib1XwoaC3QMPIMFmFAYVrQyTAV7DV0YUlSP01ZQw&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150707/2e31ab84/attachment-0001.html>


More information about the Owasp-modsecurity-core-rule-set mailing list