[Owasp-modsecurity-core-rule-set] Modsecurity block JSON

Ilyass Kaouam ilyassikai at gmail.com
Wed Sep 9 16:24:49 UTC 2015


Hi,

I have this request:
POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig

with these parameters:
left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :  0,
collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, { mod
: 'mod-recherche', hidden :  0, collapsed : 0 }

When I execute this request, ModSecurity blocks my request.


Log :


--1354a526-A--

[09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80

--1354a526-B--

POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1

Host: www.abc.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0)
Gecko/20100101 Firefox/40.0

Accept: */*

Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new

Content-Length: 413

Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5;
__utma=37027576.1259853019.1435675370.1441795926.1441813263.22;
__utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576;
__utmb=37027576.3.10.1441813263

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache


--1354a526-C--

left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, {
mod : 'mod-recherche', hidden :  0, collapsed : 0 }

--1354a526-F--

HTTP/1.1 403 Forbidden

Content-Length: 296

Connection: close

Content-Type: text/html; charset=iso-8859-1


--1354a526-E--


--1354a526-H--

Message: Access denied with code 403 (phase 2). Pattern match
"([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
at ARGS:left. [file
"/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
Detection Alert - Total # of special characters exceeded"] [data "Matched
Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0,
collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0
}, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Action: Intercepted (phase 2)

Apache-Handler: proxy-server

Stopwatch: 1441813719351394 3237 (- - -)

Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0,
p4=0, p5=30, sr=26, sw=0, l=0, gc=0

Response-Body-Transformed: Dechunked

Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
OWASP_CRS/2.2.9.

Server: Apache/2.2.15 (CentOS) DAV/2

Engine-Mode: "ENABLED"


--1354a526-Z--






How can I allow a request like this safely?

Thanks
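
Added example, not part of the original post and not the CRS project's own configuration: one way to tune this false positive is to remove only the two layout parameters from rule 981173, only for this endpoint and action, and to compensate with a strict format check on those parameters. The rule ids 1000001 and 1000002 are placeholders, excluding `right` assumes it triggers the same rule as `left`, and the allow-list pattern is inferred from the sample body in the log above.

```apache
# Added example. Load this file BEFORE the CRS base_rules so the
# phase:1 ctl action is in effect when rule 981173 runs in phase 2.
# Rule ids 1000001/1000002 are placeholders from a local id range.

# 1) Scoped exclusion: for the widget-save action only, rule 981173
#    no longer inspects ARGS:left / ARGS:right. All other rules still
#    inspect these parameters, and 981173 still covers every other
#    parameter and every other URL.
SecRule REQUEST_FILENAME "@streq /beta/servlet/EspaceClientServlet" \
    "id:1000001,phase:1,t:none,pass,nolog,chain"
    SecRule ARGS_GET:Action "@streq Ajax$SaveWidgetConfig" \
        "t:none,\
        ctl:ruleRemoveTargetById=981173;ARGS:left,\
        ctl:ruleRemoveTargetById=981173;ARGS:right"

# 2) Compensating positive check: on the same endpoint and action,
#    deny the request unless left/right consist solely of entries like
#      { mod : 'mod-graph', hidden : 0, collapsed : 0 }
#    separated by commas. Assumed format (inferred from the sample):
#    mod names are lowercase letters and hyphens, flags are 0 or 1.
SecRule REQUEST_FILENAME "@streq /beta/servlet/EspaceClientServlet" \
    "id:1000002,phase:2,t:none,deny,status:403,log,\
    msg:'Widget layout parameter does not match expected format',\
    chain"
    SecRule ARGS_GET:Action "@streq Ajax$SaveWidgetConfig" \
        "t:none,chain"
        SecRule ARGS:left|ARGS:right \
            "!@rx ^(?:\{\s*mod\s*:\s*'[a-z-]+'\s*,\s*hidden\s*:\s*[01]\s*,\s*collapsed\s*:\s*[01]\s*\}\s*,?\s*)+$" \
            "t:none"
```

After reloading, re-send the request and check section H of the audit log: 981173 should no longer fire for `ARGS:left`, while a malformed `left` or `right` value should be denied by the local format rule.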