[Owasp-modsecurity-core-rule-set] Modsecurity block JSON

Adrián adrianbn at gmail.com
Thu Sep 10 09:01:24 UTC 2015


Unfortunately, you are hitting an unsolved issue in ModSecurity: requests
which have a content type other than application/json but include JSON in
some of the parameters. ModSecurity doesn't know how to handle this and
treats the whole argument as one single variable, thus triggering multiple
rules that shouldn't be triggered if the JSON object was parsed
appropriately. There is an issue open in GitHub to support something like
t:jsonDecode to aid with these situations, but it hasn't been actioned yet.

What you could do is, for those arguments you know are json format, create
a rule that reduces the score of the anomaly detection rules. That may do
the trick for many cases.


On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassikai at gmail.com> wrote:

> Hi,
>
> I have this request :
> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>
> with this parameters :
> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
> 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 },
> { mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>
> When I execute this request modsecurity block my request.
>
>
> Log:
>
> --1354a526-A--
> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
>
> --1354a526-B--
> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1
> Host: www.abc.com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
> Accept: */*
> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> X-Requested-With: XMLHttpRequest
> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
> Content-Length: 413
> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5; __utma=37027576.1259853019.1435675370.1441795926.1441813263.22; __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576; __utmb=37027576.3.10.1441813263
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
> --1354a526-C--
> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, { mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>
> --1354a526-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 296
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --1354a526-E--
>
> --1354a526-H--
> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:left. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
> Action: Intercepted (phase 2)
> Apache-Handler: proxy-server
> Stopwatch: 1441813719351394 3237 (- - -)
> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0, p4=0, p5=30, sr=26, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
> Server: Apache/2.2.15 (CentOS) DAV/2
> Engine-Mode: "ENABLED"
>
> --1354a526-Z--
>
> How can I allow a request like this safely?
>
> Thanks
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
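Two ways to implement the tuning Adrián describes, written as an added example for this thread (not code from either poster and not a rule shipped with CRS 2.2.9): a per-target exclusion for rule 981173, and a score give-back rule for parameters that have the widget-config shape shown in the log. It assumes the CRS 2.2.9 layout from the audit log and that 981173 raises tx.anomaly_score by tx.warning_anomaly_score; the rule id 1000101 and the file name are placeholders.

```apache
# Added example for this thread; not a rule shipped with CRS 2.2.9 and not from either poster.
# Assumptions: CRS 2.2.9 paths as in the audit log; rule 981173 adds tx.warning_anomaly_score
# to tx.anomaly_score (confirm in modsecurity_crs_41_sql_injection_attacks.conf); the id
# 1000101 and the file name below are placeholders, not existing CRS identifiers.
#
# Save as e.g. activated_rules/modsecurity_crs_48_local_widget_json.conf so it loads
# after the 41_* rules (SecRuleUpdateTargetById must follow the rule it modifies) and
# before modsecurity_crs_49_inbound_blocking.conf, where the anomaly score is evaluated.
# Use ONE of the two options: with both active the give-back runs without an increment.

# Option 1: stop 981173 from inspecting the two parameters known to carry widget
# config. Every other parameter is still checked, and this works in both
# self-contained and anomaly-scoring mode because the rule never sees those values.
SecRuleUpdateTargetById 981173 "!ARGS:left,!ARGS:right"

# Option 2 (anomaly-scoring mode only): leave 981173 intact and hand the score back
# when the flagged value has exactly the shape seen in the log: one or more
# { mod : '<name>', hidden : 0|1, collapsed : 0|1 } objects separated by commas.
# Limited to the servlet path from the log so the give-back applies nowhere else.
# ModSecurity 2.x runs a rule's setvar once per matching variable, so the decrement
# mirrors the per-variable increment that 981173 applies to ARGS:left and ARGS:right.
SecRule REQUEST_URI "@beginsWith /beta/servlet/EspaceClientServlet" \
    "phase:2,pass,nolog,id:'1000101',chain"
    SecRule ARGS:left|ARGS:right \
        "@rx ^(\s*\{\s*mod\s*:\s*'[\w-]+'\s*,\s*hidden\s*:\s*[01]\s*,\s*collapsed\s*:\s*[01]\s*\}\s*,?)+$" \
        "t:none,setvar:tx.anomaly_score=-%{tx.warning_anomaly_score}"
```

The audit log shows 981173 itself returning the 403 (Action: Intercepted) rather than the inbound anomaly check, which is what CRS 2.2.x self-contained mode does; in that mode only option 1 changes the outcome, because the anomaly score is never consulted.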