[Owasp-modsecurity-core-rule-set] Modsecurity block JSON

Ilyass Kaouam ilyassikai at gmail.com
Thu Sep 10 09:16:44 UTC 2015


Hi,

Thank your for your reply.
I don't Know If I understood correctly. Now if I change the content-type to
json, It should work ?
Thank's

2015-09-10 10:01 GMT+01:00 Adrián <adrianbn at gmail.com>:

> Unfortunately, you are hitting an unsolved issue in ModSecurity: requests
> which have content type other than application/json but include json in
> some of the parameters. ModSecurity doesn't know how to handle this and
> treats the whole argument as one single variable, thus triggering multiple
> rules that shouldn't be triggered if the json object was parsed
> appropriately. There is an issue open in GitHub to support something like
> t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
>
> What you could do is, for those arguments you know are json format, create
> a rule that reduces the score of the anomaly detection rules. That may do
> the trick for many cases.
>
>
> On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassikai at gmail.com> wrote:
>
>> Hi,
>>
>> I have this request :
>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>
>> with this parameters :
>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
>> 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 },
>> { mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>
>> When I execute this request modsecurity block my request.
>>
>>
>> Log :
>>
>>
>> --1354a526-A--
>>
>> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk
>> ​XXX.XXX.XXX
>>  53935
>> ​XXX.XXX.XXX
>>  80
>>
>> --1354a526-B--
>>
>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>> HTTP/1.1
>>
>> Host: www.
>> ​abc
>> .
>> ​com​
>>
>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0)
>> Gecko/20100101 Firefox/40.0
>>
>> Accept: */*
>>
>> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>>
>> Accept-Encoding: gzip, deflate
>>
>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>
>> X-Requested-With: XMLHttpRequest
>>
>> Referer: http://www.
>> ​abc
>> .
>> ​com
>> /beta/servlet/EspaceClientServlet?plateform=new
>>
>> Content-Length: 413
>>
>> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5;
>> __utma=37027576.1259853019.1435675370.1441795926.1441813263.22;
>> __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>> style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576;
>> __utmb=37027576.3.10.1441813263
>>
>> Connection: keep-alive
>>
>> Pragma: no-cache
>>
>> Cache-Control: no-cache
>>
>>
>> --1354a526-C--
>>
>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
>> 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, {
>> mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>
>> --1354a526-F--
>>
>> HTTP/1.1 403 Forbidden
>>
>> Content-Length: 296
>>
>> Connection: close
>>
>> Content-Type: text/html; charset=iso-8859-1
>>
>>
>> --1354a526-E--
>>
>>
>> --1354a526-H--
>>
>> Message: Access denied with code 403 (phase 2). Pattern match
>> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
>> at ARGS:left. [file
>> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
>> Detection Alert - Total # of special characters exceeded"] [data "Matched
>> Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0,
>> collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0
>> }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver
>> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
>> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>
>> Action: Intercepted (phase 2)
>>
>> Apache-Handler: proxy-server
>>
>> Stopwatch: 1441813719351394 3237 (- - -)
>>
>> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0,
>> p4=0, p5=30, sr=26, sw=0, l=0, gc=0
>>
>> Response-Body-Transformed: Dechunked
>>
>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
>> OWASP_CRS/2.2.9.
>>
>> Server: Apache/2.2.15 (CentOS) DAV/2
>>
>> Engine-Mode: "ENABLED"
>>
>>
>> --1354a526-Z--
>>
>>
>>
>>
>>
>>
>> Who can I allow like this request safety
>> ​ ?​
>>
>> Thank's  ​
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150910/aec3b64c/attachment.html>


More information about the Owasp-modsecurity-core-rule-set mailing list