[Owasp-modsecurity-core-rule-set] Modsecurity block JSON

Adrián adrianbn at gmail.com
Fri Sep 11 12:18:38 UTC 2015


What I am saying is that ModSecurity understands a properly formatted JSON
request: one that has the Content-Type set to application/json and whose
body is a JSON object. If you change the content type and the format of the
body, then it should work.

On Thu, 10 Sep 2015 at 10:17 Ilyass Kaouam <ilyassikai at gmail.com> wrote:

> Hi,
>
> Thank you for your reply.
> I don't know if I understood correctly. Now if I change the content-type
> to json, it should work?
> Thanks
>
> 2015-09-10 10:01 GMT+01:00 Adrián <adrianbn at gmail.com>:
>
>> Unfortunately, you are hitting an unsolved issue in ModSecurity: requests
>> which have content type other than application/json but include json in
>> some of the parameters. ModSecurity doesn't know how to handle this and
>> treats the whole argument as one single variable, thus triggering multiple
>> rules that shouldn't be triggered if the json object was parsed
>> appropriately. There is an issue open in GitHub to support something like
>> t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
>>
>> What you could do is, for those arguments you know are json format,
>> create a rule that reduces the score of the anomaly detection rules. That
>> may do the trick for many cases.
>>
>>
>> On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassikai at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have this request:
>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>>
>>> with these parameters:
>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden
>>> :  0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed :
>>> 1 }, { mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>>
>>> When I execute this request, ModSecurity blocks my request.
>>>
>>>
>>> Log:
>>>
>>>
>>> --1354a526-A--
>>>
>>> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
>>>
>>> --1354a526-B--
>>>
>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>> HTTP/1.1
>>>
>>> Host: www.abc.com
>>>
>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0)
>>> Gecko/20100101 Firefox/40.0
>>>
>>> Accept: */*
>>>
>>> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>>>
>>> Accept-Encoding: gzip, deflate
>>>
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>
>>> X-Requested-With: XMLHttpRequest
>>>
>>> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
>>>
>>> Content-Length: 413
>>>
>>> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5;
>>> __utma=37027576.1259853019.1435675370.1441795926.1441813263.22;
>>> __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>> style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576;
>>> __utmb=37027576.3.10.1441813263
>>>
>>> Connection: keep-alive
>>>
>>> Pragma: no-cache
>>>
>>> Cache-Control: no-cache
>>>
>>>
>>> --1354a526-C--
>>>
>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
>>> 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, {
>>> mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>>
>>> --1354a526-F--
>>>
>>> HTTP/1.1 403 Forbidden
>>>
>>> Content-Length: 296
>>>
>>> Connection: close
>>>
>>> Content-Type: text/html; charset=iso-8859-1
>>>
>>>
>>> --1354a526-E--
>>>
>>>
>>> --1354a526-H--
>>>
>>> Message: Access denied with code 403 (phase 2). Pattern match
>>> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
>>> at ARGS:left. [file
>>> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>>> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
>>> Detection Alert - Total # of special characters exceeded"] [data "Matched
>>> Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0,
>>> collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0
>>> }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver
>>> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
>>> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>>
>>> Action: Intercepted (phase 2)
>>>
>>> Apache-Handler: proxy-server
>>>
>>> Stopwatch: 1441813719351394 3237 (- - -)
>>>
>>> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0,
>>> p4=0, p5=30, sr=26, sw=0, l=0, gc=0
>>>
>>> Response-Body-Transformed: Dechunked
>>>
>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
>>> OWASP_CRS/2.2.9.
>>>
>>> Server: Apache/2.2.15 (CentOS) DAV/2
>>>
>>> Engine-Mode: "ENABLED"
>>>
>>>
>>> --1354a526-Z--
>>>
>>> How can I allow a request like this safely?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>
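An added illustration of the mechanism discussed in this thread (not code from the thread, from ModSecurity or from the CRS): the request body above is parsed once the way a form body processor sees it (one opaque string per parameter) and once as a constructed, well-formed JSON equivalent of the same data, and each resulting variable is checked against the 981173 pattern quoted in the audit log. The JSON flattening is a simplified stand-in for a JSON body processor, and only values (not parameter names) are checked.

```python
import json
import re
from urllib.parse import parse_qs

# Python form of the CRS 2.2.9 rule 981173 pattern quoted in the audit log:
# four or more "restricted SQL characters" anywhere in a single variable.
RESTRICTED_SQL_CHARS = re.compile(
    r"([~!@#$%^&*()\-+={}\[\]|:;\"'´’‘`<>].*?){4,}"
)

# Constructed sample: the thread's body, sent as application/x-www-form-urlencoded.
FORM_BODY = (
    "left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, "
    "{ mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, "
    "{ mod : 'mod-graph', hidden : 0, collapsed : 0 }"
    "&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, "
    "{ mod : 'mod-service', hidden : 0, collapsed : 1 }"
)

# Constructed sample: the same data as a real JSON document (the thread's
# body is not valid JSON: bare keys, single quotes, no enclosing array).
JSON_BODY = json.dumps({
    "left": [{"mod": "mod-historique", "hidden": 0, "collapsed": 0},
             {"mod": "mod-cercle-inforisk", "hidden": 0, "collapsed": 0},
             {"mod": "mod-graph", "hidden": 0, "collapsed": 0}],
    "right": [{"mod": "mod-surveillance-implicit", "hidden": 0, "collapsed": 0},
              {"mod": "mod-service", "hidden": 0, "collapsed": 1}],
})


def _flatten(node, prefix, out):
    """Simplified JSON body processor: one ARGS entry per leaf value."""
    if isinstance(node, dict):
        for key, value in node.items():
            _flatten(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _flatten(value, f"{prefix}.{index}", out)
    else:
        out[prefix] = str(node)


def request_args(content_type, body):
    """Return the ARGS collection a WAF would build for this body."""
    if content_type.startswith("application/json"):
        args = {}
        _flatten(json.loads(body), "", args)
        return args
    # Form-encoded: each parameter value is kept as one opaque string.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def args_hitting_981173(content_type, body):
    """Names of the ARGS whose value contains four or more restricted characters."""
    return sorted(name for name, value in request_args(content_type, body).items()
                  if RESTRICTED_SQL_CHARS.search(value))
```

Run against the form body, both `left` and `right` hit the pattern because the braces, colons and quotes of every object are counted inside one variable; run against the JSON body, every leaf is a short label or a number and nothing hits.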