[Owasp-modsecurity-core-rule-set] Modsecurity block JSON

Ilyass Kaouam ilyassikai at gmail.com
Mon Sep 14 09:18:21 UTC 2015


Hi Adrián,

It works perfectly, thanks :)

2015-09-11 13:18 GMT+01:00 Adrián <adrianbn at gmail.com>:

> What I am saying is that ModSecurity understands a properly formatted JSON
> request: one that has the Content-Type set to application/json and whose
> body is a JSON object. If you change the content type and the format of the
> body, then it should work.
>
>
> On Thu, 10 Sep 2015 at 10:17 Ilyass Kaouam <ilyassikai at gmail.com> wrote:
>
>> Hi,
>>
>> Thank you for your reply.
>> I don't know if I understood correctly. Now, if I change the content-type
>> to JSON, it should work?
>> Thanks
>>
>> 2015-09-10 10:01 GMT+01:00 Adrián <adrianbn at gmail.com>:
>>
>>> Unfortunately, you are hitting an unsolved issue in ModSecurity:
>>> requests which have content type other than application/json but include
>>> json in some of the parameters. ModSecurity doesn't know how to handle this
>>> and treats the whole argument as one single variable, thus triggering
>>> multiple rules that shouldn't be triggered if the json object was parsed
>>> appropriately. There is an issue open in GitHub to support something like
>>> t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
>>>
>>> What you could do is, for those arguments you know are json format,
>>> create a rule that reduces the score of the anomaly detection rules. That
>>> may do the trick for many cases.
>>>
>>>
>>> On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <ilyassikai at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have this request:
>>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>>>
>>>> with these parameters:
>>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>>>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>>>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>>>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations',
>>>> hidden :  0, collapsed : 0 }, { mod : 'mod-service', hidden :  0,
>>>> collapsed : 1 }, { mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>>>
>>>> When I execute this request, ModSecurity blocks it.
>>>>
>>>>
>>>> Log:
>>>>
>>>> --1354a526-A--
>>>> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
>>>>
>>>> --1354a526-B--
>>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1
>>>> Host: www.abc.com
>>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
>>>> Accept: */*
>>>> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>>>> Accept-Encoding: gzip, deflate
>>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>>> X-Requested-With: XMLHttpRequest
>>>> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
>>>> Content-Length: 413
>>>> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5;
>>>> __utma=37027576.1259853019.1435675370.1441795926.1441813263.22;
>>>> __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>>> style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576;
>>>> __utmb=37027576.3.10.1441813263
>>>> Connection: keep-alive
>>>> Pragma: no-cache
>>>> Cache-Control: no-cache
>>>>
>>>> --1354a526-C--
>>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod :
>>>> 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph',
>>>> hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit',
>>>> hidden :  0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden :
>>>> 0, collapsed : 0 }, { mod : 'mod-service', hidden :  0, collapsed : 1 }, {
>>>> mod : 'mod-recherche', hidden :  0, collapsed : 0 }
>>>>
>>>> --1354a526-F--
>>>> HTTP/1.1 403 Forbidden
>>>> Content-Length: 296
>>>> Connection: close
>>>> Content-Type: text/html; charset=iso-8859-1
>>>>
>>>> --1354a526-E--
>>>>
>>>> --1354a526-H--
>>>> Message: Access denied with code 403 (phase 2). Pattern match
>>>> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
>>>> at ARGS:left. [file
>>>> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
>>>> [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly
>>>> Detection Alert - Total # of special characters exceeded"] [data "Matched
>>>> Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0,
>>>> collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0
>>>> }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver
>>>> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
>>>> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>>> Action: Intercepted (phase 2)
>>>> Apache-Handler: proxy-server
>>>> Stopwatch: 1441813719351394 3237 (- - -)
>>>> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592,
>>>> p3=0, p4=0, p5=30, sr=26, sw=0, l=0, gc=0
>>>> Response-Body-Transformed: Dechunked
>>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/);
>>>> OWASP_CRS/2.2.9.
>>>> Server: Apache/2.2.15 (CentOS) DAV/2
>>>> Engine-Mode: "ENABLED"
>>>>
>>>> --1354a526-Z--
>>>>
>>>> How can I safely allow a request like this?
>>>>
>>>> Thanks
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>>>
>>>
>>
>>
>>
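Added example, not from this thread and not code from the ModSecurity or CRS projects: a short Python script that runs the 981173 pattern quoted in the audit log above against the two ways the same widget configuration can reach the WAF. Read as application/x-www-form-urlencoded, each of left and right is one opaque string, so the "four or more special characters" threshold is hit on the first object literal. The same data re-encoded as a real JSON document (the original payload is not valid JSON: unquoted keys, single quotes, no enclosing array) and split into one variable per scalar leaf, the way a JSON body processor exposes it, contains at most two such characters per value, and the rule stays quiet. The leaf names used here (left[0].mod and so on) are an assumption for illustration, not ModSecurity's own naming, and only argument values are checked, while the real rule's target list is wider. One caveat for anyone reproducing this: the JSON request body processor exists in ModSecurity 2.8 and later (built against yajl) and is switched on per request with ctl:requestBodyProcessor=JSON; the Producer line in the log above shows 2.7.3.

```python
"""Why CRS 2.2.9 rule 981173 fires on JSON-looking text inside a form
parameter, and why the same data sent as a real JSON body and parsed into
per-leaf variables would not trigger it.

Added example for this thread; not code from the mailing list or from the
ModSecurity/CRS projects. The regex is the one printed in the audit log.
The JSON flattening approximates what a JSON body processor hands to the
rules (one variable per leaf); the variable names it produces are an
assumption, not ModSecurity's naming.
"""
import json
import re
from urllib.parse import parse_qs

# Rule 981173 pattern as logged: four or more "restricted SQL characters"
# anywhere in a single variable, in any order.
RESTRICTED_SQL_CHARS = re.compile(
    r"([~!@#$%^&*()\-+={}\[\]|:;\"'\u00b4\u2019\u2018`<>].*?){4,}"
)

# Constructed copy of the request body from the post: two form fields, each
# holding a comma-separated list of JavaScript-style object literals. This
# is NOT valid JSON (unquoted keys, single quotes, no enclosing array).
FORM_BODY = (
    "left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, "
    "{ mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, "
    "{ mod : 'mod-graph', hidden : 0, collapsed : 0 }"
    "&right={ mod : 'mod-surveillance-implicit', hidden :  0, collapsed : 0 }, "
    "{ mod : 'mod-dernieres-creations', hidden :  0, collapsed : 0 }, "
    "{ mod : 'mod-service', hidden :  0, collapsed : 1 }, "
    "{ mod : 'mod-recherche', hidden :  0, collapsed : 0 }"
)

# The same configuration re-encoded as a proper JSON document (constructed),
# the shape to send with Content-Type: application/json.
JSON_BODY = json.dumps({
    "left": [
        {"mod": "mod-historique", "hidden": 0, "collapsed": 0},
        {"mod": "mod-cercle-inforisk", "hidden": 0, "collapsed": 0},
        {"mod": "mod-graph", "hidden": 0, "collapsed": 0},
    ],
    "right": [
        {"mod": "mod-surveillance-implicit", "hidden": 0, "collapsed": 0},
        {"mod": "mod-dernieres-creations", "hidden": 0, "collapsed": 0},
        {"mod": "mod-service", "hidden": 0, "collapsed": 1},
        {"mod": "mod-recherche", "hidden": 0, "collapsed": 0},
    ],
})


def form_args(body: str) -> dict:
    """ARGS as the URLENCODED body processor exposes them: each parameter is
    one opaque string, so a whole list of object literals is a single value."""
    return {name: values[0]
            for name, values in parse_qs(body, keep_blank_values=True).items()}


def json_args(body: str) -> dict:
    """ARGS as a JSON body processor exposes them: one variable per scalar
    leaf. Path-style names such as 'left[0].mod' are an assumption here."""
    leaves = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        else:
            leaves[path] = str(node)

    walk(json.loads(body), "")
    return leaves


def rule_981173(args: dict) -> list:
    """Names of the ARGS whose value rule 981173 would match. Only values are
    checked here; the real rule's target list is wider (names, cookies)."""
    return [name for name, value in args.items()
            if RESTRICTED_SQL_CHARS.search(value)]


if __name__ == "__main__":
    print("form-encoded ARGS matched:", rule_981173(form_args(FORM_BODY)))
    print("JSON leaf ARGS matched:   ", rule_981173(json_args(JSON_BODY)))
```

Running it prints ['left', 'right'] for the form-encoded body and [] for the JSON body: same data, same rule, the only difference is whether the WAF sees one blob or fourteen short leaf values.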