Merge pull request #1507 from na1ex/patch-1

lifeforms · web-flow · commit 8a7ca62d484f · 2019-08-24T18:37:58.000+02:00
920275: request header Sec-Fetch-User uses '?'
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1393,7 +1393,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
 #
 # This is a stricter sibling of 920270.
 #
-SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
+SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
     "id:920274,\
     phase:2,\
     block,\
@@ -1411,6 +1411,28 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     severity:'CRITICAL',\
     setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
+#
+# This is a stricter sibling of 920270.
+# The 'Sec-Fetch-User' header may contain the '?' (63) character.
+# Therefore we exclude this header from rule 920274 which forbids '?'.
+# https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
+#
+SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \
+    "id:920275,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request headers (outside of very strict set)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
+    tag:'paranoia-level/4',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
 # -=[ Abnormal Character Escapes ]=-
 #
