This repository was archived by the owner on May 14, 2020. It is now read-only.
Easy to trigger these rule id blocks just with keywords [932115, 942360] #1725
Description
Seems many CRS rules rely on keywords without considering the context. See the XML sample below, which just has the word select, trigger two blocking rules:
Audit Logs / Triggered Rule Numbers
[25/Mar/2020:23:35:05 +0000] 158517930530.743426 10.94.145.56 0 10.128.92.228 8443
---kEH6JnYf---B--
POST /F5/status HTTP/1.1
content-length: 73
accept-encoding: gzip, deflate
cookie: a059ce45e82c5cab86ab7ac96d4463f7=14e07a82a885a3ca7799c5efc441fc2b; 4232c4f06959cd0cb3a6baf6ea4e6b5f=1106bd9b4cebdab8bb61eba98afc3b11
Accept: */*
cache-control: no-cache
Postman-Token: af909ee0-f2e7-4c80-a862-9e6b68b55836
Host: gateway-dev-core-ctc.optum.com
Authorization: Bearer Y9AH6cbxUkDIcwxEfzeUDv2ukRzDME8W
User-Agent: PostmanRuntime/7.6.1
Content-Type: application/xml
Connection: keep-alive
X-Forwarded-For: 10.94.145.56
---kEH6JnYf---C--
<xml>
<QuestionText>select the decision to be taken</QuestionText>
</xml>
---kEH6JnYf---D--
---kEH6JnYf---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a
---kEH6JnYf---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "279"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversi (1029 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "450"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"][tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref ""]
---kEH6JnYf---J--
Your Environment
- CRS version (e.g., v3.2.0): CRS 3.2/master
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 3.0.4
- Web Server and version (e.g., apache 2.4.41): nginx
- Operating System and version: alpine linux
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
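The audit log explains the trigger: both matches report `\x0aselect` inside `XML:/*`, whose value is `\x0aselect the decision to be taken\x0a`. `XML:/*` is the string value of the root element, so the whitespace text nodes between `<xml>` and `<QuestionText>` end up concatenated onto the question text, and that leading newline satisfies the command-separator alternation of 932115 and the `^[\W\d]+` prefix of 942360. The following script is an added example, not code from the issue or from the CRS project; it reproduces the string-value concatenation with Python's ElementTree and uses deliberately simplified stand-ins for the two patterns (only the separator and anchor logic plus the keywords visible in the issue, `select` and `alter`; the real rules carry much longer keyword lists). Both the compact XML document and the pattern names are constructed for the comparison.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Pattern

# The request body from the issue, with the line breaks it was sent with.
PRETTY_XML = "<xml>\n<QuestionText>select the decision to be taken</QuestionText>\n</xml>"
# Constructed for comparison: same document without whitespace between elements.
COMPACT_XML = "<xml><QuestionText>select the decision to be taken</QuestionText></xml>"

# Simplified stand-ins (assumption: not the real CRS 3.2.0 expressions, whose
# keyword lists run to thousands of characters; the separator / anchor logic and
# the keywords seen in the issue are all that is reproduced here).
# 932115: a command separator (including a bare newline or CR), optional
# whitespace, then a command keyword.
RCE_WIN_SIMPLIFIED: Pattern[str] = re.compile(
    r"(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*(?:select)\b"
)
# 942360: start of the value, one or more non-word characters or digits,
# then an SQL keyword.
SQLI_CONCAT_SIMPLIFIED: Pattern[str] = re.compile(
    r"(?i)^[\W\d]+\s*?(?:alter|select)\b"
)


def xml_root_string_value(document: str) -> str:
    """Return what the XML:/* target sees: the string value of the root element,
    i.e. every descendant text node concatenated, whitespace-only nodes included."""
    root = ET.fromstring(document)
    return "".join(root.itertext())


def _matched_data(pattern: Pattern[str], value: str) -> Optional[str]:
    """Return the matched substring (what ModSecurity logs as 'Matched Data') or None."""
    match = pattern.search(value)
    return match.group(0) if match else None


def triggered_rules(value: str) -> Dict[str, Optional[str]]:
    """Map each simplified rule id to the data it matched in `value`, or None."""
    return {
        "932115": _matched_data(RCE_WIN_SIMPLIFIED, value),
        "942360": _matched_data(SQLI_CONCAT_SIMPLIFIED, value),
    }


if __name__ == "__main__":
    for label, document in (("pretty-printed", PRETTY_XML), ("compact", COMPACT_XML)):
        value = xml_root_string_value(document)
        print(f"{label}: XML:/* = {value!r}")
        for rule_id, data in triggered_rules(value).items():
            print(f"  {rule_id}: {'match ' + repr(data) if data else 'no match'}")
```

Running it shows the pretty-printed body producing the value `'\nselect the decision to be taken\n'` and both stand-in rules matching `'\nselect'`, exactly the `Matched Data` in the log, while the compact body yields `'select the decision to be taken'` and matches neither: the keyword alone is not what fires, the element formatting in front of it is. When triaging this kind of false positive, comparing the logged `XML:/*` value against the raw body in part C of the audit log is the quickest way to see whether layout whitespace or a real separator character supplied the match.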