Closed luizbiazus closed 6 years ago
This is not the base64 that is triggering the rule, it's the data URL passing base64. Here's what I mean:
https://regex101.com/r/D5ogMf/1
This is blocked because such encoding mechanisms (raw data URLs in parameters) are frequently used to try to bypass WAFs; see the following: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and https://www.paladion.net/blogs/bypass-xss-filters-using-data-uris
To resolve the issue you'll first want to make sure that the image isn't included in a way that can cause XSS; be very careful here, as depending on how it's used this very well could.
Once you are sure that the issue has been solved you can either add an exception for this parameter:
SecRuleUpdateTargetById 941130 !ARGS:json.logo_64
To be even more comfortable, it probably makes sense to decode this value in a separate additional rule using the base64decodeext action into an external var using setvar. Then you can add the new var to processing.
If there are other issues, let me know.
Hi @luizbiazus, at least add a rule to check the ARGS:json.logo_64 header to be a PNG file (and all other formats you support): add a t:base64decode, and the PNG file header is \x89\x50\x4e\x47. If I have time this will be included soon, but for files that are posted not encoded in arguments; however, if you modify 914240 from PR #994 as shown below you get the magic you need to do a partial positive validation and whitelist the affected argument. Here you have a good starting point ;)
#Check if the file type matches the file signature
SecRule ARGS:json.logo_64 "@rx ^data:image/(?:jpeg|jpg|gif|png|bmp|image|ico);base64,(?:\x89\x50\x4e\x47|\xff\xd8\xff(?:\xe1|\xe0|\xfe)|\x47\x49\x46\x38(?:\x37|\x39)\x61|\x42\x4d(?:\xf8\xa9|\x62\x25|\x76\x03)|\x00\x00\x01\x00|\x52\x49\x46\x46)" \
"id:914245,\
phase:2,\
pass,\
log,\
noauditlog,\
msg:'Encoded image type match an image signature, white listing argument',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
t:none,t:base64decode,\
tag:'application-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
rev:'1',\
ver:'OWASP_CRS/3.1.0',\
severity:'NOTICE',\
setvar:'tx.msg=%{rule.msg}',\
ctl:ruleRemoveTargetById=941130;ARGS:json.logo_64"
Good luck; do security, not holes, and post/contribute feedback ;)
Hello Spartantri,
Thanks for the amazing solution. But I've got this issue:
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx-modsecurity/conf/rules/whitelist.conf. Line: 24. Column: 85. Expecting a variable, got: : S}: %{MATCHED_VARS}',\ in /usr/local/nginx-modsecurity/conf/sites-enabled/vhost-api.xxxxxxxxx.com:18
Can you help me?
Hi, after a minor change here it is; it should work for your use case. In my setup I used a more generic argument name (logo) and tested with the curl commands below, and the payload detection works fine.
curl 'http://127.0.0.1:80/x?logo=image/png;base64,iVBORw0KGgoA'
curl 'http://127.0.0.1:80/x' -d 'logo=image/png;base64,iVBORw0KGgoA'
Notice that this rule is loaded before the rule it whitelists, 941130.
#Declared image type followed by base64 whose decoded head matches an image signature; the data: prefix is optional (the audit log shows data:image/png;base64,...) and the base64 class must include + and / (a JPEG starts with /9j/)
SecRule ARGS:json.logo_64 "@rx ^(?:data:)?image/(?:jpeg|jpg|gif|png|bmp|image|ico);base64,([A-Za-z0-9+/]{12})" \
"id:914245,\
phase:2,\
pass,\
capture,\
log,\
noauditlog,\
msg:'Encoded image type match an image signature, white listing argument',\
logdata:'Captured header: %{TX.1}, Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
t:none,\
tag:'application-multi',\
tag:'platform-multi',\
tag:'paranoia-level/2',\
rev:'1',\
ver:'OWASP_CRS/3.1.0',\
severity:'NOTICE',\
chain"
SecRule TX:1 "@rx ^(?:\x89\x50\x4e\x47|\xff\xd8\xff(?:\xe1|\xe0|\xfe)|\x47\x49\x46\x38(?:\x37|\x39)\x61|\x42\x4d(?:\xf8\xa9|\x62\x25|\x76\x03)|\x00\x00\x01\x00|\x52\x49\x46\x46)" \
"t:base64decode,\
setvar:'tx.msg=%{rule.msg}',\
ctl:ruleRemoveTargetById=941130;ARGS:json.logo_64"
Also note that I do not use JSON parsing in this example, so I sent plain POST args, but due to the name of your argument I assume you use JSON parsing.
To test JSON I use: curl 'http://127.0.0.1:80/x' -H 'Content-Type: application/json' -d '{"json":{"logo_64":"image/png;base64,iVBORw0KGgoA"}}'
(or Burp)
Switch to the JSON body processor with this rule:
SecRule REQUEST_HEADERS:Content-Type ^application/json$ "phase:1,id:87,t:lowercase,nolog,pass,ctl:requestBodyProcessor=JSON"
By the way, for help requests use the distribution list; I replied to this just because I'm working on this particular file detection rules PR #1045.
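The same positive validation the chained rule performs, done application-side, as an added example that is not code from this thread or from the CRS project: it accepts the argument with or without the data: prefix, decodes only the 12-character base64 head the way the rule does, and goes one step further than the rule by requiring the declared image type to agree with the signature found. The sample values in the test are constructed from the payload shapes seen in this thread.

```python
import base64
import binascii
import re

# Magic bytes from the chained rule's signature list, keyed by the declared
# image type. The rule accepts any listed signature for any declared type; this
# example also requires the two to agree. The rule's "image" type and its RIFF
# signature have no counterpart and are left out.
JPEG_SIGS = [b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xfe"]
SIGNATURES = {
    "png": [b"\x89PNG"],
    "jpeg": JPEG_SIGS,
    "jpg": JPEG_SIGS,
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM\xf8\xa9", b"BM\x62\x25", b"BM\x76\x03"],
    "ico": [b"\x00\x00\x01\x00"],
}

# Same shape as the rule's first regex: optional "data:" prefix, declared type,
# then exactly 12 base64 characters (9 bytes once decoded). '+' and '/' belong
# in the class: every JPEG starts "/9j/", as the first audit log above shows.
DATA_URL_RE = re.compile(
    r"^(?:data:)?image/(?P<type>jpeg|jpg|gif|png|bmp|ico);base64,"
    r"(?P<head>[A-Za-z0-9+/]{12})"
)


def image_head(value):
    """Return (declared_type, first 9 decoded bytes), or None when the value
    is not shaped like a base64 image data URL. Only the 12-character head is
    decoded, so the cost does not grow with a 150 KB logo."""
    m = DATA_URL_RE.match(value)
    if m is None:
        return None
    try:
        head = base64.b64decode(m.group("head"), validate=True)
    except binascii.Error:
        return None
    return m.group("type"), head


def is_valid_image_data_url(value):
    """True only when the base64 head decodes to a signature of the declared type."""
    parsed = image_head(value)
    if parsed is None:
        return False
    declared, head = parsed
    return any(head.startswith(sig) for sig in SIGNATURES[declared])
```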
Hello spartantri, I've tried and got the same issue... for some reason it seems that it is not setting the variables in this line:
logdata:'Captured header: %{TX.1}, Matched Data: %{TX.0} found within %{MATCHED_VAR_NAMES}: %{MATCHED_VARS}',\
Mar 21 14:23:12 WAF-DDOS-01 nginx[13810]: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx-modsecurity/conf/rules/whitelist.conf. Line: 28. Column: 111. Expecting a variable, got: : S}: %{MATCHED_VARS}',\ in /usr/local/nginx-modsecurity/conf/sites-enabled/vhost-api.xxxxxxxxxxxx.com:18
Mar 21 14:23:12 WAF-DDOS-01 nginx[13810]: nginx: configuration file /usr/local/nginx-modsecurity/conf/nginx.conf test failed
Mar 21 14:23:12 WAF-DDOS-01 systemd[1]: nginx-modsecurity.service: Control process exited, code=exited status=1
That looks like an NGINX modsec engine issue; I use Apache and it works as expected. Try removing the entire logdata line and let me know if that was the problem; it may be a problem with the variable %{MATCHED_VAR_NAMES}. This is not required for the rule to work at all; it is only for having some data output for troubleshooting in the log.
Nginx started without that line but the issue remains...
---rftAxnMu---Z--
---w70oy2gH---A--
[21/Mar/2018:20:53:45 +0000] 152166562577.153305 127.0.0.1 43778 127.0.0.1 4443
---w70oy2gH---B--
POST /api/logo HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
X-Forwarded-Proto: https
Accept: application/json, text/plain, */*
Content-Length: 159504
Connection: close
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjI1NywiaXNzIjoiaHR0cHM6Ly9hcGkucHVsc2FycGF5LmNvbS9hcGkvdXN1YXJpby9sb2dpbiIsImlhdCI6MTUyMTY2NTU5OCwiZXhwIjoxNTIxNjY5MTk4LCJuYmYiOjE1MjE2NjU1OTgsImp0aSI6IjZqTm5XTnRaVndiNzRNdngifQ.R9Px_7nDSJHm7Hsx-v7oboapV0tuiXuLz_Lfea-LB3Y
Host: api.XXXXXXXXXXXX.com
Origin: https://www2.XXXXXXXXX.com
X-Forwarded-For: 186.208.81.157
X-Real-IP: 186.208.81.157
Content-Type: application/json
Referer: https://www2.XXXXXXXX.com/configuracao
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6
---w70oy2gH---D--
---w70oy2gH---F--
HTTP/1.0 200
X-RateLimit-Remaining: 59
Server: nginx/1.13.9
X-RateLimit-Limit: 60
expires: -1
pragma: no-cache
Cache-Control: private, must-revalidate
Connection: close
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Wed, 21 Mar 2018 20:53:46 GMT
Vary: Origin
---w70oy2gH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b' against variable `ARGS:json.logo_64' (Value: `data:image/png;base64,/9j/4AAQSkZJRgABAgEASABIAAD/4SJnRXhpZgAATU0AKgAAAAgABwESAAMAAAABAAEAAAEaAAUAAA (159390 characters omitted)' ) [file "/usr/local/nginx-modsecurity/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "130"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: ;base64 found within ARGS:json.logo_64: data:image/png;base64,(base64 image data omitted)"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "Host: api.XXXXXXXXXXX.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/api/logo"] [unique_id "152166596846.858825"] [ref "o14,7v13,145306t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
---GhzY8Erb---I--
---GhzY8Erb---J--
---9bLkLQvS---A--
[21/Mar/2018:21:00:08 +0000] 152166600841.913440 127.0.0.1 44302 127.0.0.1 4443
---9bLkLQvS---B--
POST /api/logo HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
X-Forwarded-Proto: https
Accept: application/json, text/plain, */*
Content-Length: 145320
Connection: close
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjI1NywiaXNzIjoiaHR0cHM6Ly9hcGkucHVsc2FycGF5LmNvbS9hcGkvdXN1YXJpby9sb2dpbiIsImlhdCI6MTUyMTY2NTU5OCwiZXhwIjoxNTIxNjY5MTk4LCJuYmYiOjE1MjE2NjU1OTgsImp0aSI6IjZqTm5XTnRaVndiNzRNdngifQ.R9Px_7nDSJHm7Hsx-v7oboapV0tuiXuLz_Lfea-LB3Y
Host: api.XXXXXXXXX.com
Origin: https://www2.XXXXXXXXX.com
X-Forwarded-For: 186.208.81.157
X-Real-IP: 186.208.81.157
Content-Type: application/json
Referer: https://www2.XXXXXXXXXXXX.com/configuracao
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6
---9bLkLQvS---D--
---9bLkLQvS---F--
HTTP/1.0 302
Server: nginx/1.13.9
Date: Wed, 21 Mar 2018 21:00:08 GMT
Content-Length: 161
Content-Type: text/html
Connection: close
Location: https://XXXXXXXXXX.bmsoftware.org/public/error/forbidden_2.html
---9bLkLQvS---H--
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator `Rx' with parameter `(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b' against variable `ARGS:json.logo_64' (Value: `data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAv4AAAHTCAYAAABfvxzMAAAWlWlDQ1BJQ0MgUHJvZmlsZQAAWIWVmA (145206 characters omitted)' ) [file "/usr/local/nginx-modsecurity/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "130"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: ;base64 found within ARGS:json.logo_64: data:image/png;base64,(base64 image data omitted)"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "Host: api.XXXXXXXXXXXX.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/api/logo"] [unique_id "152166624999.899350"] [ref "o14,7v13,152474t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
The rule loading order is important; you have reversed the order of the includes (the CRS and this whitelisting rule). Some exceptions are handled before loading the offending rules and some others after. This rule should run before 941130.
I've tried placing the rule right above rule 941130 in the REQUEST-941 file but the issue persists...
---kamIElfo---F--
HTTP/1.0 302
Server: nginx/1.13.9
Date: Thu, 22 Mar 2018 22:30:19 GMT
Content-Length: 161
Content-Type: text/html
Connection: close
Location: https://XXXXXXXXXXXX.org/public/error/forbidden_2.html
---kamIElfo---H--
ModSecurity: Access denied with code 302 (phase 2). Matched "Operator `Rx' with parameter `(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b' against variable `ARGS:json.logo_64' (Value: `data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALYAAABBCAYAAAB8Z16lAAAWlWlDQ1BJQ0MgUHJvZmlsZQAAWIWVmA (28234 characters omitted)' ) [file "/usr/local/nginx-modsecurity/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "150"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: ;base64 found within ARGS:json.logo_64: data:image/png;base64,(base64 image data omitted)"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "Host: api.XXXXXXXXXX.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "127.0.0.1"] [uri "/api/logo"] [unique_id "15217578191.995242"] [ref "o14,7v13,28334t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
The rule may not be executing; check the error log to confirm. If it is not, ARGS:json.logo_64 in the request is not exactly image/png;base64,base64stuff. Could you add log part C so the full payload you send appears in the log, not only the headers? It is possible that you have an encoding, and if that is the case the rule will need a transform to decode the payload.
Another simple approach to make it work blindly, without checking what is inside the argument, is using, after the CRS rules:
SecRuleUpdateTargetById 941130 !ARGS:json.logo_64
Can I use your REQUEST-914-FILE-DECTION.conf instead of doing it?
As it is, 914 is generic, so you may have to add your specific argument name to the inspections or set up the location.
In that case you may also use the rule below to add your content to whatever rule matches your need (replace the ??? with the rule id):
SecRuleUpdateTargetById 914??? ARGS:json.logo_64
Hi, I am using ModSecurity at the nginx level and now I need to whitelist some special characters; can anyone help me with this? Thank you.
Hi @GRB099, this is the wrong place to ask for help. But you may want to look into the tutorial at https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/ to figure it out yourself.
The rules are catching simple base64 uploads; isn't it supposed to work without whitelist rules?