Open sunskyyao opened 4 years ago
Hi @sunskyyao,
thanks for the report.
Could you tell us your ModSecurity version exactly? There isn't any release with version 3.2. If your HTTP server is Nginx, then it could be libmodsecurity3 with version 3.0.[01234], or mod_security2.
Also we need the variables from your modsecurity config with these names:
grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" /path/to/your/modsecurity.conf
Thanks.
Test environment: modsecurity: 3.0.4 CRS : OWASP_CRS/3.2.0 server: nginx
test web: html.zip
modsecurity.conf
root@liangay-virtual-machine:/usr/local/nginx/conf# grep -w "(SecRequestBodyLimit|SecRequestBodyNoFilesLimit)" modsecurity.conf SecRequestBodyLimit 13107200 SecRequestBodyNoFilesLimit 131072
gdb trace thead
It is suspected that the regular expression of this rule caused pcre processing to time out. The problem may be PCRE or the rule.
Hi @sunskyyao,
thanks for more details. The issue is still under investigating, please be patient.
We talked about this a big deal during (or rather after) our monthly chat.
@dune73 (thus me) came up with a simpler variant of this rule that should kill the performance / DoS problems and still match the same payloads.
"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]on(load|...|...)[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"
@airween is going to test this and provide a PR if it works. If not, we need to continue our discussion.
Meeting minutes: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1671#issuecomment-584320407
@airween : Do you have any update on your test with this rule?
With @theMiddleBlue we're still working on this issue. Needs more time to finish.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/ "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]?=" \ "id:941120,\ phase:2,\ block,\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ msg:'XSS Filter - Category 2: Event Handler Vector',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ tag:'OWASP_CRS',\ tag:'OWASP_CRS/WEB_ATTACK/XSS',\ tag:'WASCTC/WASC-8',\ tag:'WASCTC/WASC-22',\ tag:'OWASP_TOP_10/A3',\ tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ ver:'OWASP_CRS/3.2.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
Type of Issue Rule processing takes longer
Description Post more than 1M request body,The content of request body exceeds 1M, crs processing timeout. rule id is 941120. Form data submit.The content of the file is submitted through the input box, not through the file. 1M.txt
Your Environment nginx CRS version (e.g. v3.2.0): ModSecurity version (e.g. 3.2):