SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Rule 941120 Processing time is too long #1665

Open sunskyyao opened 4 years ago

sunskyyao commented 4 years ago

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/ "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]?=" \
    "id:941120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 2: Event Handler Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Type of Issue: rule processing takes too long

Description: Posting a request body of more than 1M (the content of the request body exceeds 1M) makes CRS processing time out. The rule id is 941120. The data is submitted as a form: the content of the file is submitted through the input box, not as a file upload. Attachment: 1M.txt

e.g.:

Your Environment
nginx
CRS version (e.g. v3.2.0):
ModSecurity version (e.g. 3.2):

airween commented 4 years ago

Hi @sunskyyao,

thanks for the report.

Could you tell us your ModSecurity version exactly? There isn't any release with version 3.2. If your HTTP server is Nginx, then it could be libmodsecurity3 with version 3.0.[01234], or mod_security2.

Also we need the variables from your modsecurity config with these names: grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" /path/to/your/modsecurity.conf

Thanks.

sunskyyao commented 4 years ago

Test environment:
modsecurity: 3.0.4
CRS: OWASP_CRS/3.2.0
server: nginx

test web: html.zip

modsecurity.conf

modsecurity.conf.txt

root@liangay-virtual-machine:/usr/local/nginx/conf# grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" modsecurity.conf
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

gdb trace thread

trace

It is suspected that the regular expression of this rule causes PCRE processing to time out. The problem may be PCRE or the rule.

airween commented 4 years ago

Hi @sunskyyao,

Thanks for the additional details. The issue is still under investigation, please be patient.

dune73 commented 4 years ago

We talked about this a great deal during (or rather after) our monthly chat.

@dune73 (thus me) came up with a simpler variant of this rule that should kill the performance / DoS problems and still match the same payloads.

"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]on(load|...|...)[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"

@airween is going to test this and provide a PR if it works. If not, we need to continue our discussion.

Meeting minutes: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1671#issuecomment-584320407
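The slowdown described in the opening report and the rewrite proposed in the comment above can be reproduced side by side. The script below is an added example and is not code from the CRS project or from anyone in this thread. It runs the regex of rule 941120 exactly as posted at the top of the issue, and dune73's variant with the elided event-handler alternation filled in with an assumed list (load|error|click|mouseover|focus|blur|keydown), against constructed XSS payloads and against a constructed body that consists only of digits. Every digit is a member of the rule's leading character class, so at each start position the original `[...]+` first swallows the rest of the body and then gives back one character at a time looking for `on`; the total work grows with the square of the body length. The proposed variant consumes exactly one class character per start position and stays linear. Python's re engine backtracks the same way PCRE does on these patterns, so the shape of the result carries over even though the absolute times do not.

```python
"""Added example (not CRS project code): quadratic backtracking in the
941120 regex on a large benign body, versus the single-prefix-character
variant proposed in the thread."""
import re
import time

# Regex of rule 941120 exactly as posted in this issue (CRS 3.2.0).
RULE_941120 = re.compile(
    r"""(?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+"""
    r"""[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]?="""
)

# dune73's proposed variant. The handler alternation is elided ("...") in the
# thread; the list below is an assumption, used only to make the regex runnable.
PROPOSED = re.compile(
    r"""(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]"""
    r"""on(load|error|click|mouseover|focus|blur|keydown)"""
    r"""[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"""
)

# Constructed sample inputs (not taken from the issue's attachments).
ATTACK_PAYLOADS = [
    '<img src=x onerror=alert(1)>',
    '<body onload = alert(1)>',
    '<div onclick="alert(1)">',
    '1 onmouseover=alert(1)',
]
BENIGN_PAYLOADS = [
    'once upon a time',          # "on" is never preceded by a class character
    '0123456789' * 10,           # all class characters, no "on" at all
]


def benign_body(n):
    """A body of n digits. Each digit is in the leading class of 941120 but
    the body never contains "on", so the original regex must backtrack over
    the whole remaining run at every start position (O(n^2) overall)."""
    return '0123456789' * (n // 10)


def scan(regex, body):
    """Return (matched, seconds) for one search over body."""
    t0 = time.perf_counter()
    matched = regex.search(body) is not None
    return matched, time.perf_counter() - t0


def compare(n):
    """Time both regexes on an n-digit benign body."""
    body = benign_body(n)
    orig_hit, orig_s = scan(RULE_941120, body)
    new_hit, new_s = scan(PROPOSED, body)
    return {"n": n, "orig_hit": orig_hit, "orig_s": orig_s,
            "new_hit": new_hit, "new_s": new_s}


def matches_all(regex, payloads):
    """True if regex fires on every payload in the list."""
    return all(regex.search(p) is not None for p in payloads)


if __name__ == "__main__":
    for name, rx in (("941120", RULE_941120), ("proposed", PROPOSED)):
        print(name, "detects all attack payloads:", matches_all(rx, ATTACK_PAYLOADS),
              "/ clean on benign:", not any(rx.search(p) for p in BENIGN_PAYLOADS))
    # Doubling n roughly quadruples the original's time and doubles the proposal's.
    for n in (1000, 2000, 4000):
        r = compare(n)
        print(f"n={r['n']:5d}  941120: {r['orig_s']:.4f}s  proposed: {r['new_s']:.6f}s")
```

Running the script shows the original regex spending hundreds of milliseconds on a body of only a few thousand digits, with the time quadrupling each time the body doubles, while the proposed variant finishes in microseconds. Scaled to the 1M body from the report, the original pattern is the timeout the reporter observed, independent of which PCRE build is in use.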

dune73 commented 4 years ago

@airween : Do you have any update on your test with this rule?

airween commented 4 years ago

With @theMiddleBlue we're still working on this issue. Needs more time to finish.