Open jeremyjpj0916 opened 4 years ago
Seems many CRS rules rely on keywords without considering the context. See below XML sample that just has the word select trigger two blocking rules:
[25/Mar/2020:23:35:05 +0000] 158517930530.743426 10.94.145.56 0 10.128.92.228 8443---kEH6JnYf---B--POST /F5/status HTTP/1.1content-length: 73accept-encoding: gzip, deflatecookie: a059ce45e82c5cab86ab7ac96d4463f7=14e07a82a885a3ca7799c5efc441fc2b; 4232c4f06959cd0cb3a6baf6ea4e6b5f=1106bd9b4cebdab8bb61eba98afc3b11 Accept: */*cache-control: no-cachePostman-Token: af909ee0-f2e7-4c80-a862-9e6b68b55836Host: gateway-dev-core-ctc.optum.comAuthorization: Bearer Y9AH6cbxUkDIcwxEfzeUDv2ukRzDME8WUser-Agent: PostmanRuntime/7.6.1 Content-Type: application/xmlConnection: keep-aliveX-Forwarded-For: 10.94.145.56 ---kEH6JnYf---C-- <xml> <QuestionText>select the decision to be taken</QuestionText> </xml> ---kEH6JnYf---D-- ---kEH6JnYf---E-- <html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a ---kEH6JnYf---H-- ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "279"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7"] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nversi (1029 characters omitted)' against variable `XML:/*' (Value: `\x0aselect the decision to be taken\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "450"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: \x0aselect found within XML:/*: \x0aselect the decision to be taken\x0a"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"][tag "PCI/6.5.2"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref "o0,7t:urlDecodeUni"] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.128.92.228"] [uri "/F5/status"] [unique_id "158517930530.743426"] [ref ""] ---kEH6JnYf---J--
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Description
Seems many CRS rules rely on keywords without considering the context. See below XML sample that just has the word select trigger two blocking rules:
Audit Logs / Triggered Rule Numbers
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.