search

SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0
2.44k stars 725 forks source link

Password Scrubbing within the libinjection rule #1747

Closed a-zb closed 4 years ago

a-zb commented 4 years ago

Describe the bug

Sanitization of passwords does not seem to work. Password is recorded in audit log when caught by owasp CRS 3.2 libinjection rule.

Libinjection CRS rule has an output format that outputs the VAR name and values, and mod_sec module does not sanitize it, please see this log output. The rule can be triggered by putting in a character sequence of !@# within the password. How do we prevent showing these values within the H section:

configuration We have following config as an example

SecAction "nolog,auditlog,phase:2,id:131,sanitiseArg:password" SecRule ARGS "password" "phase:1,log,deny,id:119,t:removeNulls,t:lowercase,multiMatch" SecRule REQUEST_URI "@beginswith /apply/" "phase:5,nolog,auditlog,id:10004,ctl:ruleRemoveTargetById=942100;ARGS:password"

Logs and dumps

The audit log masks some of the arguments: --40105004-C-- login=USER&password=****&submitButton=Log+In&csrf=0762a687ea5b99774b6dd3194576f184 --40105004-F-- HTTP/1.1 303 See Other X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN

--40105004-H-- Message: Unconditional match in SecAction. [file "/etc/httpd/conf.d/mod_security.conf"] [line "5"] [id "131"] Message: detected SQLi using libinjection with fingerprint 'novc' [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: novc found within ARGS:password: Pass555!@#"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Message: String match "/apply/" at REQUEST_URI. [file "/etc/httpd/conf.d/mod_security.conf"] [line "12"] [id "10004"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.168.0.16] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "host"] [uri "/apply/toolset/en_CA/user/login"] [unique_id "Xqchg5Xdaqirl7Fz7LwtvwAAAME"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.168.0.16] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "host"] [uri "/user/login"] [unique_id "Xqchg5Xdaqirl7Fz7LwtvwAAAME"] Apache-Handler: proxy-server Stopwatch: 1588011395366437 46766 (- - -) Stopwatch2: 1588011395366437 46766; combined=5048, p1=391, p2=4297, p3=37, p4=153, p5=169, sr=16, sw=1, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0. Server: Apache/2.4.6 () OpenSSL/1.0.2k-fips Sanitised-Args: "password". Engine-Mode: "DETECTION_ONLY"

dune73 commented 4 years ago

I feel your pain @arekzb, but this is unfortunately a ModSecurity limitation and nothing we can control.

Likewise: It's also in your error-log.