corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Duplicate modsecurity fields in caddy logs #32

Open Barnoux opened 2 years ago

Barnoux commented 2 years ago

Hello,

First, thanks a lot for your work on this project, it is very nice. I found that some fields in the log from coraza are duplicated; see the log below from when I tested an SQL injection.

{"level":"error","ts":1668631193.1862295,"logger":"http.handlers.waf","msg":"[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack: SQL Boolean-based attack detected [file \"/ruleset/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942130\"] [rev \"\"] [msg \"SQL Injection Attack: SQL Boolean-based attack detected\"] [data \"Matched Data:  1=1 found within ARGS:q: '1 OR 1=1\\\"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [tag \"paranoia-level/2\"] [hostname \"\"] [uri \"/?q=%271%20OR%201=1%22\"] [unique_id \"VLS1AeezUlAFnWQyFd2\"]\n[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack: SQL Boolean-based attack detected [file \"/ruleset/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"0\"] [id \"942130\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/66\"] [tag \"PCI/6.5.2\"] [tag \"paranoia-level/2\"] [hostname \"\"] [uri \"/?q=%271%20OR%201=1%22\"] [unique_id \"VLS1AeezUlAFnWQyFd2\"]\n"}

If you beautify it:

{"level":"error","ts":1668631193.1862295,"logger":"http.handlers.waf","msg":"[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack: SQL Boolean-based attack detected [file \"/ruleset/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"]
[line \"0\"]
[id \"942130\"]
[rev \"\"]
[msg \"SQL Injection Attack: SQL Boolean-based attack detected\"]
[data \"Matched Data:  1=1 found within ARGS:q: '1 OR 1=1\\\"\"]
[severity \"critical\"]
[ver \"OWASP_CRS/4.0.0-rc1\"]
[maturity \"0\"]
[accuracy \"0\"]
[tag \"application-multi\"]
[tag \"language-multi\"]
[tag \"platform-multi\"]
[tag \"attack-sqli\"]
[tag \"OWASP_CRS\"]
[tag \"capec/1000/152/248/66\"]
[tag \"PCI/6.5.2\"]
[tag \"paranoia-level/2\"]
[hostname \"\"]
[uri \"/?q=%271%20OR%201=1%22\"] #After unique_id this is exactly the same.
[unique_id \"VLS1AeezUlAFnWQyFd2\"]\n[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack: SQL Boolean-based attack detected [file \"/ruleset/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"]
[line \"0\"]
[id \"942130\"]
[rev \"\"]
[msg \"\"]
[data \"\"]
[severity \"critical\"]
[ver \"OWASP_CRS/4.0.0-rc1\"]
[maturity \"0\"]
[accuracy \"0\"]
[tag \"application-multi\"]
[tag \"language-multi\"]
[tag \"platform-multi\"]
[tag \"attack-sqli\"]
[tag \"OWASP_CRS\"]
[tag \"capec/1000/152/248/66\"]
[tag \"PCI/6.5.2\"]
[tag \"paranoia-level/2\"]
[hostname \"\"]
[uri \"/?q=%271%20OR%201=1%22\"]
[unique_id \"VLS1AeezUlAFnWQyFd2\"]\n"}

We can see that there is duplication. Is it just me, or...?

Regards,

BBA
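A small triage helper, added here as an example and not code from coraza-caddy or from the issue: it parses the JSON entry's msg field into the bracketed ModSecurity-style fields (handling the escaped quote inside data), and collapses the repeated alert line by unique_id and rule id so a log pipeline counts one alert per rule hit. The sample entry is constructed from the one above, with most fields trimmed.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Constructed sample shaped like the Caddy entry in the issue (fields trimmed): the
// "msg" string carries the same alert twice, the second copy with empty msg/data.
const sampleEntry = `{"level":"error","logger":"http.handlers.waf","msg":"[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack [id \"942130\"] [msg \"SQL Injection Attack: SQL Boolean-based attack detected\"] [data \"Matched Data:  1=1 found within ARGS:q: '1 OR 1=1\\\"\"] [severity \"critical\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS\"] [uri \"/?q=%271%20OR%201=1%22\"] [unique_id \"VLS1AeezUlAFnWQyFd2\"]\n[client \"192.168.1.1\"] Coraza: Warning. SQL Injection Attack [id \"942130\"] [msg \"\"] [data \"\"] [severity \"critical\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS\"] [uri \"/?q=%271%20OR%201=1%22\"] [unique_id \"VLS1AeezUlAFnWQyFd2\"]\n"}`

// Alert holds the bracketed [key "value"] fields of one ModSecurity-style line.
type Alert map[string]string
// Values may contain escaped quotes (\"), as the data field above does.
var fieldRe = regexp.MustCompile(`\[(\w+) "((?:[^"\\]|\\.)*)"\]`)

// parseAlertLine extracts the fields; repeated keys such as tag are joined with ",".
func parseAlertLine(line string) Alert {
	a := Alert{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		key, val := m[1], strings.ReplaceAll(m[2], `\"`, `"`)
		if prev, ok := a[key]; ok {
			val = prev + "," + val
		}
		a[key] = val
	}
	return a
}

// DedupeAlerts parses one Caddy JSON log entry and collapses repeated alert lines
// (same unique_id and rule id), keeping the copy that carries msg/data.
func DedupeAlerts(entry string) ([]Alert, int, error) {
	var rec struct{ Msg string } // encoding/json matches "msg" case-insensitively
	if err := json.Unmarshal([]byte(entry), &rec); err != nil {
		return nil, 0, err
	}
	seen := map[string]int{} // unique_id/id -> index in out
	out, dropped := []Alert{}, 0
	for _, line := range strings.Split(strings.TrimSpace(rec.Msg), "\n") {
		a := parseAlertLine(line)
		key := a["unique_id"] + "/" + a["id"]
		if i, ok := seen[key]; ok {
			dropped++
			if out[i]["msg"] == "" && a["msg"] != "" {
				out[i] = a // prefer the copy with the rule message and matched data
			}
			continue
		}
		seen[key] = len(out)
		out = append(out, a)
	}
	return out, dropped, nil
}
```

Running it on the constructed entry keeps one alert for rule 942130 and reports one duplicate dropped.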

jptosso commented 1 year ago

Please validate if https://github.com/corazawaf/coraza-caddy/releases/tag/v1.2.2 fixes this

Barnoux commented 1 year ago

Hello, it doesn't fix it. I'm still having the same issue.

Barnoux commented 1 year ago

From another question that I have on the wiki conversation of coraza: https://github.com/corazawaf/coraza/discussions/662, I got the same issue: duplicate modsecurity fields in caddy logs.