Some configurations of coraza.conf-recommended do not work

sky9090 commented 2 years ago

Hi,

I did some tests on the settings in the coraza.conf-recommended file and included this file in the Coraza-Server config.yml file, but some configurations don't work. Please have a took and give me some advice.

coraza-server config.yml

log_level: debug
agents:
-
transactions_active_limit: 100000
transaction_ttl: 3
bind: 0.0.0.0:9000
protocol: spoa
include:
  - ./docs/coraza.conf-recommended
  - ./coreruleset/crs-setup.conf
  - ./coreruleset/rules/*.conf

Case1: set SecRequestBodyAccess to Off but it still check the request_body info and block the offend traffic

set coraza.conf-recommended file

# vi coraza.conf-recommended
SecRuleEngine On
SecRequestBodyAccess Off

SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts BCFGHIJK

execute curl

# curl localhost -X POST -d "var=%0aPOST / HTTP/1.0" -i
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

check audit.log

--bC7RhsM9Q7-A--
[2022/01/10 08:56:59] c1be0623-d563-4dd2-b309-6a279265f9a5 127.0.0.1 0  0
--bC7RhsM9Q7-B--
POST / 1.1
host: localhost
user-agent: curl/7.61.1
accept: */*
content-length: 22
content-type: application/x-www-form-urlencoded

--bC7RhsM9Q7-C--
var=%0aPOST / HTTP/1.0
--bC7RhsM9Q7-E--

--bC7RhsM9Q7-F--

--bC7RhsM9Q7-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--bC7RhsM9Q7-K--
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:949110,phase:2,deny,t:none,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-generic',ver:'OWASP_CRS/3.4.0-dev',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

--bC7RhsM9Q7-Z--

Case2: Enable XML request body parser but cannot find the log showing it working properly

set coraza.conf-recommended file

# vi coraza.conf-recommended
SecRuleEngine On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,ctl:requestBodyProcessor=XML"

SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts BCFGHIJK

execute curl

# curl localhost  -H "Content-Type: text/xml" -i
HTTP/1.1 200 OK
server: nginx/1.14.1
date: Mon, 10 Jan 2022 09:51:31 GMT
content-type: text/html
content-length: 612
last-modified: Mon, 10 Jan 2022 07:24:43 GMT
etag: "61dbdf3b-264"
accept-ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

check audit.log

--gZHBSNbRws-A--
[2022/01/10 09:51:31] 127b000a-bce5-4d65-bf58-62c1ef515549 127.0.0.1 0  0
--gZHBSNbRws-B--
GET / 1.1
accept: */*
content-type: text/xml
host: localhost
user-agent: curl/7.61.1

--gZHBSNbRws-C--

--gZHBSNbRws-E--

--gZHBSNbRws-F--

--gZHBSNbRws-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--gZHBSNbRws-K--

--gZHBSNbRws-Z--

Case3: Enable JSON request body parser but cannot find the log showing it working properly

set coraza.conf-recommended file

vi coraza.conf-recommended
SecRuleEngine On
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,ctl:requestBodyProcessor=JSON"

SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts BCFGHIJK

execute curl

# curl localhost  -H "Content-Type: application/json" -i
HTTP/1.1 200 OK
server: nginx/1.14.1
date: Mon, 10 Jan 2022 09:57:23 GMT
content-type: text/html
content-length: 612
last-modified: Mon, 10 Jan 2022 07:24:43 GMT
etag: "61dbdf3b-264"
accept-ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

check audit.log

--jlU2e99SUD-A--
[2022/01/10 09:57:23] 5e4922b0-57cb-4dfc-97ed-c6e6466ce5cd 127.0.0.1 0  0
--jlU2e99SUD-B--
GET / 1.1
user-agent: curl/7.61.1
accept: */*
content-type: application/json
host: localhost

--jlU2e99SUD-C--

--jlU2e99SUD-E--

--jlU2e99SUD-F--

--jlU2e99SUD-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--jlU2e99SUD-K--

--jlU2e99SUD-Z--

Case4: The size of request_body is greater than SecRequestBodyLimit, but it still check the request_body info and block the offend traffic.

set coraza.conf-recommended file

vi coraza.conf-recommended
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 5
SecRequestBodyLimitAction ProcessPartial

execute curl

# curl localhost -X POST -d "var=%0aPOST / HTTP/1.0" -i
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

check audit.log

--TCTLRGVCzb-A--
[2022/01/10 13:12:57] 3521664b-5cf4-4c78-b066-1f2d0c428fd7 127.0.0.1 0  0
--TCTLRGVCzb-B--
POST / 1.1
host: localhost
user-agent: curl/7.61.1
accept: */*
content-length: 22
content-type: application/x-www-form-urlencoded

--TCTLRGVCzb-C--
var=%0aPOST / HTTP/1.0
--TCTLRGVCzb-E--

--TCTLRGVCzb-F--

--TCTLRGVCzb-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--TCTLRGVCzb-K--
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:949110,phase:2,deny,t:none,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-generic',ver:'OWASP_CRS/3.4.0-dev',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

--TCTLRGVCzb-Z--

Case5: Set the response_body mimeType in or not in the list of SecResponseBodyMimeType, but find the test result is the same. When the response_body mimeType in the list, the offened traffic should be blocked as reponse_body contains the info that in the web-shells-php.data file.

SecResponseBodyMimeType

set coraza.conf-recommended

vi coraza.conf-recommended
SecRuleEngine On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml

SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts BCFGHIJK

execute curl (reponse MIME type application/json vs. text/plain)

# curl localhost -i
HTTP/1.1 200 OK
server: nginx/1.14.1
date: Mon, 10 Jan 2022 11:49:08 GMT
content-type: application/json
content-length: 77
last-modified: Mon, 10 Jan 2022 11:45:49 GMT
etag: "61dc1c6d-4d"
accept-ranges: bytes

{
"msg": "PHPShell by MAX666, Private Exploit, For Server Hacking"
}

# curl localhost -i
HTTP/1.1 200 OK
server: nginx/1.14.1
date: Mon, 10 Jan 2022 11:54:57 GMT
content-type: text/plain
content-length: 77
last-modified: Mon, 10 Jan 2022 11:45:49 GMT
etag: "61dc1c6d-4d"
accept-ranges: bytes

{
"msg": "PHPShell by MAX666, Private Exploit, For Server Hacking"
}

check audit.log (reponse MIME type application/json vs. text/plain)

--H4QVMq1QB0-A--
[2022/01/10 11:49:08] d3f601b5-a7e9-4e5d-bee5-b47b6ba9d32c 127.0.0.1 0  0
--H4QVMq1QB0-B--
GET / 1.1
host: localhost
user-agent: curl/7.61.1
accept: */*

--H4QVMq1QB0-C--

--H4QVMq1QB0-E--

--H4QVMq1QB0-F--

--H4QVMq1QB0-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--H4QVMq1QB0-K--

--H4QVMq1QB0-Z--

--YSqcGXOk4w-A--
[2022/01/10 11:54:57] 154a6639-84ba-4782-b95d-dd128f878bc4 127.0.0.1 0  0
--YSqcGXOk4w-B--
GET / 1.1
user-agent: curl/7.61.1
accept: */*
host: localhost

--YSqcGXOk4w-C--

--YSqcGXOk4w-E--

--YSqcGXOk4w-F--

--YSqcGXOk4w-H--
Stopwatch: 
Response-Body-Transformed: 
Producer: 
Server: 
--YSqcGXOk4w-K--

--YSqcGXOk4w-Z--

jptosso commented 2 years ago

Hey! Thank you for you interest in Coraza, coraza-server is an experimental project and it requires a lot of testing, so your feedback is valuable. I have updated coraza-server to the latest coraza version, could you try with the last commit? It contains many fixes.

About the body size enforcing and mimes, it is handled by coraza-waf and not coraza-server, so I will review that and keep you posted.

ShiMing-Q commented 2 years ago

For case2, I changed the rule below and got the auditlog successfully

SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" "id:'200000', phase:1, log, auditlog, deny, status:403, ctl:requestBodyProcessor=XML"

sky9090 commented 2 years ago

Thank you @jptosso @ShiMing-Q, I will recheck the test results according to your advice.

ShiMing-Q commented 2 years ago

https://github.com/jptosso/coraza-waf/pull/142 this may fix the case 1 and case 4. @sky9090

ShiMing-Q commented 2 years ago

Working on the fix for case 5

ShiMing-Q commented 2 years ago

https://github.com/jptosso/coraza-server/pull/4, this will fix for case 5

sky9090 commented 2 years ago

Thanks @ShiMing-Q @jptosso , I have rechecked these five issues and they have all passed now.

Also, I found that the current default value for SecResponseBodyAccess is Off, and the version of the Coraza-waf package included in go.mod is not the latest one, I manually updated the version in my local to recheck the test.

corazawaf / coraza

Some configurations of coraza.conf-recommended do not work #141