corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0

Unable to read variables in the audit/error.log #847

Open dextermallo opened 1 year ago

dextermallo commented 1 year ago

Description

I am doing some experiments on Coraza and found something different from ModSec. When I tried to read from the debug/debug logs, ModSec will interpret variables (e.g., ), whereas Coraza does not. For example, in ModSec 2/3:

2023/07/10 10:41:42 [info] 96#96: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `62' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 62)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "172.18.0.3"] [uri "/"] [unique_id "168898570219.399093"] [ref ""], client: 172.18.0.1, server: localhost, request: "HEAD /?param="> HTTP/1.1", host: "localhost"

But in Coraza, none of the variables shows its value:

2023/07/11 12:53:56 [DEBUG] Parsing directive line="SecAction \"id:980170,phase:5,pass,t:none,noauditlog,msg:'Anomaly Scores: (Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - (Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',tag:'reporting',ver:'OWASP_CRS/4.0.0-rc1'\""

Log configurations:

SecDebugLogLevel 9
SecDebugLog "./debug.log"
SecAuditLog "./audit.log"
SecAuditEngine RelevantOnly
SecAuditEngine On
SecAuditLogParts ABCHIJKZ
SecAuditLogFormat JSON
SecAuditLogType Serial

I also checked the doc and wrote separate rules to test, and it seems I cannot retrieve any tx value from Coraza in audit/error.log. In brief, I can get variables in the error/audit logs from ModSec, whereas neither log gets the variables in Coraza.

Steps to reproduce

Start ModSec v2.9 / v3 (using docker-crs) and run the following request. Next, run it against Coraza.

curl -I 'http://localhost/?param="><script>alert(1);</script>' --insecure

Expected result

The log should display the variable tx.variable.

Actual result

In the Coraza logs (audit/error), the variable tx cannot be interpolated.

dextermallo commented 1 year ago

Did another test, and I can see it in the terminal using the example code, where

import "fmt"
import "github.com/corazawaf/coraza/v3/types"

// Error callback from the example http-server: prints the formatted error-log line of the matched rule.
func logError(mr types.MatchedRule) {
    msg := mr.ErrorLog()
    fmt.Printf("[logError][%s] %s", mr.Rule().Severity(), msg)
}
M4tteoP commented 1 year ago

Hey @dextermallo! Thanks for the report! So, if I have understood correctly, the variables in both debug.log and audit.log are not expanded into their actual values, but they are in the error logs? Have all your experiments been conducted with the example http-server, or have you used a connector like coraza-caddy?

I will take a look asap

dextermallo commented 1 year ago

Hey @dextermallo! Thanks for the report! So, if I have understood correctly, the variables in both debug.log and audit.log are not expanded into their actual values, but they are in the error logs?

Yes, both debug.log and audit.log do not interpret the variables. But the log output shown in the terminal does show the value.

Have all your experiments been conducted with the example http-server, or have you used a connector like coraza-caddy?

Yes, I am using the example http-server and just slightly changed the default.conf for creating the log files.

Thanks!

jptosso commented 1 year ago

You should try using the error callback: https://pkg.go.dev/github.com/corazawaf/coraza/v3#section-readme:~:text=type%20WAFConfig-,%C2%B6,-type%20WAFConfig%20interface

config := coraza.NewWAFConfig().WithErrorCallback(func(rule types.MatchedRule){
    fmt.Println(rule)
})
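To make concrete what the thread is comparing, here is an added, stand-alone Go illustration (not Coraza's own macro code, and using no Coraza API). The debug.log line quoted in the report is tagged "Parsing directive", i.e. it is emitted while the rule file is read, when no transaction exists yet, so the `%{tx.*}` macros in `msg:` can only appear literally there; an error-log or audit-log line rendered per request is where the expanded values can show up. The TX values, the abridged rule 980170 directive and the function names (`Expand`, `MsgFromDirective`, `UnresolvedMacros`) are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// macroRe matches a rule-language macro such as %{tx.anomaly_score} or
// %{TX.ANOMALY_SCORE}; the capture is the text between the braces.
var macroRe = regexp.MustCompile(`%\{([^}]+)\}`)

// TX is a constructed stand-in for one transaction's TX collection.
// Keys are stored lower-case; the values used below are made up.
type TX map[string]string

// lookup resolves "tx.key" case-insensitively. Any other collection, and
// any key not set on this transaction, resolves to the empty string, which
// is also how an unset variable renders in a ModSecurity msg:.
func (tx TX) lookup(name string) string {
	coll, key, ok := strings.Cut(name, ".")
	if !ok || !strings.EqualFold(coll, "tx") {
		return ""
	}
	return tx[strings.ToLower(key)]
}

// Expand replaces every %{...} in msg with the transaction's value.
func Expand(msg string, tx TX) string {
	return macroRe.ReplaceAllStringFunc(msg, func(m string) string {
		return tx.lookup(m[2 : len(m)-1]) // strip the "%{" and "}"
	})
}

// MsgFromDirective pulls the single-quoted msg:'...' text out of a
// SecAction/SecRule actions string. At parse time this literal text is all
// a logger can print, because there is no transaction to expand against.
func MsgFromDirective(directive string) (string, bool) {
	const tag = "msg:'"
	start := strings.Index(directive, tag)
	if start < 0 {
		return "", false
	}
	rest := directive[start+len(tag):]
	end := strings.IndexByte(rest, '\'')
	if end < 0 {
		return "", false
	}
	return rest[:end], true
}

// UnresolvedMacros lists the macros still present literally in msg: the
// quick check for whether a log line was written before or after expansion.
func UnresolvedMacros(msg string) []string {
	var out []string
	for _, m := range macroRe.FindAllStringSubmatch(msg, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	// Constructed directive in the style of CRS rule 980170 (abridged).
	directive := `SecAction "id:980170,phase:5,pass,t:none,noauditlog,msg:'Anomaly Scores: (Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, threshold=%{tx.inbound_anomaly_score_threshold}) - (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, COMBINED_SCORE=%{tx.anomaly_score})',tag:'reporting'"`

	// Constructed per-request scores for an XSS probe against a threshold of 5.
	tx := TX{
		"blocking_inbound_anomaly_score":  "62",
		"detection_inbound_anomaly_score": "62",
		"inbound_anomaly_score_threshold": "5",
		"xss_score":                       "60",
		"anomaly_score":                   "62",
		// sql_injection_score is deliberately unset and expands to "".
	}

	msg, _ := MsgFromDirective(directive)
	fmt.Println("parse-time msg :", msg)
	fmt.Println("unresolved     :", UnresolvedMacros(msg))
	expanded := Expand(msg, tx)
	fmt.Println("per-request msg:", expanded)
	fmt.Println("unresolved     :", UnresolvedMacros(expanded))
}
```

Running it prints the literal `%{tx.*}` form first (what a parse-time "Parsing directive" line can contain) and the expanded scores second (what a per-request log line carries); `UnresolvedMacros` returning a non-empty list on a line that is supposed to be per-request is the signal that expansion did not happen for that log sink.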