coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0
2.28k stars 381 forks

Simple false positive on live website mcmo.xyz, cannot find proper rule exclusion in CRS4. #3647

Closed Danrancan closed 7 months ago

Danrancan commented 7 months ago

Description

I am running a live WooCommerce WordPress website. If you go to https://www.mcmo.xyz/shop/ and click on the "add to cart" button embedded in one of the items, the button does nothing and is blocked by ModSecurity. For the life of me, I cannot figure out the proper rule exclusion for these buttons to work properly. So far, my non-working rule exclusions look like this:

### Fix "Add to cart" buttons not working on www.McMo.xyz/shop
SecRule REQUEST_URI "@streq /" \
    "id:1044,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=932236,\
    ctl:ruleRemoveById=949110"

If anyone could please help me figure out the proper rules exclusions here, it would be greatly appreciated. I am still a noob and just learning RE's, so any help would be great.

How to reproduce the misbehavior (-> curl call)

I don't know how to submit curl requests. But if you go to https://www.mcmo.xyz/shop/ and try to add one of the items to your cart, you won't be able to add anything to your cart.

Logs

---uJuHBDDc---A--
[04/Apr/2024:10:31:28 -0500] 17122446880.886527 108.231.125.253 50422 10.10.10.2 443
---uJuHBDDc---B--
POST /?wc-ajax=add_to_cart HTTP/2.0
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
sec-fetch-site: same-origin
origin: https://www.mcmo.xyz
accept-encoding: gzip, deflate, br
cookie: sbjs_current=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_current_add=fd%3D2024-04-04%2015%3A31%3A26%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.xyz%2Fshop%2F%7C%7C%7Crf%3D%28none%29; sbjs_first=typ%3Dtypein%7C%7C%7Csrc%3D%28direct%29%7C%7C%7Cmdm%3D%28none%29%7C%7C%7Ccmp%3D%28none%29%7C%7C%7Ccnt%3D%28none%29%7C%7C%7Ctrm%3D%28none%29%7C%7C%7Cid%3D%28none%29; sbjs_first_add=fd%3D2024-04-04%2015%3A31%3A26%7C%7C%7Cep%3Dhttps%3A%2F%2Fwww.mcmo.xyz%2Fshop%2F%7C%7C%7Crf%3D%28none%29; sbjs_migrations=1418474375998%3D1; sbjs_session=pgs%3D1%7C%7C%7Ccpg%3Dhttps%3A%2F%2Fwww.mcmo.xyz%2Fshop%2F; sbjs_udata=vst%3D1%7C%7C%7Cuip%3D%28none%29%7C%7C%7Cuag%3DMozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7%29%20AppleWebKit%2F605.1.15%20%28KHTML%2C%20like%20Gecko%29%20Version%2F17.4.1%20Safari%2F605.1.15; _pk_id.1.b754=8c87a1dbeefb4a28.1712244685.; _pk_ses.1.b754=1
content-length: 48
accept-language: en-US,en;q=0.9
accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
content-type: application/x-www-form-urlencoded; charset=UTF-8
sec-fetch-mode: cors
host: www.mcmo.xyz
referer: https://www.mcmo.xyz/shop/
sec-fetch-dest: empty

---uJuHBDDc---C--
product_sku=00000016&product_id=24798&quantity=1

---uJuHBDDc---E--
\xa1\x88\x04\x00 :\xb7\xceF\xe8\x84\x06\x0c\xf2\xa3)X\xc4\x82\x1bI=Y\xc8\x99]2\x92L\x0a\x0aZ\xa37|\xdc\xbe5I\xe4bPIXo\xd5\x05mi!\xeb\xcdn\xd3!\x14&\xcb$\x98d!\xd8Q\x19\xc5\x95\xca\xc5\xaar\x8c\x1bY\xd6\x80\xf0\xfa\xdc\xfe\xb8kD\xd3l\x00

---uJuHBDDc---F--
HTTP/2.0 403
Server: nginx
Date: Thu, 04 Apr 2024 15:31:28 GMT
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Encoding: br
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---uJuHBDDc---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\ (8043 characters omitted)' against variable `ARGS_NAMES:wc-ajax' (Value: `wc-ajax' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1348"] [id "932236"] [rev ""] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: wc found within ARGS_NAMES:wc-ajax: wc-ajax"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17122446880.886527"] [ref "o0,2v7,7"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "10.10.10.2"] [uri "/"] [unique_id "17122446880.886527"] [ref ""]

Your Environment

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

azurit commented 7 months ago

Hi @Danrancan, try this:

SecRule REQUEST_FILENAME "@streq /" \
    "id:1044,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932236;ARGS_NAMES:wc-ajax"

Your exclusion rule doesn't work because you used the REQUEST_URI variable which, in this case, is /?wc-ajax=add_to_cart and not only /.

Note: Never exclude rule 949110 (or any 949XXX) because you will completely disable the firewall with it: this is a blocking rule.
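The difference azurit points out between REQUEST_URI and REQUEST_FILENAME, and the effect of ctl:ruleRemoveTargetById versus ctl:ruleRemoveById, can be made concrete with a small model. The following Python is an added illustration written for this thread; it is not libmodsecurity, not CRS code, and not anything azurit or Danrancan posted. It assumes a simplified view of the engine: REQUEST_URI keeps the query string, REQUEST_FILENAME is the path only, @streq is an exact string compare, and a per-target exclusion drops only the named target from the named rule. The request line and body are taken from the audit log in the issue; the ARGS_NAMES list is reconstructed from them.

```python
"""Toy model of how a ModSecurity request exposes REQUEST_URI and
REQUEST_FILENAME, and how the two exclusion rules in this thread behave.
Added illustration only; it does not call or reimplement libmodsecurity."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample, copied from the audit log sections B and C above.
REQUEST_LINE = "POST /?wc-ajax=add_to_cart HTTP/2.0"
BODY = "product_sku=00000016&product_id=24798&quantity=1"

RULE_RCE = 932236  # CRS rule that matched ARGS_NAMES:wc-ajax in the log


def request_variables(request_line: str, body: str = "") -> dict:
    """Derive the three collections this thread cares about.

    REQUEST_URI   -> request target including the query string
    REQUEST_FILENAME -> path part only, query string stripped
    ARGS_NAMES    -> every parameter name from query string and body
    """
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    args = parse_qs(parts.query, keep_blank_values=True)
    args.update(parse_qs(body, keep_blank_values=True))
    return {
        "REQUEST_URI": target,
        "REQUEST_FILENAME": parts.path,
        "ARGS_NAMES": sorted(args),
    }


def streq_matches(variables: dict, variable: str, value: str) -> bool:
    """Model of `SecRule <variable> "@streq <value>"`: exact comparison."""
    return variables[variable] == value


def rule_remove_target(rule_targets: dict, rule_id: int, target: str) -> dict:
    """Model of ctl:ruleRemoveTargetById=<id>;<target>.

    Only the named target of the named rule is dropped; the rule itself keeps
    inspecting every other argument, unlike ctl:ruleRemoveById.
    """
    out = {rid: list(t) for rid, t in rule_targets.items()}
    if rule_id in out and target in out[rule_id]:
        out[rule_id].remove(target)
    return out


def evaluate_exclusions(request_line: str, body: str = "") -> dict:
    """Run both exclusion rules from the thread against one request."""
    variables = request_variables(request_line, body)
    # Assumed toy representation: rule 932236 inspects each ARGS_NAMES entry.
    targets = {RULE_RCE: [f"ARGS_NAMES:{n}" for n in variables["ARGS_NAMES"]]}

    # Reporter's rule: SecRule REQUEST_URI "@streq /" -> compares against
    # "/?wc-ajax=add_to_cart", so it never fires for this request.
    uri_rule_fires = streq_matches(variables, "REQUEST_URI", "/")

    # Suggested rule: SecRule REQUEST_FILENAME "@streq /" -> compares against
    # "/", fires, and removes only ARGS_NAMES:wc-ajax from rule 932236.
    filename_rule_fires = streq_matches(variables, "REQUEST_FILENAME", "/")
    if filename_rule_fires:
        targets = rule_remove_target(targets, RULE_RCE, "ARGS_NAMES:wc-ajax")

    return {
        "REQUEST_URI": variables["REQUEST_URI"],
        "REQUEST_FILENAME": variables["REQUEST_FILENAME"],
        "uri_rule_fires": uri_rule_fires,
        "filename_rule_fires": filename_rule_fires,
        "remaining_932236_targets": targets[RULE_RCE],
    }


if __name__ == "__main__":
    for key, value in evaluate_exclusions(REQUEST_LINE, BODY).items():
        print(f"{key}: {value}")
```

Running it shows REQUEST_URI as /?wc-ajax=add_to_cart and REQUEST_FILENAME as /, so the @streq comparison only succeeds on REQUEST_FILENAME. It also shows why the target exclusion is the safer fix: after it is applied, rule 932236 still inspects product_sku, product_id and quantity, whereas ctl:ruleRemoveById would have switched the rule off for every argument on that path.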

Danrancan commented 7 months ago

This worked! Thank you again @azurit! Also, thank you for the tip about never excluding rule 949xxx. But to enhance my knowledge and help me with further rule exclusions, how were you able to tell that the REQUEST_URI is /?wc-ajax=add_to_cart? I thought the REQUEST_URI is just the [uri "/"] found in the logs? If that is not the case, then what exactly does [uri "/"] indicate in the logs? What is that telling me?

Thanks again friend!

azurit commented 7 months ago

@Danrancan It is a REQUEST_FILENAME, see the docs: REQUEST_FILENAME, REQUEST_URI