internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

internet.nl website test triggering OWASP CRS WAF #1346

Closed ne20002 closed 3 months ago

ne20002 commented 3 months ago

I updated one of my own websites' ModSecurity WAF with the new Core Rule Set from OWASP. As I started to test it with the website test, the test failed due to a rule violation:

This is the entry in the logfile:

```
2024/03/20 09:15:41 [info] 98#98: *14976 ModSecurity: Warning. Matched "Operator `Gt' with parameter `50' against variable `REQUEST_HEADERS:Accept-Encoding' (Value: `compress, deflate, exi, gzip, pack200-gzip, x-compress, x-gzip' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1207"] [id "920520"] [rev ""] [msg "Accept-Encoding header exceeded sensible length"] [data "62"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "10.0.2.100"] [uri "/"] [unique_id "171092254153.715809"] [ref "v585,62t:lowercase,t:length"], client: 62.204.66.10, server: , request: "GET / HTTP/1.1", host: "fedi.****.ch"
```

The rule 920520 is defined as:

```apache
#
# Rule against CVE-2022-21907
#
# This rule blocks Accept-Encoding headers longer than 50 characters.
# The length of 50 is a heuristic based on the length of values from
# the RFC (https://datatracker.ietf.org/doc/rfc9110/)
# and the respective values assigned by IANA
# (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding).
#
# This rule has a stricter sibling: 920521
#
SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \
    "id:920520,\
    phase:1,\
    block,\
    t:none,t:lowercase,t:length,\
    msg:'Accept-Encoding header exceeded sensible length',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/4.0.1-dev',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```

So the Accept-Encoding header value sent by your test violates the 50-character limit.
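To make the reported match reproducible offline, here is an added example that is not part of the issue, of internet.nl, or of the OWASP CRS project. It re-implements only what the quoted rule 920520 does (apply `t:lowercase` and `t:length` to each `Accept-Encoding` value, fire on `@gt 50`, add the critical anomaly score) and runs it against the header value from the log entry above next to a constructed browser-style value. The score numbers (critical = 5, inbound blocking threshold = 5) are assumed to be the CRS defaults; the header dictionaries and the `limit` parameter are constructed for this example.

```python
"""Offline model of OWASP CRS rule 920520 (added example, not CRS or internet.nl code).

It mirrors the quoted rule: every Accept-Encoding value is lower-cased, its
length is taken, and the rule fires when that length is greater than 50.
On a match the critical anomaly score is added to the inbound score, which is
what drives the 'block' action in CRS anomaly-scoring mode.
"""
from dataclasses import dataclass, field
from typing import Dict, List

RULE_ID = 920520
MAX_ACCEPT_ENCODING_LEN = 50   # the "@gt 50" operand in the quoted rule
CRITICAL_ANOMALY_SCORE = 5     # assumed CRS default for tx.critical_anomaly_score
INBOUND_BLOCK_THRESHOLD = 5    # assumed CRS default inbound anomaly threshold

# Accept-Encoding value exactly as quoted in the ModSecurity log entry in the issue.
LOGGED_ACCEPT_ENCODING = "compress, deflate, exi, gzip, pack200-gzip, x-compress, x-gzip"


@dataclass
class Match:
    rule_id: int
    value: str
    length: int  # what the rule's logdata (the [data "..."] field) reports


@dataclass
class Evaluation:
    matches: List[Match] = field(default_factory=list)
    inbound_anomaly_score: int = 0

    @property
    def blocked(self) -> bool:
        # CRS blocks in phase 2 once the inbound score reaches the threshold.
        return self.inbound_anomaly_score >= INBOUND_BLOCK_THRESHOLD


def accept_encoding_length(value: str) -> int:
    """Length the rule compares: t:lowercase then t:length (ASCII values keep their length)."""
    return len(value.lower())


def rule_920520(headers: Dict[str, List[str]], limit: int = MAX_ACCEPT_ENCODING_LEN) -> Evaluation:
    """Evaluate rule 920520 over one request's headers.

    `headers` maps lower-cased header names to the list of values sent; a request
    may carry Accept-Encoding more than once and CRS checks each value separately.
    `limit` is constructed for this example so a tuned threshold can be compared.
    """
    ev = Evaluation()
    for raw in headers.get("accept-encoding", []):
        transformed_len = accept_encoding_length(raw)
        if transformed_len > limit:  # @gt <limit>
            ev.matches.append(Match(RULE_ID, raw, transformed_len))
            # setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'
            ev.inbound_anomaly_score += CRITICAL_ANOMALY_SCORE
    return ev


# Constructed sample requests (not from the page): a typical browser value and
# the value the internet.nl probe sent according to the log.
BROWSER_REQUEST = {"accept-encoding": ["gzip, deflate, br"]}
SCANNER_REQUEST = {"accept-encoding": [LOGGED_ACCEPT_ENCODING]}

if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQUEST), ("internet.nl probe", SCANNER_REQUEST)):
        ev = rule_920520(req)
        print(f"{name}: matches={len(ev.matches)} "
              f"score={ev.inbound_anomaly_score} blocked={ev.blocked}")
```

Running it shows the probe value measuring 62 characters, the same number the log reports in `[data "62"]`, and a single critical match already reaching the default blocking threshold, while the browser value passes untouched. The `limit` argument lets you see at what threshold the probe would pass before deciding whether to tune the rule for that client or accept the test result.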

ne20002 commented 3 months ago

duplicate