Open Obsiye opened 1 year ago
I believe it's best to re-enable this but fine-tune it. This is because HTTP Smuggling attack protection isn't built into Rails. I think Puma has it, but I'll need to do further digging into that.
CCCD uses Unicorn (web server). I can't seem to find Unicorn in the Snyk database :/ but I do see stuff around https://yhbt.net/unicorn.git/ . I've emailed Unicorn (unicorn@yhbt.net) to ask them if they protect against HTTP smuggling attacks by default.
However, we do have HTTP/2 set on the nginx server, which provides some level of protection (more info here).
We can turn the rule back on in the firewall and then fine-tune it to allow specific types of sentences with regex.
ATM, I want to try and POC a way to alert us on Slack when ModSecurity has matched on data relating to an HTTP smuggling attack. This means we'll be alerted of false positives, if any.
Snyk has an excellent blog on HTTP smuggling attacks: https://snyk.io/blog/demystifying-http-request-smuggling/
After giving a Developer Presentation on ModSecurity, we got a question about how we compensate for a security rule that was disabled, i.e. how do we test for HTTP Smuggling attacks now that we've disabled it on the firewall.

Extra: There was also a question of whether we needed to disable the rule, or whether we can instead fine-tune it further?
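As an added example (not code from the CCCD project or from this issue), the following header-level check flags the request-framing ambiguities a WAF smuggling rule is there to catch, which is useful for testing what coverage was lost when the rule was disabled and for deciding what a fine-tuned rule should still match. The sample request heads are constructed, and the check assumes nothing about Unicorn or nginx internals.

```python
import re
from typing import Dict, List, Tuple

# Constructed request heads (not captured traffic) used to exercise the check.
CLEAN = (b"POST /messages HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /messages HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /messages HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
SPACED_TE = (b"POST /messages HTTP/1.1\r\nHost: app.example\r\n"
             b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]], List[str]]:
    """Return request line, lower-cased header map, and the raw header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    raw_names: List[str] = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        raw_names.append(name)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, raw_names


def smuggling_findings(raw: bytes) -> List[str]:
    """List framing ambiguities a front end and back end could disagree on."""
    _, headers, raw_names = parse_head(raw)
    findings: List[str] = []
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        # RFC 7230 3.3.3 says TE wins, but proxies differ: treat as hostile.
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        findings.append("malformed Content-Length")
    if te and [t.lower() for t in te] != ["chunked"]:
        findings.append("unusual Transfer-Encoding value")
    if any(n != n.strip() for n in raw_names):
        # RFC 7230 3.2.4: whitespace before the colon must be rejected.
        findings.append("whitespace around a header field name")
    return findings
```

Running `smuggling_findings` over each constructed sample shows which indicator fires; a non-empty list is the condition that would feed the Slack alert mentioned above.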