owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

LOG boundary of response body #2382

Closed gaetano23061984 closed 2 years ago

gaetano23061984 commented 4 years ago

Describe the bug

A clear and concise description of what the bug is.

Logs and dumps

Output of:

  1. DebugLogs (level 9)
  2. AuditLogs
  3. Error logs
  4. If there is a crash, the core dump file.

Notice: Be careful not to leak any confidential information.

To Reproduce

Steps to reproduce the behavior:

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

[e.g: curl "modsec-full/ca/..\..\..\..\..\..\/\etc/\passwd" or issue-394.json]

Expected behavior

A clear and concise description of what you expected to happen.

Server (please complete the following information):

Rule Set (please complete the following information):

Additional context

Add any other context about the problem here.

gaetano23061984 commented 4 years ago

Hi all, can you help me?

I have the following response:

HTTP/1.1 200 OK
Date: Fri, 07 Aug 2020 13:45:07 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Content-Type: multipart/related; type="application/xop+xml"; boundary="uuid:177aabe6-cd2f-421f-a0a7-be233c7832f6"; start="root.message@cxf.apache.org"; start-info="text/xml"
Content-Length: 3202
Keep-Alive: timeout=60
Connection: Keep-Alive

--uuid:177aabe6-cd2f-421f-a0a7-be233c7832f6
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: binary
Content-ID: root.message@cxf.apache.org

content
--uuid:177aabe6-cd2f-421f-a0a7-be233c7832f6--

But ModSecurity doesn't log the content of boundary --uuid:177aabe6-cd2f-421f-a0a7-be233c7832f6--. Can you help me with the correct configuration?

zimmerle commented 4 years ago

Hi @gaetano23061984,

What kind of logging are you looking for? AuditLogs?

gaetano23061984 commented 4 years ago

Yes. AuditLogs.

-- Gaetano L.

martinhsv commented 2 years ago

Hello @gaetano23061984,

I just tried this and the final boundary was included in part 'E' of the audit log.

There is no setting that I am aware of (either in ModSecurity 2.x, or Apache HTTP Server) that would purposefully result in otherwise identical part 'E' logging -- with the sole difference that only the final boundary is missing or not.

One thing you could try to do is create a ModSecurity rule that prints out the RESPONSE_BODY variable as a separate action. This is what the response body content is, as far as ModSecurity is concerned.

Since this issue is rather dated, it is possible that there formerly was some minor issue that has been fixed (either in Apache, or perhaps even ModSecurity) since your original report. You could try upgrading and retrying this.

I'm going to presumptively close this item. However, if you see additional indicators that there is a bug (the final boundary being present in the RESPONSE_BODY variable but still absent in Part 'E' might be such an indicator) in ModSecurity, feel free to raise this anew.
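
One way to run the RESPONSE_BODY check suggested in the last comment, as an added example that is not from the thread or from the ModSecurity project. It assumes ModSecurity 2.x on Apache; the rule ids 900100 and 900101 and the regular expression for a uuid-style closing delimiter (modelled on the boundary in the report) are constructed for illustration.

```apache
# Added example (assumption: ModSecurity 2.x on Apache httpd).
# Rule ids 900100/900101 are constructed placeholders; pick ids from your own range.

# Buffer response bodies so RESPONSE_BODY and audit log part E are populated.
SecResponseBodyAccess On

# Only the listed MIME types are buffered. The default list is
# "text/plain text/html", so the multipart/related type used by the
# response in the report has to be added before its body is inspected.
SecResponseBodyMimeType text/plain text/html text/xml multipart/related

# Part E is the buffered response body; keep it in the audit log parts.
SecAuditLogParts ABEFHZ

# Phase 4 (response body): fires when the body ModSecurity holds ends with a
# closing delimiter such as --uuid:<36 chars>--. "capture" stores the matched
# text in TX.0, so logdata shows only the delimiter, not the whole body.
SecRule RESPONSE_BODY "@rx --uuid:[0-9a-fA-F-]{36}--\s*$" \
    "id:900100,\
    phase:4,\
    pass,\
    capture,\
    log,\
    auditlog,\
    msg:'Closing multipart delimiter present in RESPONSE_BODY',\
    logdata:'%{TX.0}'"

# Counterpart: a multipart/related response whose buffered body does NOT end
# with the closing delimiter. Logging actions go on the first rule of a chain.
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith multipart/related" \
    "id:900101,\
    phase:4,\
    pass,\
    t:lowercase,\
    log,\
    auditlog,\
    msg:'Closing multipart delimiter missing from RESPONSE_BODY',\
    chain"
    SecRule RESPONSE_BODY "!@rx --uuid:[0-9a-fA-F-]{36}--\s*$"
```

If rule 900100 fires but part E of the same transaction lacks the final boundary, that is the indicator described in the last comment; if neither rule fires, the response body was not buffered at all.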