p0pr0ck5 / lua-resty-waf

High-performance WAF built on the OpenResty stack
GNU General Public License v3.0

Should REQUEST_ARGS include cookies? #283

Open rayward opened 7 years ago

rayward commented 7 years ago

I'm getting many SQL injection rules being triggered for a simple GET request that includes no request URI or post body, but there are some complex cookies being sent.

There are cookie specific rules (eg SQL Injection character anomaly - COOKIES - 41014) that are being triggered while I've been testing, but many other rules are also being matched:

{
  "timestamp": 1502860171,
  "method": "GET",
  "uri": "/blah",
  "id": "45cea3a42e2f5845d032",
  "client": "192.168.33.1",
  "alerts": [
    {
      "match": 6,
      "msg": "SQL Injection character anomaly - COOKIES",
      "id": 41014
    },
    {
      "match": 6,
      "msg": "SQL Injection character anomaly - ARGS",
      "id": 41015
    },
    {
      "match": 26,
      "msg": "MySQL comment-/space-obfuscated injections and backtick termination",
      "id": 41018
    },
    {
      "match": 2,
      "msg": " SQL injection (authentication bypass)",
      "id": 41033
    },
    {
      "match": 11,
      "msg": "SQL probing attempt",
      "id": 41036
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99001
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99002
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99003
    }
  ]
}

Is it correct to be including cookies in REQUEST_ARGS?

My interpretation of https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#args is that it's query string + post body.

I guess it depends on how closely the rules were translated from ModSec...

Do you think this is working as intended?

Also, it would be useful if the alerts indicated the var and its value that triggered it.

p0pr0ck5 commented 7 years ago

Hey @rayward,

Thanks for the report! Indeed, the REQUEST_ARGS collection should not contain cookie data. This is a bit of a mistranslation leftover from initial work before we tried to closely match ModSecurity functionality. I have plans to migrate the included rules to use the OWASP CRS v3 ruleset, but have not yet had the time to work on this (development here has slowed a bit in recent months).

> Also, it would be useful if the alerts indicated the var and its value that triggered it.

Indeed! This would be up to the msg or data metadata field in the rule to report it. Again, moving to CRS v3 would be the fix here :)
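The two points raised in this thread (cookies leaking into REQUEST_ARGS, and alerts that do not say which variable matched) can be illustrated with a small toy evaluator. The following is an added example written for this page in Python rather than Lua; it is not lua-resty-waf's code and not the project's real rules. The rule ids 41014, 41015 and 99001 are the ones quoted in the issue, but their patterns, scores, the threshold, the function names and the sample requests are all constructed for illustration. It scopes the collections the way the ModSecurity reference manual describes (ARGS = query string + form body, cookies kept in their own collection) and records the matching variable and value on each alert.

```python
"""Toy illustration of ModSecurity-style collection scoping and alert logdata.

Added example, not lua-resty-waf's own code. Rule patterns, scores, the
threshold and the sample requests below are constructed stand-ins.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified stand-in rules. The ids are the ones quoted in the issue; the
# patterns and scores are constructed for this example only.
RULES = [
    {"id": 41015, "target": "REQUEST_ARGS", "score": 2,
     "pattern": re.compile(r"['\";]"),
     "msg": "SQL Injection character anomaly - ARGS"},
    {"id": 41014, "target": "REQUEST_COOKIES", "score": 2,
     "pattern": re.compile(r"['\";]"),
     "msg": "SQL Injection character anomaly - COOKIES"},
]
SCORE_THRESHOLD = 5  # constructed value, not the project's default


def parse_cookie_header(header):
    """Split a Cookie header into name -> value, keeping values raw."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def build_collections(method, uri, headers, body=""):
    """Populate REQUEST_ARGS from the query string plus a form-encoded body,
    and REQUEST_COOKIES from the Cookie header, as separate collections."""
    args = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    ctype = headers.get("Content-Type", "")
    if method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        args.update(parse_qsl(body, keep_blank_values=True))
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    return {"REQUEST_ARGS": args, "REQUEST_COOKIES": cookies}


def evaluate(collections, rules=RULES, threshold=SCORE_THRESHOLD):
    """Run each rule only against its own target collection. Every alert
    carries the variable name and value that matched, so an operator can see
    why a request scored without re-creating it."""
    alerts = []
    for rule in rules:
        for var, value in collections[rule["target"]].items():
            if rule["pattern"].search(value):
                alerts.append({
                    "id": rule["id"],
                    "msg": rule["msg"],
                    "var": f"{rule['target']}:{var}",
                    "value": value,
                    "score": rule["score"],
                })
    total = sum(a["score"] for a in alerts)
    if total >= threshold:
        alerts.append({"id": 99001,
                       "msg": "Request score greater than score threshold",
                       "logdata": total})
    return alerts, total


if __name__ == "__main__":
    # Constructed sample 1: a GET with no query string and an apostrophe in a
    # cookie. Only the COOKIES rule should fire, because cookie data never
    # enters REQUEST_ARGS.
    cookie_only = build_collections(
        "GET", "/blah",
        {"Cookie": "session=abc123; tracker=src%3Dnewsletter; note=it's%20fine"})
    print(evaluate(cookie_only))

    # Constructed sample 2: the same apostrophe in the query string instead.
    # Now the ARGS rule fires and the alert names REQUEST_ARGS:id.
    with_query = build_collections(
        "GET", "/blah?id=1'%20OR%20'1'%3D'1", {"Cookie": "session=abc123"})
    print(evaluate(with_query))
```

Because each rule targets one collection, the cookie-only request in the first sample produces a single COOKIES alert and a low score, rather than the cascade of ARGS rules shown in the issue's JSON. The `var` and `value` fields on each alert are the kind of per-alert logdata rayward asked for; the real rule sets would carry this in their msg or data metadata rather than in a hard-coded dict.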