SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

Rule 941120 Processing time is too long

sunskyyao opened this issue · comments

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="
"id:941120,
phase:2,
block,
capture,
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,
msg:'XSS Filter - Category 2: Event Handler Vector',
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
tag:'application-multi',
tag:'language-multi',
tag:'platform-multi',
tag:'attack-xss',
tag:'OWASP_CRS',
tag:'OWASP_CRS/WEB_ATTACK/XSS',
tag:'WASCTC/WASC-8',
tag:'WASCTC/WASC-22',
tag:'OWASP_TOP_10/A3',
tag:'OWASP_AppSensor/IE1',
tag:'CAPEC-242',
ctl:auditLogParts=+E,
ver:'OWASP_CRS/3.2.0',
severity:'CRITICAL',
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Type of Issue
Rule processing takes longer

Description
Posting a request body of more than 1M (the content of the request body exceeds 1M) causes CRS processing to time out; the rule id is 941120. The data is submitted as a form: the content of the file is submitted through an input box, not as a file upload.
1M.txt

eg

Your Environment
nginx
CRS version (e.g. v3.2.0):
ModSecurity version (e.g. 3.2):

Hi @sunskyyao,

thanks for the report.

Could you tell us your ModSecurity version exactly? There isn't any release with version 3.2. If your HTTP server is Nginx, then it could be libmodsecurity3 with version 3.0.[01234], or mod_security2.

Also we need the variables from your modsecurity config with these names:
grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" /path/to/your/modsecurity.conf

Thanks.

Test environment:
modsecurity: 3.0.4
CRS : OWASP_CRS/3.2.0
server: nginx

test web:
html.zip

modsecurity.conf

modsecurity.conf.txt

root@liangay-virtual-machine:/usr/local/nginx/conf# grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" modsecurity.conf
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

gdb trace thread

trace

It is suspected that the regular expression of this rule caused pcre processing to time out. The problem may be PCRE or the rule.

Hi @sunskyyao,

thanks for more details. The issue is still under investigation, please be patient.

We talked about this a great deal during (or rather after) our monthly chat.

@dune73 (thus me) came up with a simpler variant of this rule that should kill the performance / DoS problems and still match the same payloads.

"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]on(load|...|...)[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"

@airween is going to test this and provide a PR if it works. If not, we need to continue our discussion.

Meeting minutes: #1671 (comment)
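As an added example (not code from the issue, from the CRS project, or from the PR being discussed), the script below reproduces the quadratic behaviour of the 941120 regex shape on a body consisting only of characters from its leading character class, and checks that a single-prefix-character variant in the spirit of the proposal above still flags event-handler payloads. Python's re module is a different backtracking engine from PCRE, so absolute times differ, but the shape of the work is the same: every character of a digit/whitespace run is a valid start position and the run is re-scanned from each of them. The handler list, the payloads and the digit-only body are all constructed for illustration; the handler list is an assumption and is not the list from the PR.

```python
import re
import time

# Leading and trailing character classes copied from the 941120 regex above.
PREFIX_CLASS = r'''[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]'''
TAIL_CLASS = r'''[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]'''

# Shape of the 3.2.0 rule: an unbounded run of prefix characters, then "on"
# and any handler name.  On a long run of prefix characters the engine starts
# a match attempt at every position of the run and scans to its end each
# time, so the cost grows with the square of the run length.
ORIGINAL = re.compile(PREFIX_CLASS + r'+on[a-zA-Z]+' + TAIL_CLASS + r'*?=',
                      re.IGNORECASE)

# Variant in the spirit of the proposal: exactly one prefix character and an
# explicit handler list.  ASSUMED, abbreviated list for illustration only;
# the thread elides the real one, so handlers not listed here go unmatched.
HANDLERS = r'load|error|click|mouseover|focus|mouseenter'
SIMPLIFIED = re.compile(PREFIX_CLASS + r'on(?:' + HANDLERS + r')' + TAIL_CLASS + r'*?=',
                        re.IGNORECASE)

# Constructed samples (not from the issue's attachments).  The rule runs its
# regex after the t:urlDecodeUni/t:htmlEntityDecode/... chain, so these are
# written as already-decoded values.
PAYLOADS = [
    '<img src=x onerror=alert(1)>',   # classic image event handler
    '"onload =alert(1)',               # quote prefix, whitespace before "="
    '1;onclick=fetch("//x")',          # separator prefix
]
BENIGN = [
    'color=blue&size=10',
    'reason=timeout&season=winter',    # "on" not preceded by a prefix character
]


def both_match(text):
    """Return (original_matches, simplified_matches) for one decoded value."""
    return (ORIGINAL.search(text) is not None,
            SIMPLIFIED.search(text) is not None)


def pathological_body(n):
    """n digits: every character is in the prefix class, none can start 'on'."""
    return '0' * n


def time_search(pattern, body):
    """Run one search and return (matched, seconds)."""
    t0 = time.perf_counter()
    matched = pattern.search(body) is not None
    return matched, time.perf_counter() - t0


def main():
    for text in PAYLOADS + BENIGN:
        orig, simp = both_match(text)
        print(f'{text!r:36} original={orig} simplified={simp}')
    # Doubling the body roughly quadruples the original's time; the
    # single-prefix-character variant stays linear in the body length.
    for n in (1000, 2000, 4000):
        _, t_orig = time_search(ORIGINAL, pathological_body(n))
        _, t_simp = time_search(SIMPLIFIED, pathological_body(n))
        print(f'n={n:5d}  original={t_orig:.4f}s  simplified={t_simp:.6f}s')


if __name__ == '__main__':
    main()
```

The trade-off visible in the proposal is that `on[a-zA-Z]+` becomes an enumerated alternation, so the list has to be kept complete to keep matching the same payloads; the digit-only body is the worst case because every byte is both a valid start position and a member of the `+` run.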

@airween : Do you have any update on your test with this rule?

With @theMiddleBlue we're still working on this issue. It needs more time to finish.