SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

Rule 920220 Query Parameters detecting malformed UrlEncoding?

jeremyjpj0916 opened this issue · comments

Description

Seems the REQUEST_URI is valid to me in this request (%25 replacing the % character, URL-encoded). Unsure why it's blocking it; I see no % signs isolated by themselves?

Irrelevant headers removed from the audit log.

---69CqtRLC---A--
[14/Feb/2020:17:24:21 +0000] 158170106129.651497 10.204.108.126 0 10.131.25.147 8443
---69CqtRLC---B--
GET /api/cpa/dev/admin/getInventoryAge?isProvider=%25&par=%25&userId1=ltester3&isFromRange=0&isDelegatedInd=%25&review=02077&isToRange=99999&isClearedClaims=x&isExceptionInd=0&phySite=OEB&legalEntity=%25&UserId2=ltester3 HTTP/1.1
Accept: application/json, application/*+json

---69CqtRLC---D--

---69CqtRLC---H--
ModSecurity: Warning. Matched "Operator ValidateUrlEncoding' with parameter ' against variable REQUEST_URI' (Value: /api/cpa/dev/admin/getInventoryAge?isProvider=%&par=%&userId1=lharvey3&isFromRange=0&isDelegatedInd= (108 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "328"] [id "920220"] [rev ""] [msg "URL Encoding Abuse Attack Attempt"] [data "/api/cpa/dev/admin/getInventoryAge?isProvider=%&par=%&userId1=lharvey3&isFromRange=0&isDelegatedInd=%&review=02077&isToRange=99999&isClearedClaims=x&isExceptionInd=0&phySite=OEB&legalEntity=%&UserId2= (8 characters omitted)"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [hostname "10.131.25.147"] [uri "/api/cpa/dev/admin/getInventoryAge"] [unique_id "158170106129.651497"] [ref "o190,1o100,1o52,1o46,1v4,216o46,208v4,216"]

Audit Logs / Triggered Rule Numbers

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L328

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): nginx
  • Operating System and version: Alpine Linux
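As an added illustration (not part of this issue or of the CRS project's own code), the block below re-implements the check that the @validateUrlEncoding operator performs: every % in the input must be followed by two hex digits, so a bare %, a % at the end of the input, or %XY with non-hex X/Y is malformed. It runs that check over the request target copied from section B of the audit log above and over its URL-decoded form, which is what the Value/data fields of the warning display (bare % where the request line has %25). The raw request line passes; the decoded form fails at offset 46, the first isProvider=% byte, which is also the first offset in the warning's ref field. Function names and the decoded sample are mine.

```python
from urllib.parse import unquote

# Request target copied from the issue's audit log (section B).
RAW_TARGET = (
    "/api/cpa/dev/admin/getInventoryAge?isProvider=%25&par=%25&userId1=ltester3"
    "&isFromRange=0&isDelegatedInd=%25&review=02077&isToRange=99999"
    "&isClearedClaims=x&isExceptionInd=0&phySite=OEB&legalEntity=%25&UserId2=ltester3"
)

# Constructed here: the same target after one round of URL decoding, i.e. the
# form the warning's Value/data fields show (every %25 has become a bare %).
DECODED_TARGET = unquote(RAW_TARGET)

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def malformed_offsets(value: str) -> list:
    """Offsets of every '%' that is not followed by exactly two hex digits.

    This is the rule applied by @validateUrlEncoding: '%' must start a %XX
    escape. A '%' at the very end of the input, or one followed by fewer
    than two characters, is counted as malformed too (truncated escape).
    """
    bad = []
    i, n = 0, len(value)
    while i < n:
        if value[i] != "%":
            i += 1
            continue
        escape = value[i + 1:i + 3]
        if len(escape) < 2 or any(c not in HEX_DIGITS for c in escape):
            bad.append(i)
            i += 1          # re-scan from the next byte after the bad '%'
        else:
            i += 3          # well-formed %XX: skip the whole escape
    return bad


def validate_url_encoding(value: str):
    """(True, None) when the input is well formed, else (False, first_bad_offset)."""
    bad = malformed_offsets(value)
    return (True, None) if not bad else (False, bad[0])


def describe(value: str) -> str:
    """Human-readable verdict for a given input, for use from the command line."""
    ok, offset = validate_url_encoding(value)
    if ok:
        return "valid: every % starts a %XX escape"
    snippet = value[offset:offset + 3]
    return f"malformed at offset {offset}: {snippet!r}"


if __name__ == "__main__":
    print("raw request target  ->", describe(RAW_TARGET))
    print("after one decode    ->", describe(DECODED_TARGET))
    # Edge cases the operator also rejects: truncated escape and non-hex digits.
    print("truncated 'a=%2'    ->", describe("a=%2"))
    print("non-hex 'a=%zz'     ->", describe("a=%zz"))
```

The practical takeaway for tuning: when a 920220 hit shows bare % signs in the logged data but the client sent %25, compare the raw request line against the decoded value the engine evaluated before deciding whether the rule or the encoding is at fault.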

Oops, closing this. Oddly enough my modsec audit logs are set to only log 400/403 events (blocking), but this one is a 200 response, and even though it says it found a match in the H section like above, it's not actually blocking the tx? Very strange, probably a ModSecurity bug itself but not a Core Rule Set problem; the rule is working as expected and allowing this tx to pass.