Rule 941130 Blocking XML Payload
jeremyjpj0916 opened this issue · comments
Description
An application/xml payload gets blocked:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:RootCanonical xmlns:ns2="urn:company.com:schemas" xmlns:ns3="urn:company.com:schemas:claim:pricing">
<ClaimPrice>
<Claim>
<ns2:Providers>
<ns2:Pricing>
<ns2:TIN></ns2:TIN>
<ns2:Address>
<ns2:State>MD</ns2:State>
<ns2:ZipSfx>123</ns2:ZipSfx>
</ns2:Address>
</ns2:Pricing>
</ns2:Providers>
</Claim>
</ClaimPrice>
</ns3:RootCanonical>
I don't necessarily think there will be a "fix" in this mother of all regexes perhaps. I suppose next steps are how to whitelist certain URI paths to drop this check on XML payloads. Would really like it if I can regex in the URI(*) and the check to exclude on a rule, something maybe like:
SecRule REQUEST_URI "@beginsWith /api/*/pdr/clm/prices/" \
"id:4200001,\
phase:1,\
t:none,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=932110;XML:/*"
That could say for any environment (alpha/bravo/charlie/stage) etc in the URI path match on, and then remove the XML check for everything for that rule. Possible?
Audit Logs / Triggered Rule Numbers
Something like:
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|{||||||&|&&|\n|\r|)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[ (4978 characters omitted)' against variable `XML:/*' (Value: `\x0a \x0a New\x0a Y\x0a N\x0a \x0a \x0a 000 (10868 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "237"] [id "932110"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0a \x0a \x0a MD\x0a 21201\x0a 4606\x0a \x0a 0019491\x0a (17805 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "10.131.25.147"] [uri "/api/alpha/pdr/clm/prices/v1"] [unique_id "158170374661.521559"] [ref "o1063,8450"]
941130
Your Environment
- CRS version (e.g., v3.2.0): 3.2/master
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 3.0.4
- Web Server and version (e.g., apache 2.4.41): nginx
- Operating System and version: Alpine Linux
As noted by airween, ways to whitelist this issue:
SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
"id:9XXXXX1,\
phase:1,\
t:none,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=941130;XML:/*"
OR
SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
"id:9XXXXX1,\
phase:1,\
t:none,\
pass,\
nolog,\
ctl:ruleRemoveById=941130"
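A narrower variant of the target-removal exclusion, added here as an example rather than taken from this issue or from CRS: it anchors the path match so only `/api/<env>/pdr/clm/prices/...` qualifies, only fires when the request body is declared as XML, and strips the XML target from the two rule ids this issue reports (932110 in the audit log, 941130 in the title) while leaving both rules active for ARGS, headers and other targets. The rule id is a placeholder; the Content-Type check assumes the client always sends `application/xml`.

```apache
# Added example, not part of the issue thread or the CRS rule set.
# 9XXXXX2 is a placeholder id; pick one from your local exclusion range.
#
# Parent rule: anchored path match, one path segment for the environment
# (alpha/bravo/charlie/stage/...), so a URI that merely contains the
# substring elsewhere does not disable the checks.
SecRule REQUEST_URI "@rx ^/api/[^/]+/pdr/clm/prices/" \
    "id:9XXXXX2,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Chained condition: only XML bodies. The ctl actions sit on the last
    # rule of the chain so they run only when both conditions hold.
    # Removing just the XML:/* target keeps 932110 and 941130 inspecting
    # query strings, headers and form arguments on the same endpoint.
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/xml" \
        "t:none,t:lowercase,\
        ctl:ruleRemoveTargetById=932110;XML:/*,\
        ctl:ruleRemoveTargetById=941130;XML:/*"
```

Because the exclusion runs in phase 1, it is already in effect when the body rules evaluate in phase 2; after deploying it, confirm in the audit log that requests to that path no longer record 932110 or 941130 matches against `XML:/*` but still do for other variables.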