SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

Rule 941130 Blocking XML Payload

jeremyjpj0916 opened this issue · comments

Description

application/xml payload gets blocked:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:RootCanonical xmlns:ns2="urn:company.com:schemas" xmlns:ns3="urn:company.com:schemas:claim:pricing">
    <ClaimPrice>
        <Claim>
            <ns2:Providers>
                <ns2:Pricing>
                    <ns2:TIN></ns2:TIN>
                    <ns2:Address>
                        <ns2:State>MD</ns2:State>
                        <ns2:ZipSfx>123</ns2:ZipSfx>
                    </ns2:Address>
                </ns2:Pricing>
            </ns2:Providers>
        </Claim>
    </ClaimPrice>
</ns3:RootCanonical>

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf#L126

I don't necessarily think there will be a "fix" in this mother of all regexes. I suppose the next step is how to whitelist certain URI paths to drop this check on XML payloads. Would really like it if I can regex in the URI(*) and the check to exclude on a rule, something maybe like:

# [^/]+ stands in for the environment segment (alpha/bravo/charlie/stage)
SecRule REQUEST_URI "@rx ^/api/[^/]+/pdr/clm/prices/" \
    "id:4200001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932110;XML:/*"

That could match any environment (alpha/bravo/charlie/stage) etc. in the URI path, and then remove the XML check for that rule. Possible?

Audit Logs / Triggered Rule Numbers

Something like:

ModSecurity: Warning. Matched "Operator Rx' with parameter (?i)(?:;|{||||||&|&&|\n|\r|)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[ (4978 characters omitted)' against variable XML:/*' (Value: `\x0a \x0a New\x0a Y\x0a N\x0a \x0a \x0a 000 (10868 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "237"] [id "932110"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0a \x0a \x0a MD\x0a 21201\x0a 4606\x0a \x0a 0019491\x0a (17805 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "10.131.25.147"] [uri "/api/alpha/pdr/clm/prices/v1"] [unique_id "158170374661.521559"] [ref "o1063,8450"]

941130

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): nginx
  • Operating System and version: Alpine Linux

As noted by airween, two ways to whitelist this:

SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
    "id:9XXXXX1,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941130;XML:/*"

OR

SecRule REQUEST_URI "@rx /api/.*/pdr/clm/prices/.*" \
    "id:9XXXXX1,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=941130"
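The first of those two forms (drop only the XML:/* target, keep the rule for everything else) is the one worth automating when triaging false positives. As an added example that is not part of the issue or of the CRS project, the helper below parses a libmodsecurity 3.x audit-log line of the kind quoted above, takes the rule id, the matched variable and the URI from it rather than from memory, and emits a per-path ctl:ruleRemoveTargetById exclusion. The sample log line is a constructed, shortened copy of the entry above; the local rule id 9000001 and the function names are assumptions.

```python
import re

# Constructed sample modelled on the libmodsecurity 3.0.x entry quoted above
# (the original runs to several kilobytes; layout and key fields are the same).
SAMPLE_LOG = (
    "ModSecurity: Warning. Matched \"Operator Rx' with parameter `(?i)(?:;|{|\\n)' "
    "against variable XML:/*' (Value: `\\x0a MD\\x0a 123\\x0a' ) "
    '[file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] '
    '[line "237"] [id "932110"] [rev ""] '
    '[msg "Remote Command Execution: Windows Command Injection"] '
    '[severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "attack-rce"] [tag "OWASP_CRS"] '
    '[hostname "10.131.25.147"] [uri "/api/alpha/pdr/clm/prices/v1"] '
    '[unique_id "158170374661.521559"]'
)

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
VAR_RE = re.compile(r"against variable ([^\s']+)'")        # the target that matched


def parse_modsec_entry(line: str) -> dict:
    """Split one audit-log line into its bracketed fields; repeated [tag ...]
    fields are collected in a list and the matched variable is added as 'variable'."""
    entry = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    m = VAR_RE.search(line)
    if m:
        entry["variable"] = m.group(1)
    return entry


def uri_pattern(uri: str, wildcard_at: int, depth: int) -> str:
    """Anchored @rx prefix from a concrete URI: keep the first `depth` segments,
    replace segment `wildcard_at` (0-based, the environment name) with [^/]+."""
    segs = uri.strip("/").split("/")[:depth]
    parts = ["[^/]+" if i == wildcard_at else re.escape(s) for i, s in enumerate(segs)]
    return "^/" + "/".join(parts) + "/"


def exclusion_rule(entry: dict, new_id: int, pattern: str) -> str:
    """Exclusion limited to the path and to the one target (XML:/*) taken from the
    log entry, so the rule still inspects ARGS, headers and every other path."""
    return (
        f'SecRule REQUEST_URI "@rx {pattern}" \\\n'
        f'    "id:{new_id},\\\n    phase:1,\\\n    t:none,\\\n    pass,\\\n    nolog,\\\n'
        f'    ctl:ruleRemoveTargetById={entry["id"]};{entry["variable"]}"'
    )
```

Run against the entry above, the emitted id is the one that actually fired (932110, from the [id ...] field), which is a useful cross-check against the rule number in an issue title.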