SOAPUI SOAP Tx multipart/related call False Positive id: 920470
jeremyjpj0916 opened this issue · comments
Description
I already have a pending PR to help with the fact multipart/related is not allowed:
#1721
But, another rule after the above one gets fixed will get hit, which is 920470,
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L870
This only allows (?:boundary|charset) options it looks like for MIME attributes. I think this can be expanded to: (?:boundary|charset|type|start) ( EDIT - Yeah this still didn't work for unblocking me... urgggg)?
Audit Logs / Triggered Rule Numbers
Audit log:
POST /api/test/ext/cimtest/XYZServices/v1
HTTP/1.1Accept-Encoding: gzip,deflate
Content-Type: multipart/related; type="text/xml"; start="<rootpart@soapui.org>"; boundary="----=_Part_0_811603706.1584078662023"
SOAPAction: "urn:PegaRULES:SOAP:XYZServices:Services#ProcessGroupECMM"
Authorization: bearer XXXXXXXX
Host: gateway.company.com
MIME-Version: 1.0
Content-Length: 161250
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
X-Forwarded-For: xxxxxxxx
---YimwH2Cz---C--
------=_Part_0_811603706.1584078662023
...... (Redacted payload due to confidential stuff in here)
------=_Part_0_811603706.1584078662023--
---YimwH2Cz---D--
---YimwH2Cz---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w.()+,/:=?-]+)?$' against variable `REQUEST_HEADERS:Content-Type' (Value: `multipart/related; type="text/xml"; start="<rootpart@soapui.org>"; boundary="----=_Part_0_811603706. (14 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "873"] [id "920470"] [rev ""] [msg "Illegal Content-Type header"] [data "multipart/related; type="text/xml"; start="<rootpart@soapui.org>"; boundary="----=_part_0_811603706.1584078662023""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "xxxxxxx"] [uri "/api/test/ext/cimtest/XYZServices/v1"] [unique_id "158407866551.291542"] [ref "v100,114t:lowercase"]
So how about modifying the rule to be like:
#
# Restrict which content-types we accept.
#
# Restrict Content-Type header to established patterns.
#
# This provides generic whitelist protection against vulnerabilities like
# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638).
#
# Examples of allowed patterns:
# - text/plain
# - text/plain; charset="UTF-8"
# - multipart/form-data; boundary=----WebKitFormBoundary12345
# - multipart/related; type="text/xml"
# - multipart/related; start="<rootpart@company.org>"
#
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset|type|start)\s?=\s?['\"\w\d\.\-]+)?$" \
"id:920470,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Illegal Content-Type header',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE',\
tag:'WASCTC/WASC-20',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/EE2',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
Or maybe that will cause problems w regex to because of 3 attributes deep? Unsure at the moment. EDIT - Yeah this still didn't work for unblocking me... urgggg
Your Environment
- CRS version (e.g., v3.2.0): 3.2/master
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 3.0.4
- Web Server and version (e.g., apache 2.4.41): NGINX
- Operating System and version: Alpine Linux
Confirmation
[X ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
Thank you for reporting. I'm more and more seeing a need to review all the content-type rules in its own little project to overhaul them all. Thanks for the contribution.
Not the best at fixing them but playing the role of QA and providing FP's is right up my wheelhouse, I can make small fixes 😄 .
I also see start-info in this multipart/related Content-Type.
And I see this is also a valid param: https://tools.ietf.org/html/rfc2387
So the full list would be: (?:boundary|charset|type|start|start-info) or (?:boundary|charset|type|start(?:-info)?).
I haven't tested that yet.
Example Request Header:
Content-Type: multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<root.message@cxf.apache.org>"; start-info="application/soap+xml
And here I see more params like action:
https://issues.apache.org/jira/browse/CXF-6431
Example for action:
Content-Type: application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8
Source: https://groups.google.com/forum/#!topic/ipf-user/evT5vZb42_w
I'll open a PR with the following suggestion for rule 920470:
^[\w\d\/\.\-\+]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w\d\.\-\/+<>@:]+)*$