Giters

SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page:https://modsecurity.org/crs

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Password Scrubbing within the libinjection rule

a-zb opened this issue · comments

commented

Describe the bug

Sanitization of passwords does not seem to work. Password is recorded
in audit log when caught by owasp CRS 3.2 libinjection rule.

Libinjection CRS rule has an output format that outputs the VAR name and values, and mod_sec module does not sanitize it, please see this log output. The rule can be triggered by putting in a character sequence of !@# within the password. How do we prevent showing these values within the H section:

configuration
We have following config as an example

SecAction "nolog,auditlog,phase:2,id:131,sanitiseArg:password"
SecRule ARGS "password" "phase:1,log,deny,id:119,t:removeNulls,t:lowercase,multiMatch"
SecRule REQUEST_URI "@beginswith /apply/" "phase:5,nolog,auditlog,id:10004,ctl:ruleRemoveTargetById=942100;ARGS:password"

Logs and dumps

The audit log masks some of the arguments:
--40105004-C--
login=USER&password=****************&submitButton=Log+In&csrf=0762a687ea5b99774b6dd3194576f184
--40105004-F--
HTTP/1.1 303 See Other
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

--40105004-H--
Message: Unconditional match in SecAction. [file "/etc/httpd/conf.d/mod_security.conf"] [line "5"] [id "131"]
Message: detected SQLi using libinjection with fingerprint 'novc' [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "67"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: novc found within ARGS:password: Pass555!@#"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: String match "/apply/" at REQUEST_URI. [file "/etc/httpd/conf.d/mod_security.conf"] [line "12"] [id "10004"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.168.0.16] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "host"] [uri "/apply/toolset/en_CA/user/login"] [unique_id "Xqchg5Xdaqirl7Fz7LwtvwAAAME"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.168.0.16] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "host"] [uri "/user/login"] [unique_id "Xqchg5Xdaqirl7Fz7LwtvwAAAME"]
Apache-Handler: proxy-server
Stopwatch: 1588011395366437 46766 (- - -)
Stopwatch2: 1588011395366437 46766; combined=5048, p1=391, p2=4297, p3=37, p4=153, p5=169, sr=16, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 () OpenSSL/1.0.2k-fips
Sanitised-Args: "password".
Engine-Mode: "DETECTION_ONLY"

commented

I feel your pain @arekzb, but this is unfortunately a ModSecurity limitation and nothing we can control.

Likewise: It's also in your error-log.