
Adding exceptions (SecRuleUpdateTargetById) in ModSecurity rule does not work?

I have installed ModSecurity in nginx and installed OWASP CRS with the help of this documentation.

Everything works fine except that one of the rules is denying a valid request. I am getting a 403 Access Denied error. The reason seems to be that I have a key named imagebase64 in my URL parameter or request body.

This rule file is causing the Access Denied issue for me. Here is the rule:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
    "id:941130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 3: Attribute Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

As we can see, the regular expression below matches strings which end with base64. So the key imagebase64 in the request body is matched and the request is denied.
(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)

Here are the logs (I have changed the actual endpoints, tokens etc., keeping the generated logs otherwise untouched):


---kmzyGTME---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b' against variable `ARGS_NAMES:json.some.randomStuff.randomList.array_0.imageBase64' (Value: `json.some.randomStuff.randomList.array_0.imageBase64' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "139"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: eBase64 found within ARGS_NAMES:json.some.randomStuff.randomList.array_0.imageBase64: json.some.randomStuff.randomList.array_0.imageBase64"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "00.00.2.1"] [uri "/some/fake/endpoint"] [unique_id "83423785723453523523.234324234"] [ref "o47,7v0,54t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "00.00.0.0"] [uri "/some/fake/endpoint"] [unique_id "156150510827.687874"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf"] [line "65"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 3: Attribute Vector"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "00.00.0.0"] [uri "/some/fake/endpoint"] [unique_id "238472356327653256235.2352353"] [ref ""]

I tried adding imagebase64 as an exception key by adding the line below to the rule file:

SecRuleUpdateTargetById 941130 !ARGS_NAMES:imagebase64

I referred to this reference manual. It doesn't work for me.

However, adding an exception directly in the regular expression using (?<!imagebase64) works.

What am I doing wrong? How do I modify the rule to only accept imagebase64 as a key?

The error log entry has this snippet:

data "Matched Data: eBase64 found within ARGS_NAMES:json.some.randomStuff.randomList.array_0.imageBase64

So the argument name is not imageBase64 but json.some.randomStuff.randomList.array_0.imageBase64

You need to include the full argument name, or a regex that matches it.
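As an added example (not part of the question or the answer above), here are the exclusion forms that actually cover the argument name the log reports, with the directive from the question kept as a comment for contrast. The flattened name is copied from the posted log; the rule ID 10001 and the endpoint path /some/fake/endpoint (the sanitised path from the log) are assumptions.

```apache
# Added example, not from the question or the answer. Put these lines in a
# file that is loaded AFTER the CRS rule files (with CRS 3.x that is
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf): SecRuleUpdateTargetById can
# only modify a rule that has already been defined.

# What the question tried. It names an argument called exactly "imagebase64",
# but the audit log shows the JSON body was flattened to
#   json.some.randomStuff.randomList.array_0.imageBase64
# so the exclusion never applies and 941130 keeps adding to the anomaly score.
# SecRuleUpdateTargetById 941130 "!ARGS_NAMES:imagebase64"

# Fix 1: exclude the full flattened name exactly as the log reports it.
# Brittle: a second list element is named ...array_1.imageBase64 and would be
# caught again.
SecRuleUpdateTargetById 941130 "!ARGS_NAMES:json.some.randomStuff.randomList.array_0.imageBase64"

# Fix 2: exclude by regex (the /.../ target form), anchored on the leaf key so
# any array index and any nesting depth is covered, while every other argument
# name still goes through the XSS check. Note this also matches a key such as
# "someimageBase64"; add the leading dot to the pattern if that matters.
SecRuleUpdateTargetById 941130 "!ARGS_NAMES:/imageBase64$/"

# Fix 3: runtime exclusion limited to one endpoint (assumed path and rule ID).
# The ctl: action is evaluated per request in phase 1, before 941130 (phase 2)
# runs, so the same key name is still inspected on every other URI.
SecRule REQUEST_URI "@beginsWith /some/fake/endpoint" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941130;ARGS_NAMES:json.some.randomStuff.randomList.array_0.imageBase64"
```

Only the ARGS_NAMES target is excluded here because the log shows the match was on the key, not its value. If the base64 payload itself ever trips the rule (941130 also inspects ARGS), the same directives apply with `!ARGS:` in place of `!ARGS_NAMES:`. After adding an exclusion, replay the request and confirm in the audit log that 941130 no longer appears and the anomaly score in 949110 drops below the blocking threshold.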
