OWASP coreruleset warning "invalid http request line" triggered by CONNECT method

Summary:

I have setup a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger crs rule 920100:

Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]

Details regarding setup: I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by crs and only modified these two settings regarding the threshold and allowing the CONNECT http method. (The CONNECT method is used in our setup for proxy purposes.)

SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS CONNECT'"

What I have tried so far:

  • Googled a lot about crs and mod-security rules. As per my current, admittedly limited mod-security/crs understanding, basically the regex of the rule 920100 does not match against the request line CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1.
  • Tried to find more details on how the regex for 920100 is constructed.
  • Looked up how the request line for a CONNECT string is defined in the RFC. To me, the request line looks fine as per the RFC.
  • Tried to debug the regexp with a site like regex101 and my request line. I did not succeed in debugging.

Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:

connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?

we can see that it's looking for an IPv4 address. For example, it would match on (and hence not raise an alert for) a request line like the following:

CONNECT 1.2.3.4:80 HTTP/1.1

As you say, the RFC seems to allow for domain names to be used with the CONNECT method, however, rule 920100 is not currently written to allow for this. This seems to be the cause of your issue.

With further investigation and testing, the rule can probably be expanded in a future CRS release to allow for domain names in CONNECT requests.

What can you do here and now?

To address this issue right now, you can add a rule exclusion to your Apache configuration. There are two ways you can do this:

  1. Remove the offending rule completely by excluding it at configure time, like so:
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule due to issues with CONNECT requests
#
SecRuleRemoveById 920100

As a configure time rule exclusion, this should be placed after the inclusion of the Core Rule Set in your Apache configuration (because the rule that's being removed must be added/included in the first place before it can then be removed!).

  2. Remove the offending rule conditionally, only for CONNECT requests, by excluding it at runtime, like so:
#
# -- CRS Rule Exclusion: 920100 - Invalid HTTP Request Line
#
# Turn off rule for CONNECT requests, which cause issues
#
SecRule REQUEST_METHOD "@streq CONNECT" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920100"

As a runtime rule exclusion, this should be placed before the inclusion of the CRS in your Apache configuration (because the rule that's being modified must be modified before it fires off during execution).

A small word of warning

I can't find any mention of anyone else using ModSecurity with the CRS in this way, i.e. fielding CONNECT requests. The CRS rules aren't written to accommodate having a domain name in the request line, so you may find that you run into further false positives as a result. You would need to deal with those in a similar way to that described above.

(You can find an excellent tutorial on the subject of writing rule exclusions here: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/ ).

Hopefully this helps.
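As an added example (not code from the question, the answer or the CRS project), the script below applies the rule 920100 regex quoted in the audit log to a few constructed request lines, and models in Python both the tx.allowed_methods check and the runtime exclusion for CONNECT described in the answer. The function name and the simplified two-rule model are assumptions, not the ModSecurity engine.

```python
import re

# Regex of CRS 3.3.2 rule 920100 (REQUEST-920-PROTOCOL-ENFORCEMENT.conf), as
# quoted in the audit log above. PCRE syntax that Python's re also accepts.
RULE_920100_RE = re.compile(
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"  # CONNECT branch: IPv4 only
    r"|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# tx.allowed_methods as set by the asker's modified rule 900200.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS", "CONNECT"})


def rules_fired(request_line, allowed_methods=ALLOWED_METHODS,
                exclude_920100_for_connect=False):
    """Return the CRS rule ids that would fire on one request line.

    Simplified model (an assumption, not the ModSecurity engine): 911100
    fires when the method is outside tx.allowed_methods, 920100 fires when
    the request line does not match its regex. The flag mimics the runtime
    exclusion  SecRule REQUEST_METHOD "@streq CONNECT" ... ctl:ruleRemoveById=920100
    """
    method = request_line.split(" ", 1)[0]
    fired = []
    if method not in allowed_methods:
        fired.append(911100)  # method enforcement still applies
    if exclude_920100_for_connect and method == "CONNECT":
        return fired  # 920100 is removed for this transaction only
    if not RULE_920100_RE.match(request_line):
        fired.append(920100)
    return fired


if __name__ == "__main__":
    # Constructed sample request lines; the hostname one is from the audit log.
    samples = [
        "CONNECT 1.2.3.4:80 HTTP/1.1",
        "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1",
        "GET /index.html?x=1 HTTP/1.1",
        "TRACE / HTTP/1.1",
    ]
    for line in samples:
        print(f"{line!r:70} default={rules_fired(line)} "
              f"with_exclusion={rules_fired(line, exclude_920100_for_connect=True)}")
```

Note that the exclusion only silences 920100; a CONNECT from a method list that does not include it (the CRS default) is still reported by the method enforcement rule.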
