Modsecurity OWASP Core Rule Set - base64 false positive rule 941170
We use ModSecurity 3.X for NGINX with the OWASP Core Rule Set.
We have a problem with images in base64 and rule 941170.
The pattern of the rule is:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\("
Log:
HTTP/1.1 200
Access-Control-Max-Age: 600
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Set-Cookie: SESSION_ID=b57248f3aa2ac2c169e664b1862e49ed_; path=/
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Date: Wed, 06 Oct 2021 16:06:52 GMT
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Type: text/xml; charset=utf-8; boundary=xYzZY
Access-Control-Expose-Headers: Content-Security-Policy, Location
Content-Length: 67
Server: nginx
Pragma: no-cache
Access-Control-Allow-Origin: *
---RleKJMgH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\ (188 characters omitted)' against variable `ARGS:screen' (Value: `data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gIoSUNDX1BST0ZJTEUAAQEAAAIYAAAAAAIQAABtbnRyUkdCI (47619 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "236"] [id "941170"] [rev ""] [msg "NoScript XSS InjectionChecker: Attribute Injection"] [data "Matched Data: data:image/jpeg; found within ARGS:screen: data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gIoSUNDX1BST0ZJTEUAAQEAAAIYAAAAAAIQAABtbnRyUkdCIFhZWiAAAAAAAAAAAAAAAABhY3NwAAAAAAAAAAAAAAAA (47576 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref "o0,16v1288,47719t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref ""]
Now we are using the SecRuleUpdateTargetById 941170 "!ARGS:screen" command, but this way the rest of the checks are not applied.
Is there any way to modify the pattern of the rule so that it does not detect base64 as NoScript XSS InjectionChecker: Attribute Injection?
The SecRuleUpdateTargetById rule exclusion you provided looks good to me.
To be clear, the effect of that rule exclusion is:
- rule 941170 is no longer applied to the screen argument
- every other rule is still applied to the screen argument, as usual
Is there a reason you're not happy with this?
If you're running a super-high security setup, which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:
1. If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php).
2. Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64
You could even combine both of those suggestions to be extremely specific.
If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.
Also, what paranoia level are you currently running in, out of interest?
Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!
The second rule exclusion described above may look something like this:
#
# -- CRS Rule Exclusion: 941170 - NoScript XSS InjectionChecker: Attribute
# Injection
#
# Disable this rule for the "screen" argument when it begins with the string
# "data:image/jpeg;base64,". This resolves a false positive caused by base64
# encoded images.
#
SecRule ARGS:screen "@beginsWith data:image/jpeg;base64," \
"id:1000,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=941170;ARGS:screen"
The exclusion would need to be placed before the directive(s) that includes the Core Rule Set.
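The combined form of the two suggestions (path-specific and value-specific), written here as an added example rather than taken from the answer; it assumes the /login.php path from the suggestion, and the rule id 1001 is a placeholder to be replaced with a free id in your own configuration.

```apache
#
# -- CRS Rule Exclusion: 941170 - NoScript XSS InjectionChecker: Attribute
# Injection (combined: specific location AND specific value prefix)
#
# Only requests to /login.php (assumed path) whose "screen" argument begins
# with "data:image/jpeg;base64," have rule 941170 removed for that single
# argument. All other rules still inspect "screen"; rule 941170 still
# inspects every other target, and still inspects "screen" on every other
# path or with any other value.
#
# The two SecRule lines form a chain: id/phase/pass/nolog live on the first
# rule, and the ctl action on the second rule only fires when both match.
# Rule id 1001 is a placeholder in the local 1000-series range.
#
SecRule REQUEST_FILENAME "@beginsWith /login.php" \
    "id:1001,\
    phase:2,\
    pass,\
    nolog,\
    chain"
    SecRule ARGS:screen "@beginsWith data:image/jpeg;base64," \
        "ctl:ruleRemoveTargetById=941170;ARGS:screen"
```

As with the single-condition version, this must be loaded before the directive(s) that include the Core Rule Set; phase 2 is required because ARGS from the request body are not yet available in phase 1.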