
Modsecurity OWASP Core Rule Set - base64 false positive rule 941170

We are using ModSecurity 3.X for NGINX with the OWASP Core Rule Set.

We have a problem with base64-encoded images and rule 941170.

The pattern of the rule is:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\("

Log:

HTTP/1.1 200
Access-Control-Max-Age: 600
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Set-Cookie: SESSION_ID=b57248f3aa2ac2c169e664b1862e49ed_; path=/
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Date: Wed, 06 Oct 2021 16:06:52 GMT
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Type: text/xml; charset=utf-8; boundary=xYzZY
Access-Control-Expose-Headers: Content-Security-Policy, Location
Content-Length: 67
Server: nginx
Pragma: no-cache
Access-Control-Allow-Origin: *

---RleKJMgH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\ (188 characters omitted)' against variable `ARGS:screen' (Value: ` (47619 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "236"] [id "941170"] [rev ""] [msg "NoScript XSS InjectionChecker: Attribute Injection"] [data "Matched Data: data:image/jpeg; found within ARGS:screen:  (47576 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref "o0,16v1288,47719t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref ""]

Right now we are using the directive SecRuleUpdateTargetById 941170 "!ARGS:screen", but that way the rest of the checks are not applied.

Is there any way to modify the rule's pattern so that it does not detect base64 as NoScript XSS InjectionChecker: Attribute Injection?

The SecRuleUpdateTargetById rule exclusion you are using looks fine to me.

To be clear, the effect of that rule exclusion is:

  • Rule 941170 no longer applies to the screen argument
  • Rule 941170 still applies to all other arguments as usual
  • All other rules still apply to all arguments, including screen, as usual

Is there any reason you are unhappy with this?

If you are running a very high-security setup, meaning that the SecRuleUpdateTargetById rule exclusion is too coarse for you, I would make two suggestions:

  • If it fits your web application, restrict the rule exclusion for rule 941170 so that it applies to the screen argument only for a given location (e.g. only for requests to /login.php)

  • Restrict the rule exclusion for rule 941170 so that it applies to the screen argument only when screen begins with the string data:image/jpeg;base64

You could even combine the two suggestions to make it very specific.

If one or both of these sound applicable to your situation, let me know if you need help putting these rule exclusions together.

Also, out of interest, what paranoia level are you currently running at?


Regarding your suggestion to modify the regular expression of rule 941170: modifying third-party rules, such as Core Rule Set rules, directly is a bad idea. You essentially end up creating your own fork of the rule set, and you become responsible for maintaining any modifications you make. Upgrading the rule set becomes difficult: you have to remember to keep re-applying, and possibly changing, your modifications. In short: rule exclusions are the way to go!


Update

The second rule exclusion described above could look like this:

#
# -- CRS Rule Exclusion: 941170 - NoScript XSS InjectionChecker: Attribute
#                                 Injection
#
# Disable this rule for the "screen" argument when it begins with the string
# "data:image/jpeg;base64,". This resolves a false positive caused by base64
# encoded images.
#
SecRule ARGS:screen "@beginsWith data:image/jpeg;base64," \
    "id:1000,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941170;ARGS:screen"

The exclusion needs to be placed before the directive that includes the Core Rule Set.
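As an added illustration (not code from the question, the answer, or the CRS project), the following Python script compiles the 941170 regex quoted in the question and shows why a base64 JPEG data URI trips it, then models the two exclusion strategies discussed in the thread: the blanket SecRuleUpdateTargetById exclusion and the conditional @beginsWith exclusion from the update. The argument values are constructed, and the script matches the raw value, skipping the CRS transformation chain (urlDecodeUni, htmlEntityDecode, etc.) that the real rule applies first.

```python
import re

# Regex of CRS rule 941170 (OWASP_CRS/3.2.0) as quoted in the question above.
# ModSecurity runs a transformation chain first (utf8toUnicode, urlDecodeUni,
# htmlEntityDecode, jsDecode, cssDecode, removeNulls); this script matches the
# raw value instead, which is enough to reproduce the false positive.
RULE_941170 = re.compile(
    r"(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))"
    r"|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)"
    r"|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))"
    r"|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()"
    r"|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\("
)

# Prefix checked by the conditional exclusion in the answer's update.
EXCLUDED_PREFIX = "data:image/jpeg;base64,"

# Rule 941170 is CRITICAL (+5); the log shows rule 949110 blocking at a score of 5.
CRITICAL_SCORE = 5
INBOUND_THRESHOLD = 5

# Constructed sample values: truncated base64 JPEG and PNG headers (not from the page).
JPEG_DATA_URI = "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsL"
PNG_DATA_URI = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR4nGNgYGBgAAAABQABh6FO1AAAAABJRU5ErkJggg=="


def match_941170(value):
    """Return what ModSecurity would log as 'Matched Data', or None if 941170 does not fire."""
    m = RULE_941170.search(value)
    return m.group(0) if m else None


def evaluate(args, exclusion="none"):
    """Run rule 941170 over request arguments under one of three configurations.

    "none"        - stock CRS, every argument is inspected
    "blanket"     - SecRuleUpdateTargetById 941170 "!ARGS:screen"
    "conditional" - SecRule ARGS:screen "@beginsWith data:image/jpeg;base64," ...
                    ctl:ruleRemoveTargetById=941170;ARGS:screen
    Returns a list of (argument name, matched data) for every hit.
    """
    if exclusion not in ("none", "blanket", "conditional"):
        raise ValueError(f"unknown exclusion mode: {exclusion!r}")
    hits = []
    for name, value in args.items():
        if name == "screen" and exclusion == "blanket":
            continue  # target removed unconditionally
        if name == "screen" and exclusion == "conditional" and value.startswith(EXCLUDED_PREFIX):
            continue  # target removed only for JPEG data URIs
        matched = match_941170(value)
        if matched is not None:
            hits.append((name, matched))
    return hits


def inbound_decision(hits):
    """Mirror rule 949110: sum the anomaly score and compare it with the inbound threshold."""
    score = CRITICAL_SCORE * len(hits)
    return score, score >= INBOUND_THRESHOLD


if __name__ == "__main__":
    request = {"screen": JPEG_DATA_URI, "filename": "report.jpg"}
    for mode in ("none", "blanket", "conditional"):
        hits = evaluate(request, mode)
        score, blocked = inbound_decision(hits)
        print(f"{mode:12s} hits={hits} score={score} blocked={blocked}")
    # A PNG upload is not covered by the JPEG-only prefix and is still flagged.
    print("conditional, PNG:", evaluate({"screen": PNG_DATA_URI}, "conditional"))
```

The match comes from the data: branch of the regex, which accepts any mediatype followed by ; or , and so reports data:image/jpeg; exactly as the audit log does. The PNG case shows the trade-off of the conditional exclusion: it is narrower than the blanket one, so if the application also accepts other image types, the @beginsWith prefix has to cover them too or those uploads keep scoring 5 and get blocked at paranoia level 1.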
