Comments (6)
choptastic
commented on May 29, 2024
Hi there @dotsiadia ,
I'm just following up on this.
Were you able to solve the problem?
Given that it looks like the string "1c" is all it took for your ModSecurity to detect a SQL injection, that sounds like a really aggressive filter.
from nitrogenproject.com.
SserwangaV
commented on May 29, 2024
@choptastic It was affecting about 200 users per hour, I took a temporarily solution by removing that rule. The newcookie character set conflicts so much with the default OWASP ModSecurity Core Rule Set (CRS) to the extent that even after disabling that rule, It still get other false positive below affecting about 5 users per hour.
ModSecurity: Warning. Matched "Operator ``PmFromFile' with parameter unix-shell.data' against variable ``REQUEST_COOKIES_NAMES:$Path' (Value: $Path' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: $PATH found within REQUEST_COOKIES_NAMES:$Path: $path"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-3WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "154.230.176.22"] [uri "/"] [unique_id "157509529453.398563"] [ref "o0,5v248,5t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercaseo0,5v430,5t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
from nitrogenproject.com.
choptastic
commented on May 29, 2024
@dotsiadia Thanks for the followup.
The second error message actually looks to me like legit attack attempts, since it mentions (what looks to me):
[data "Matched Data: $PATH found within REQUEST_COOKIES_NAMES:$Path: $path"]
That looks to me like something arbitrarily adding a $Path:$path cookie to a request, and seems unrelated to the newcookie cookie. Or am I misreading your message?
from nitrogenproject.com.
SserwangaV
commented on May 29, 2024
@choptastic I suspected that is could be a legit attack until I vetted the user agent. I found out it is an android user agent on a certain phone brand that was only being affected. The user complained and we advised that they switch to our recommend user agents, Mozilla Firefox, Google Chrome, Opera, Safari. We could not risk removing that particular rule.
Is there something we can do and still keep the rule that was removed temporarily.
The same rule also affects the pageContext parameter.
from nitrogenproject.com.
choptastic
commented on May 29, 2024
Wow, interesting. Mind sharing which browser they were using that would set
such a suspicious looking cookie?
I'm very curious.
…-Jesse
On Mon, Dec 2, 2019, 1:28 AM dotsiadia ***@***.***> wrote:
@choptastic <https://github.com/choptastic> I suspected that is could be
a legit attack until I vetted the user agent. I found out it is an android
user agent on a certain phone brand that was only being affected. The user
complained and we advised that they switch to our recommend user agents,
Mozilla Firefox, Google Chrome, Opera, Safari. We could not risk removing
that particular rule.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12?email_source=notifications&email_token=AABNRHBGT5F44K6LDKD263LQWS2IXA5CNFSM4JQ7W7Q2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEFSQKSY#issuecomment-560268619>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABNRHBOOMFK3ZSQRWRTFATQWS2IXANCNFSM4JQ7W7QQ>
.
from nitrogenproject.com.
SserwangaV
commented on May 29, 2024
This is the request header.
GET / HTTP/1.1 User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; itel S31 Build/MRA58K) Cookie: $Version="1"; fbtest1="1pXDcjkI1MLVASken73aXQG8m2GdHqfGI5bWjoG1O3JoeeJKD4J0Q0c3S8V7YDcv2M";$Path="/";$Domain="domain.com"; newcookie="D23vPAuSdRTI190GnIKRqZ0XQMs3wNuh-...Y4nehH_g8HWxQAcMq4GKIvVSyiJ1GDdiuNVA5KLFDsoezpM-v7vGT7-yA";$Path="/";$Domain="domain.com" Host: domain.com Connection: Keep-Alive Accept-Encoding: gzip
We are even getting more suspicious, that this could be a genuine attacker using this particular user-agent because, it keeps appearing in the firewall logs!
from nitrogenproject.com.
Related Issues (6)
- NitrogenProject lacks /etc/app.config HOT 2
- Mobile demos HOT 1
- Autocomplete textbox HOT 9
- tutorial suggestion HOT 1
- expected output from wf:qs -> [] vs [[]] HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nitrogenproject.com.