Comments (4)
Hi @mirkodziadzka-avi, thanks for the report. Yes, this is an "old" and "known" problem, and I guess you saw the PR for modsec 3x :).
I'll review the whole rule set for all occurrences of TX:UPPER_CASE_VARIABLES, and make a PR for this issue - or feel free to make it.
Anyway (just for the sake of completeness), there is another way to fix it (but I'm sure your suggestion is more elegant and clearer, of course).
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 880c8c4..666f59b 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1130,7 +1130,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
- SecRule TX:/^HEADER_NAME_/ "@within %{tx.restricted_headers}" \
+ SecRule TX:/(?i)^HEADER_NAME_/ "@within %{tx.restricted_headers}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
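Review bot: the `(?i)` in the new selector makes the match case-insensitive but leaves the same key spelled two ways inside one chain: the setvar two lines above writes it as `tx.header_name_%{tx.0}` (lowercase) while the selector reads `HEADER_NAME_`. Matching the key as it is written, i.e. `SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \`, fixes the same failure without depending on the flag and keeps the selector consistent with the lowercase `tx.` names used elsewhere in this hunk.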
from owasp-modsecurity-crs.
First, there is a new PR which fixes this bug.
I did some research on how we use the TX variables in SecRules.
There are 3 rules where the variable contains a regex:
920450:
owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Lines 1133 to 1134 in cf57fd5
921180:
owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Lines 296 to 297 in cf57fd5
931130:
owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Lines 127 to 128 in cf57fd5
Only this one (920450) has the variable name in uppercase.
But there are many other occurrences of TX:VARIABLE, and in most cases the names are typed in uppercase too, e.g. TX:EXECUTING_PARANOIA_LEVEL, TX:PARANOIA_LEVEL, TX:INBOUND_ANOMALY_SCORE... Perhaps that's why the author created it like this.
I think using this form contradicts the naming convention.
Any opinion?
I'm going to make a PR for this issue soon.
> But there are many other occurrences of TX:VARIABLE, and in most cases the names are typed in uppercase too, e.g. TX:EXECUTING_PARANOIA_LEVEL, TX:PARANOIA_LEVEL, TX:INBOUND_ANOMALY_SCORE... Perhaps that's why the author created it like this.
Yes. But for normal access TX:foo and TX:FOO were always the same (case insensitive). And modsec did not change the behaviour. As far as I know this is true for all collections. And I can see a reason why this is (was?) a good thing to do.
I can also find a reason why regexes should be case sensitive by default. Although I do not know if the change between modsec 2 and 3 is on purpose or by accident.
By the way, thanks for the fix
> Yes. But for normal access TX:foo and TX:FOO were always the same (case insensitive). And modsec did not change the behaviour. As far as I know this is true for all collections. And I can see a reason why this is (was?) a good thing to do.

Sure, that's no problem, it works as well.

> I can also find a reason why regexes should be case sensitive by default. Although I do not know if the change between modsec 2 and 3 is on purpose or by accident.

I just found a short text about this behavior in the documentation:

> Variable names are case-insensitive.

So because it doesn't matter whether the variable is in lower- or uppercase, it also shouldn't matter when the rule references it with a regex - I assume this is an accident.

> By the way, thanks for the fix

You're welcome.
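As an added example (not code from the CRS project or from ModSecurity), the Python below models the behaviour discussed in this thread: a toy TX collection in which plain TX:name access is case-insensitive, as the documentation quoted above says, while a TX:/regex/ selector applies the regex as written, so the 920450 selector `^HEADER_NAME_` misses the keys that setvar wrote as `header_name_...` unless the pattern is lowercased or carries `(?i)`. It also includes a small scan, in the spirit of the manual survey in the second comment, that lists `TX:/regex/` selectors whose pattern contains uppercase letters without `(?i)`. The collection class and its lowercase-on-store rule are modelling assumptions, and the rule excerpt is constructed, not the real CRS file.

```python
import re


class TxCollection:
    """Toy model of the ModSecurity TX collection (an assumption made for
    this example, not the engine's real data structure).  Plain access is
    case-insensitive, as the ModSecurity reference says, while a regex
    selector TX:/.../ is run as written against the stored key names."""

    def __init__(self):
        self._vars = {}

    def setvar(self, name, value):
        # Modelling assumption: keys are normalised to lowercase on store so
        # that TX:foo and TX:FOO reach the same slot.
        self._vars[name.lower()] = value

    def get(self, name):
        return self._vars.get(name.lower())

    def select(self, pattern):
        # TX:/pattern/ -> every variable whose name the regex matches, with
        # the regex's own case sensitivity in force.
        rx = re.compile(pattern)
        return sorted(k for k in self._vars if rx.search(k))


def demo_920450(selector):
    """Replay the 920450 chain: the first rule stores tx.header_name_<name>
    for each request header name, the chained rule then selects those
    variables with TX:/regex/.  Returns the names the selector picks up."""
    tx = TxCollection()
    # Constructed request header names standing in for REQUEST_HEADERS_NAMES.
    for header_name in ("Host", "Proxy"):
        tx.setvar("header_name_" + header_name, "/" + header_name + "/")
    # Plain access stays case-insensitive in this model.
    assert tx.get("HEADER_NAME_PROXY") == "/Proxy/"
    return tx.select(selector)


# A CRS-style regex selector is TX:/regex/; the group captures the regex body.
TX_REGEX_SELECTOR = re.compile(r"\bTX:/((?:[^/\\]|\\.)*)/")


def find_case_sensitive_tx_selectors(conf_text):
    """Scan rule text for TX:/regex/ selectors whose pattern contains an
    uppercase letter and no (?i) flag, i.e. the ones that stop matching
    lowercase keys once the regex is applied case-sensitively.
    Returns a list of (line_number, pattern)."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        for m in TX_REGEX_SELECTOR.finditer(line):
            pattern = m.group(1)
            if re.search(r"[A-Z]", pattern) and "(?i)" not in pattern:
                hits.append((lineno, pattern))
    return hits


# Constructed rule excerpt (not the real CRS file): the original 920450
# selector, the (?i) variant from the diff, a lowercase variant, and a
# plain TX:NAME access that the scan should ignore.
SAMPLE_RULES = """\
# constructed excerpt for the example
SecRule TX:/^HEADER_NAME_/ "@within %{tx.restricted_headers}" "chain"
SecRule TX:/(?i)^HEADER_NAME_/ "@within %{tx.restricted_headers}" "chain"
SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" "chain"
SecRule TX:PARANOIA_LEVEL "@lt 2" "id:1,phase:1,pass,nolog"
"""

if __name__ == "__main__":
    for sel in ("^HEADER_NAME_", "(?i)^HEADER_NAME_", "^header_name_"):
        print(f"TX:/{sel}/ selects {demo_920450(sel)}")
    print("case-sensitive selectors:", find_case_sensitive_tx_selectors(SAMPLE_RULES))
```

Running the block shows the original selector selecting nothing while both the `(?i)` form from the diff and the lowercase form select the two stored names; the scan reports only the sample line with the uppercase pattern and no flag, which is the check a rule-set review could automate instead of grepping by hand.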