Comments (7)
rcbarnett-zz
commented on August 11, 2024
I ran your test multipart payload through my own CRS install and the debug log showed this -
#####################################
T (0) htmlEntityDecode: ")(objectClass%3D_"
T (0) lowercase: ")(objectclass%3d_"
Transformation completed in 69 usec.
Executing operator "rx" with param "(?:((?:\W_?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W_?=|[^\w\x80-\xFF]?[!&|][^\w\x80-\xFF]?()|)[^\w\x80-\xFF]?([^\w\x80-\xFF]?[!&|])" against ARGS:.cgifields.
Target value: ")(objectclass%3d*"
Operator completed in 2 usec.
Rule returned 0.
#####################################
I believe the issue is that the %3d data is not being decoded to "=" as it is by default when it is when in a query_string. I would suggest you modify the rule to add in the t:urlDecodeUni tfns action and retest.
from owasp-modsecurity-crs.
utdpauls
commented on August 11, 2024
Ryan, thanks for your incredible responsiveness. I implemented the rule with the addition of t:urlDecodeUni in the custom rule set and reran the LDAP Injection attacks.
That one change stopped every attack dead in its tracks except this one (some vals obfuscated):
GET /application/?)(objectClass= HTTP/1.1
2 Host: hostname.utdallas.edu
3 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/20080630 Firefox/3.0
4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
5 Accept-Language: en-us,en;q=0.5
6 Accept-Encoding:
7 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
8 Keep-Alive: 15
9 Connection: keep-alive
10 X-Cenzic-Spider-Send-HeadRequest: true
11 Referer: https://hostname.utdallas.edu/application/A-CS3341-FALL2013/
An incredible yield from one simple change.
from owasp-modsecurity-crs.
rcbarnett-zz
commented on August 11, 2024
I will test soon but this should be caught in the ARGS_NAMES collection.
from owasp-modsecurity-crs.
rcbarnett-zz
commented on August 11, 2024
In looking at the debug log - this payload does not match as the regex is looking for a trailing "=" however when ModSecurity is parsing the query string value, it breaks up the data using "=" as the separator for ARGS_NAMES and ARGS values.
What you could do would be to add QUERY_STRING to the SecRule variable list.
from owasp-modsecurity-crs.
rcbarnett-zz
commented on August 11, 2024
Did checking QUERY_STRING work for you?
from owasp-modsecurity-crs.
utdpauls
commented on August 11, 2024
I haven't tried that yet, but I'll do it now. I got sidetracked with other issues.
from owasp-modsecurity-crs.
fgsch
commented on August 11, 2024
This is long overdue. If this is still a problem please reopen it.
from owasp-modsecurity-crs.
Related Issues (20)
- SOAPUI SOAP Tx multipart/related call False Positive id: 920470 HOT 4
- DOS protection is invalid
- Crazy Long Processing time of XML of a certain kinda payload body. HOT 2
- Easy to trigger these rule id blocks just with keywords [932115, 942360]
- DoS rule triggering with static (png) file
- SQLi bypass at PL1(CRS 3.2.0) HOT 1
- JSON Payloads process significantly slower (600%) than XML Payloads of a similar size and format HOT 9
- XSS Attack Detected via libinjection for AWS AWSALBCORS Cookie HOT 4
- Block QQGameHall in UA HOT 4
- Monthly Chat Agenda April (2020-04-06) HOT 1
- NextCloud False Positive HOT 9
- WordPress JetPack False Positive
- Rule 920450 and modsec 3x HOT 4
- Password Scrubbing within the libinjection rule HOT 1
- Monthly Chat Agenda May (2020-05-04) HOT 1
- rule 920300 title / details mismatch HOT 1
- Note config change of tx.allowed_request_content_type in the v3.3 release notes
- false positive on rule 932110
- Incompatible with ModSecurity 3.x? HOT 1
- False positive with WordPress when hosted from http://example.com/update-prefix HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-modsecurity-crs.