Comments (4)
Original reporter: samiux
from owasp-modsecurity-crs.
brectanus: I'll repeat my comments on this here...
I agree, it is still an issue, but it is one of "Impedance Mismatch".
This is documented here:
And a blog on it here:
http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637
ModSecurity was designed in an Apache centric manner and with Apache
centric technologies in mind (PHP especially as that was what Ivan was
using at the time). So, adding IIS specifics to ModSecurity may make
sense in your case, it may cause some strange side effects in most other
installs -- especially when not used as a reverse proxy.
What needs to be done -- and some thought has gone into it -- is to have
a setting that allows ModSecurity to know what flavor of webserver it is
trying to protect and what technologies are being used. Only then
should it try to workaround issues like you are seeing. If it tries to
guess, it will get it wrong.
You have some other options (workarounds, but require some effort):
- Use QUERY_STRING, REQUEST_BODY and HTTP_HEADERS:Cookie instead of ARGS. This will give you the raw data to match against. You will need to modify rule patterns accordingly.
- Extend ModSecurity and add another target variable or two (ASP_ARGS, ASPNET_ARGS maybe). ModSecurity has an API for doing this. An example is included in the source (apache2/api/mod_var_remote_addr_port.c).
If you do go the extension route, I am available to answer questions
(well, the mod-users list is). And if it is quality code, then release
it back to us and maybe we can include it in a future version of
ModSecurity.
While it is an issue, it is also a fairly common issue among WAF/IDS/IPS
and one that is rather difficult to solve. Essentially ModSecurity
needs to know how things are parsed by the web app and it can only know
that if you tell it the specifics. In this case, it is just rather
difficult to tell it without some dev efforts in rules and/or additional
targets.
brectanus: Adding Ryan Barnett's comment with a workaround...
Here is the rule to detect if there are multiple parameters submitted that have the same name -
SecRule ARGS_NAMES "." "chain,phase:2,t:none,nolog,pass,capture,setvar:'tx.arg_name%{tx.0}=+1',msg:'Multiple Parameters with the same Name.'"
SecRule TX:/ARG_NAME__/ "@gt 1"
As you can see, we are simply creating a TX collection using macro expansion for the variable name and we are incrementing a counter each time we see a parameter. The 2nd part of the chained rule is then evaluating the TX collection to see if any of them are greater than 1. Keep in mind that this isn't a direct HTTP Parameter Pollution rule per se, as it may in fact be legitimate functionality of your app to have multiple parameters with the same name. This rule works to alert you to where those occurrences are happening. If you find that this is legit functionality, you could incorporate an exception into the rule to exclude those specific parameter names.
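The two comments above, as an added example that is not part of the thread: a small Python emulation of what the chained rule does (one counter per parameter name, flag any name seen more than once, with the exception list Ryan suggests), followed by the "impedance mismatch" Brian describes, i.e. the same query string resolved the way different backends would read a repeated name. The per-backend behaviours (PHP last value wins, ASP/ASP.NET joins with a comma, first value wins) are assumptions stated here, not something the thread specifies.

```python
from collections import Counter
from urllib.parse import parse_qsl


def args_names(query_string: str) -> list[str]:
    """Rough equivalent of ModSecurity's ARGS_NAMES for a query string: every
    name in order, duplicates included, blank values kept."""
    return [name for name, _ in parse_qsl(query_string, keep_blank_values=True)]


def count_arg_names(query_string: str) -> dict[str, int]:
    """First rule of the chain: one tx.arg_name_<name> style counter per parameter,
    incremented each time that name appears (keyed by full name here)."""
    return dict(Counter(args_names(query_string)))


def duplicate_arg_names(query_string: str, allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Second rule of the chain: names whose counter is @gt 1, minus the exception
    list for parameters the application legitimately repeats."""
    return sorted(name for name, count in count_arg_names(query_string).items()
                  if count > 1 and name not in allowlist)


def backend_views(query_string: str) -> dict[str, dict[str, str]]:
    """Assumed, commonly documented behaviours for a repeated name: PHP keeps the last
    value, ASP/ASP.NET joins all values with a comma, and a component that only looks
    at the first occurrence sees yet another string. A WAF that picks one of these
    while the application uses another is the impedance mismatch from the thread."""
    values: dict[str, list[str]] = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    return {
        "php_last_wins": {n: v[-1] for n, v in values.items()},
        "aspnet_comma_join": {n: ",".join(v) for n, v in values.items()},
        "first_wins": {n: v[0] for n, v in values.items()},
    }


if __name__ == "__main__":
    # Constructed sample: 'tag' is legitimately repeated by the app, 'id' is not.
    qs = "id=1&tag=a&tag=b&id=2"
    print(duplicate_arg_names(qs))                                 # ['id', 'tag']
    print(duplicate_arg_names(qs, allowlist=frozenset({"tag"})))   # ['id']
    for backend, view in backend_views(qs).items():
        print(backend, view)
```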
rcbarnett: We added this HTTP Parameter Pollution (HPP) rule to the CRS v.2.0.0.