Hello there. I'm having some trouble with this rule in the 2.0.9 ruleset.
There does not seem to be any appreciable difference in the latest
version, so I'm going to have to toss this out to the community.
I realize that this is part of a series of chained rules, but this is the
one that's tripping me up:
SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
  "phase:2,rev:'2.0.9',t:none,pass,nolog,auditlog,status:400,msg:'Multiple URL Encoding Detected',id:'950109',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
I've seen some threads where it's said that there is an implicit decode of
the ARGS collection upon loading, but I can't find any evidence of it
happening.
In this specific case, a username field gets appended with '@something'
upon submit, and even though the login form contains virtually no other
data, we get a positive.
It seems to me like this rule is finding urlencoded data in a POST body
that was specifically set up to be urlencoded. There's no t:urlDecode in
the rule, so it's tripping on normal traffic. I can't even say it's a
'false positive'.
What am I missing?
Thanks in advance.
Nik Ogura
Application Systems Administrator
MSA Apache Group
US Bank, NA
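An added example, not part of the post above, that runs the regex from rule 950109 over form parameters the way the rule sees them. It assumes that ModSecurity fills ARGS with parameter values it has already percent-decoded once while parsing an application/x-www-form-urlencoded body, and models that step with urllib.parse; the rule applies t:none, so no further decoding happens before the regex runs. It also shows a caveat of the regex itself: its first branch matches a bare '%' followed by any word character, so a decoded value such as "50%off" trips it as well as a genuinely double-encoded one.

```python
import re
from urllib.parse import parse_qsl

# Operator regex taken verbatim from CRS 2.0.9 rule 950109:
#   branch 1: '%' followed by a word char (zero-width lookahead)
#   branch 2: '%' followed by two hex digits
#   branch 3: '%u' followed by four hex digits
MULTI_ENCODING_RE = re.compile(r"\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def parse_args(body: str) -> dict:
    """Model ModSecurity populating ARGS from a form body.

    Assumption (stated in the lead-in): each value is percent-decoded exactly
    once when the engine parses the form body, before any rule runs.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


def rule_950109_hits(args: dict) -> list:
    """Return the (name, value) pairs the rule would flag.

    Mirrors t:none in the rule: the regex is applied to the ARGS value as-is,
    with no extra t:urlDecode pass.
    """
    return [(name, value) for name, value in args.items()
            if MULTI_ENCODING_RE.search(value)]


if __name__ == "__main__":
    # Constructed sample bodies (not from the post's traffic):
    samples = {
        "single-encoded '@'": "username=nik%40something&password=x",
        "double-encoded '@'": "username=nik%2540something&password=x",
        "literal percent sign": "note=50%25off",
    }
    for label, body in samples.items():
        args = parse_args(body)
        print(f"{label:22} ARGS={args}  hits={rule_950109_hits(args)}")
```

Once the form decoding has run, "nik%40something" becomes "nik@something" and no longer contains a '%', so only the double-encoded and literal-percent cases remain for the regex to match.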
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set