Hello all,
I'm using mod_security 2.7.7 on nginx, and I have a problem with the OWASP
CRS/2.2.9:
The rules in modsecurity_crs_30_http_policy.conf that should allow GET, HEAD,
POST and OPTIONS always trigger, even for a GET. Similarly, the rule for the
Content-Type header won't allow "application/json", even though that should be
allowed. These rules have not been edited from their default:
SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json',
\
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}"
"phase:1,t:none,block,msg:'Method is not allowed by
policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:1,chain,t:none,block,msg:'Request content type is not allowed by
policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
SecRule TX:0 "!^%{tx.allowed_request_content_type}$"
"t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
If I try:
curl -k https://nginx/v2.0
I get:
==> modsec_debug.log <==
[25/Jul/2014:22:57:18 +0000] [/sid#1af8178][rid#1b1acf8][/v2.0][2] Warning.
Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required.
[file
"/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"]
[data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
[accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag
"WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag
"PCI/12.1"]
==> access.log <==
10.154.96.140 - - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 612 "-"
"curl/7.33.0"
==> modsec_audit.log <==
10.154.96.140 - [25/Jul/2014:22:57:18 +0000] "GET /v2.0 HTTP/1.1" 200 0 "-"
"-" AcALAc5cA9ncAcAcucAcAcAc "-"
/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc 0 1231
md5:41b0733d42240146fc9df3f80ba8936d
# more audit/20140725/20140725-2257/20140725-225718-AcALAc5cA9ncAcAcucAcAcAc
--b5d00648-A--
[25/Jul/2014:22:57:18 +0000] AcALAc5cA9ncAcAcucAcAcAc 10.154.96.140 63740
127.0.0.1 80
--b5d00648-B--
GET /v2.0 HTTP/1.1
Host: nginx
User-Agent: curl/7.33.0
Accept: */*
--b5d00648-F--
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 612
Connection: keep-alive
--b5d00648-E--
--b5d00648-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against
"REQUEST_METHOD" required. [file
"/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by policy"]
[data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"]
[accuracy "9"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"]
[tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Apache-Handler: IIS
Stopwatch: 1406329038000190 555175 (- - -)
Stopwatch2: 1406329038000190 555175; combined=1179, p1=365, p2=592, p3=5,
p4=144, p5=73, sr=18, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for nginx (STABLE)/2.7.7 (http://www.modsecurity.org/);
OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"
--b5d00648-Z-
If I try to request a content-type of application/json (which *should* be
allowed), I get the following:
[25/Jul/2014:23:04:05 +0000] [/sid#1af8178][rid#24f3f38][/v2.0/][2] Warning.
Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required.
[file
"/usr/local/nginx/conf/modsec/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed
by policy"] [data "application/json"] [severity "CRITICAL"] [ver
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
If anyone has any idea then I would be very grateful!!!
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
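Added example (not part of the post, and not ModSecurity or CRS code): a small Python model of the two policy rules quoted above, showing how 960032 (`!@within %{tx.allowed_methods}`) and the 960010 chain (`!^%{tx.allowed_request_content_type}$` against the captured media type) evaluate once the macros are expanded. The TX values come from the SecAction 900012 quoted in the post; the `{}` case models the assumption that an unset TX variable expands to an empty string, which is one condition under which both rules fire for GET and for application/json exactly as the logged messages show. The `@within` and macro-expansion helpers are simplified stand-ins, not the engine's implementation.

```python
import re
from typing import Dict, List, Optional

# Constructed from the SecAction 900012 values quoted in the post; this dict
# stands in for ModSecurity's TX collection after the setup file has run.
SETUP_TX: Dict[str, str] = {
    "allowed_methods": "GET HEAD POST OPTIONS",
    "allowed_request_content_type": (
        "application/x-www-form-urlencoded|multipart/form-data|text/xml"
        "|application/xml|application/x-amf|application/json"
    ),
}


def expand_macros(text: str, tx: Dict[str, str]) -> str:
    """Expand %{tx.name} references. Assumption: an unset TX variable expands
    to the empty string, as a missing collection member does in ModSecurity."""
    return re.sub(r"%\{tx\.([A-Za-z0-9_]+)\}", lambda m: tx.get(m.group(1), ""), text)


def op_within(needle: str, haystack: str) -> bool:
    """@within: true when the variable value occurs anywhere inside the
    macro-expanded parameter. It is a plain substring test, not a token test."""
    return needle in haystack


def rule_960032_fires(method: str, tx: Dict[str, str]) -> bool:
    """SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" ... (negated operator)."""
    haystack = expand_macros("%{tx.allowed_methods}", tx)
    return not op_within(method, haystack)


def rule_960010_fires(method: str, content_type: Optional[str], tx: Dict[str, str]) -> bool:
    """Three-link chain quoted in the post: method outside GET/HEAD/PROPFIND/OPTIONS,
    then capture the media type before any ';', then TX:0 must match the allowed list."""
    if re.match(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", method):
        return False            # first link does not match, chain stops
    if content_type is None:
        return False            # no header, so the second link has nothing to capture
    m = re.match(r"^([^;\s]+)", content_type)
    if not m:
        return False
    tx0 = m.group(1)            # the 'capture' action stores this as TX:0
    pattern = expand_macros("^%{tx.allowed_request_content_type}$", tx)
    return re.search(pattern, tx0) is None   # negated @rx: fires when nothing matches


def evaluate(method: str, content_type: Optional[str], tx: Dict[str, str]) -> List[str]:
    """Return the ids of the policy rules that would fire for this request."""
    fired: List[str] = []
    if rule_960032_fires(method, tx):
        fired.append("960032")
    if rule_960010_fires(method, content_type, tx):
        fired.append("960010")
    return fired


if __name__ == "__main__":
    for label, tx in (("setup loaded", SETUP_TX), ("setup missing", {})):
        print(label,
              "GET:", evaluate("GET", None, tx),
              "POST json:", evaluate("POST", "application/json; charset=utf-8", tx))
```

With the TX values from 900012 present, a GET and a POST of application/json pass both rules, while a POST of text/plain trips 960010 only; with the TX collection empty, `@within ""` rejects every method and `^$` rejects every media type, so both rules fire on otherwise allowed requests. Checking the effective value of `tx.allowed_methods` in the debug log at the point rule 960032 runs is the quickest way to tell the two situations apart.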