Hi there,

Lately, I have encountered a successful redirect attack on an
application server protected by ModSec / CoreRules.

Here is the request against a vanilla ModSec Install 
(2.9.0, latest core rules):
$> curl -v "http://localhost/submit?file=foo.txt%0D%0ARefresh:%201;%20url=http:www.example.com"

Here is the only rule that triggers:
981173 Restricted SQL Character Anomaly Detection Alert - Total # ...

[Tue Mar 03 06:11:40.733143 2015] [:error] [pid 983:tid 139737876645632] 
[client 127.0.0.1] ModSecurity: Warning. Pattern match 
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}"
 at ARGS:file. [file 
"/core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id 
"981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - 
Total # of special characters exceeded"] [data "Matched Data: : found within 
ARGS:file: foo.txt\\x0d\\x0aRefresh: 1; url=http:www.example.com"] [ver 
"OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "Local Lab Service"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri "/submit"] 
[unique_id "VPVCjH8AAQEAAAPXe50AAAAH"]

This brings a score of 3, which is really low and below a sane
limit for the said legacy app, which had to be tuned in far too
many aspects already.

Does anybody have a good idea on how to protect against this
_class_ of attacks? Obviously, it's a weak spot for the core rules.
Maybe an extension is due.

Ahoj,

Christian

-- 
If you have men who will only come if they know there is a good road, 
I don't want them. I want men who will come if there is no road at all.
-- David Livingstone
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
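The request in the post is a CRLF header injection (a `Refresh:` header smuggled into a parameter), not SQL injection, which is why only the special-character counting rule fired. As an added example that is not part of the original post or of the OWASP CRS, here is the detection logic a dedicated rule would apply, written in Python so it can be run against the exact request above: decode each argument (a simplified stand-in for `t:urlDecodeUni`), flag a CR/LF followed by a header name, and include the application-side check a defender would want alongside the WAF rule.

```python
import re
from urllib.parse import unquote

# CR or LF, optional blanks, then "Header-Name:" as a browser or proxy
# would parse the start of a new response header line.
HEADER_INJECTION = re.compile(r"[\r\n]+[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*:")

def split_raw_query(query_string):
    """Split a=b&c=d into (name, raw_value) pairs without decoding the
    value, so that decoding stays under our control below."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote(name), value))
    return pairs

def decode_rounds(value, rounds=2):
    """Yield the value after each URL-decoding pass, stopping early when it
    no longer changes. The second round catches %250D%250A, which only
    matters if the application decodes again before using the value.
    Simplified stand-in for t:urlDecodeUni (no %uXXXX handling)."""
    for _ in range(rounds):
        decoded = unquote(value)
        yield decoded
        if decoded == value:
            return
        value = decoded

def find_header_injection(query_string):
    """Return [(param, header_name)] for each parameter whose decoded
    value contains a CR/LF followed by something shaped like a header."""
    findings = []
    for name, raw in split_raw_query(query_string):
        for candidate in decode_rounds(raw):
            match = HEADER_INJECTION.search(candidate)
            if match:
                findings.append((name, match.group(1)))
                break
    return findings

def is_safe_header_value(value):
    """Application-side mitigation: anything copied into a response header
    (Location, Refresh, Set-Cookie, ...) must not contain CR or LF.
    Reject such values instead of trying to strip them."""
    return "\r" not in value and "\n" not in value
```

The same pattern, applied to `ARGS` after `t:urlDecodeUni`, is what a ModSecurity rule for this class of attack would match on; the regex deliberately accepts any header name rather than a fixed list.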
