What I am saying is that ModSecurity understands a properly formatted JSON request: one that has the Content-Type set to application/json and whose body is a JSON object. If you change the content type and the format of the body, then it should work.
On Thu, 10 Sep 2015 at 10:17 Ilyass Kaouam <[email protected]> wrote:
> Hi,
>
> Thank you for your reply.
> I don't know if I understood correctly. Now if I change the Content-Type
> to JSON, it should work?
> Thanks
>
> 2015-09-10 10:01 GMT+01:00 Adrián <[email protected]>:
>
>> Unfortunately, you are hitting an unsolved issue in ModSecurity: requests
>> which have a content type other than application/json but include JSON in
>> some of the parameters. ModSecurity doesn't know how to handle this and
>> treats the whole argument as one single variable, thus triggering multiple
>> rules that shouldn't be triggered if the JSON object was parsed
>> appropriately. There is an issue open in GitHub to support something like
>> t:jsonDecode to aid with these situations, but it hasn't been actioned yet.
>>
>> What you could do is, for those arguments you know are in JSON format,
>> create a rule that reduces the score of the anomaly detection rules. That
>> may do the trick for many cases.
>>
>> On Wed 9 Sep 2015 at 17:38 Ilyass Kaouam <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have this request:
>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig
>>>
>>> with these parameters:
>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>>>
>>> When I execute this request, ModSecurity blocks it.
>>>
>>> Log:
>>>
>>> --1354a526-A--
>>> [09/Sep/2015:17:48:39 +0200] VfBU138AAAEAAFm8PlQAAAAk XXX.XXX.XXX 53935 XXX.XXX.XXX 80
>>>
>>> --1354a526-B--
>>> POST /beta/servlet/EspaceClientServlet?Action=Ajax$SaveWidgetConfig HTTP/1.1
>>> Host: www.abc.com
>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
>>> Accept: */*
>>> Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
>>> Accept-Encoding: gzip, deflate
>>> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
>>> X-Requested-With: XMLHttpRequest
>>> Referer: http://www.abc.com/beta/servlet/EspaceClientServlet?plateform=new
>>> Content-Length: 413
>>> Cookie: JSESSIONID=6B370AFFEA03BE2B80F916C5755EEEC5; __utma=37027576.1259853019.1435675370.1441795926.1441813263.22; __utmz=37027576.1435675370.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); style=null; JSESSIONID=DACE18AC3CBA86CAF59264F47E99B028; __utmc=37027576; __utmb=37027576.3.10.1441813263
>>> Connection: keep-alive
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>>
>>> --1354a526-C--
>>> left={ mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }&right={ mod : 'mod-surveillance-implicit', hidden : 0, collapsed : 0 }, { mod : 'mod-dernieres-creations', hidden : 0, collapsed : 0 }, { mod : 'mod-service', hidden : 0, collapsed : 1 }, { mod : 'mod-recherche', hidden : 0, collapsed : 0 }
>>>
>>> --1354a526-F--
>>> HTTP/1.1 403 Forbidden
>>> Content-Length: 296
>>> Connection: close
>>> Content-Type: text/html; charset=iso-8859-1
>>>
>>> --1354a526-E--
>>>
>>> --1354a526-H--
>>> Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:left. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:left: { mod : 'mod-historique', hidden : 0, collapsed : 0 }, { mod : 'mod-cercle-inforisk', hidden : 0, collapsed : 0 }, { mod : 'mod-graph', hidden : 0, collapsed : 0 }"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
>>> Action: Intercepted (phase 2)
>>> Apache-Handler: proxy-server
>>> Stopwatch: 1441813719351394 3237 (- - -)
>>> Stopwatch2: 1441813719351394 3237; combined=2824, p1=202, p2=2592, p3=0, p4=0, p5=30, sr=26, sw=0, l=0, gc=0
>>> Response-Body-Transformed: Dechunked
>>> Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
>>> Server: Apache/2.2.15 (CentOS) DAV/2
>>> Engine-Mode: "ENABLED"
>>>
>>> --1354a526-Z--
>>>
>>> How can I allow a request like this safely?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> [email protected]
>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
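One way to implement the per-argument whitelisting Adrián suggests, as an added example that is not from the thread: instead of lowering the anomaly score, it removes only ARGS:left and ARGS:right from the targets of rule 981173, and only for the servlet action shown in the posted log. The path, the argument names, the Action value and rule id 981173 come from the audit log; the rule id 1000001 is an assumption and must be a free id in your own configuration.

```apache
# Added example (not from the thread): keep CRS rule 981173 active everywhere,
# but stop it from inspecting the two arguments that carry the JSON-like widget
# layout on this one servlet action. Path, argument names, Action value and
# 981173 come from the posted audit log; rule id 1000001 is an assumption.
#
# Phase 1 runs before 981173 (phase 2), so the ctl: actions are already in
# effect when ARGS:left and ARGS:right are evaluated. Every other CRS rule still
# sees both arguments, and 981173 still sees every other argument of the request,
# which is much narrower than disabling the rule with ctl:ruleRemoveById.
SecRule REQUEST_FILENAME "@streq /beta/servlet/EspaceClientServlet" \
    "id:1000001,phase:1,t:none,nolog,pass,chain"
    # Second link: only the widget-save action gets the exclusion. The ctl:
    # actions sit on the last rule of the chain so they fire only when the
    # whole chain has matched, not whenever the path alone matches.
    SecRule ARGS_GET:Action "@streq Ajax$SaveWidgetConfig" \
        "t:none,\
        ctl:ruleRemoveTargetById=981173;ARGS:left,\
        ctl:ruleRemoveTargetById=981173;ARGS:right"
```

After reloading, replay the request from the log and confirm the audit log no longer shows 981173 for ARGS:left, while a request with the same argument names on a different path is still scored.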
