ModSecurity OWASP Core Rule Set - base64 false positive rule 941170

We use ModSecurity 3.X for NGINX with the OWASP Core Rule Set.

We have a problem with images in base64 and rule 941170.

The rule's pattern is:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\(\[\.<]|[\s\S]*?(?:\bname\b|\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\("

Log:

HTTP/1.1 200
Access-Control-Max-Age: 600
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Set-Cookie: SESSION_ID=b57248f3aa2ac2c169e664b1862e49ed_; path=/
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Date: Wed, 06 Oct 2021 16:06:52 GMT
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Type: text/xml; charset=utf-8; boundary=xYzZY
Access-Control-Expose-Headers: Content-Security-Policy, Location
Content-Length: 67
Server: nginx
Pragma: no-cache
Access-Control-Allow-Origin: *

---RleKJMgH---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\(\[\.<]|[\s\S]*?(?:\bname\b|\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\ (188 characters omitted)' against variable `ARGS:screen' (Value: ` (47619 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "236"] [id "941170"] [rev ""] [msg "NoScript XSS InjectionChecker: Attribute Injection"] [data "Matched Data: data:image/jpeg; found within ARGS:screen:  (47576 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref "o0,16v1288,47719t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.1"] [uri "/wsrfef.subirArchivo"] [unique_id "1633536412"] [ref ""]

Right now we are using the directive SecRuleUpdateTargetById 941170 "!ARGS:screen", but then the rest of the checks are not applied.

Is there any way to modify the rule's pattern so that it doesn't detect base64 as NoScript XSS InjectionChecker: Attribute Injection?

Update

I have another false positive: a page named /organirama with buttons that have the btn-warning class. OWASP detects the page name and the btn-warning class as Oracle SQL Information Leakage.

---X96Job8w---A--
[26/Oct/2021:09:43:43 +0200] 1635234223 2.152.144.73 57524 10.10.2.11 443
---X96Job8w---B--
GET /organigrama HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Fetch-Site: same-origin
sec-ch-ua-platform: "Windows"
Referer: domain.net/inicio
Upgrade-Insecure-Requests: 1
sec-ch-ua-mobile: ?0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Fetch-User: ?1
Connection: keep-alive
Sec-Fetch-Mode: navigate
Host: domain.net
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=06699c6dd9769a905e968ba2932edd75
Accept-Language: es-ES,es;q=0.9

---X96Job8w---D--

---X96Job8w---E--

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)' against variable `RESPONSE_BODY' (Value: `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\x0a<html>\x0a  <head>\x0a    <!--\x0 (304143 characters omitted)' ) [file "/etc/nginx/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "69"] [id "951120"] [rev ""] [msg "Oracle SQL Information Leakage"] [data "Matched Data: warning" title="F\xc3\xbatbol  -  Infantil  -  Infantil +40 Masculino">\x0d\x0a              <strong>F\xc3\xbatbol  -  Infantil  -  Infantil +40 Masculino</strong>\x0d\x0a            </button>\x0d\x0a          </div> (420740 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-oracle"] [tag "attack-disclosure"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/116/54"] [hostname "192.168.1.1"] [uri "/organigrama"] [unique_id "1635235649"] [ref "o33323,193787v756,227110"]
ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "68"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.1.1"] [uri "/organigrama"] [unique_id "1635235649"] [ref ""]

I tried to not apply the rule to the RESPONSE_BODY, but it keeps catching it:

SecRule REQUEST_FILENAME "@beginsWith /organigrama" \
    "id:1030,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=959100;RESPONSE_BODY"

I think the SecRuleUpdateTargetById rule exclusion you've presented is good.

To be explicit, the effect of that rule exclusion is:

  • Rule 941170 no longer applies to the screen parameter
  • Rule 941170 still applies to all other parameters as normal
  • All other rules still apply to all parameters, including screen, as normal

What is it about this that you're unhappy with?

If you're running a very high security setup, meaning the SecRuleUpdateTargetById rule exclusion is too coarse, I would make two suggestions:

  • If it applies to your web application, limit the rule exclusion for rule 941170 so that it applies to the screen parameter only for a given location (e.g. only for requests to /login.php)

  • Limit the rule exclusion for rule 941170 so that it applies to the screen parameter only when screen begins with the string data:image/jpeg;base64

You could even combine these two suggestions to be very specific.

If one or both of these sound applicable to your situation, let me know whether you'd like help putting these rule exclusions together.

Also, out of interest, what paranoia level are you currently running at?


Regarding your suggestion to modify the regular expression of rule 941170: it's a bad idea to directly modify third-party rules such as Core Rule Set rules. You effectively end up creating your own fork of the rule set, and you become responsible for maintaining any modifications you make. Upgrading the rule set becomes difficult: you have to remember to keep re-applying, and possibly changing, your modifications. In short: rule exclusions are the way to go!


Update

The second rule exclusion described above might look something like this:

#
# -- CRS Rule Exclusion: 941170 - NoScript XSS InjectionChecker: Attribute
#                                 Injection
#
# Disable this rule for the "screen" argument when it begins with the string
# "data:image/jpeg;base64,". This resolves a false positive caused by base64
# encoded images.
#
SecRule ARGS:screen "@beginsWith data:image/jpeg;base64," \
    "id:1000,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941170;ARGS:screen"

The exclusion needs to be placed before the directive that includes the Core Rule Set.


Update 2

Regarding your second false positive: are you running an Oracle SQL server? Rule 951120 is Oracle SQL specific. If you're not running such a server, I would suggest disabling the rule, like so:

#
# -- CRS Rule Exclusion: 951120 - Oracle SQL Information Leakage
#
# Disable this Oracle SQL specific rule, as the rule causes false positives for
# the /organirama page and the Oracle SQL server/service is not in use.
#
SecRuleRemoveById 951120

This exclusion needs to be placed after the directive that includes the Core Rule Set.
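To make the difference between the question's broad exclusion and the answer's conditional one concrete, here is an added Python simulation (not code from the question, the answer, ModSecurity or the CRS project). It takes the 941170 regex verbatim from the question and the critical score and inbound threshold of 5 from the question's log; scoring once per matching argument is a simplification of CRS anomaly scoring, and the sample base64 values are constructed.

```python
import re

# Regex of CRS rule 941170 exactly as quoted in the question (OWASP_CRS/3.2.0).
RULE_941170 = re.compile(
    r"""(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\(\[\.<]|[\s\S]*?(?:\bname\b|\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\("""
)

# From the question's log: 941170 adds the critical score (5) and rule 949110
# blocks once TX:ANOMALY_SCORE reaches 5 (paranoia level 1 defaults).
CRITICAL_SCORE = 5
INBOUND_THRESHOLD = 5
JPEG_PREFIX = "data:image/jpeg;base64,"


def targets_for_941170(args, exclusion):
    """Return the ARGS that rule 941170 still inspects under a given exclusion.

    "broad"  mimics SecRuleUpdateTargetById 941170 "!ARGS:screen" (the question):
             screen is never inspected, whatever it contains.
    "narrow" mimics ctl:ruleRemoveTargetById=941170;ARGS:screen (the answer),
             which only fires when screen begins with data:image/jpeg;base64,.
    "none"   applies no exclusion at all.
    """
    targets = dict(args)
    if exclusion == "broad":
        targets.pop("screen", None)
    elif exclusion == "narrow" and args.get("screen", "").startswith(JPEG_PREFIX):
        targets.pop("screen")
    return targets


def evaluate(args, exclusion="none"):
    """Run the 941170 regex over the remaining targets and score the request.

    Simplification: one critical score per matching argument; other 941xxx
    rules are not modelled. Returns (matching arg names, score, blocked?).
    """
    matched = [name for name, value in targets_for_941170(args, exclusion).items()
               if RULE_941170.search(value)]
    score = CRITICAL_SCORE * len(matched)
    return matched, score, score >= INBOUND_THRESHOLD


if __name__ == "__main__":
    # Constructed sample values; the real request carried ~47 KB of base64.
    jpeg = {"screen": JPEG_PREFIX + "/9j/4AAQSkZJRgABAQ"}
    png = {"screen": "data:image/png;base64,iVBORw0KGgo"}   # not covered by the narrow exclusion
    raw = {"avatar": "/9j/4AAQSkZJRgABAQ"}                  # base64 without a data: URI prefix
    for label, req, excl in [("jpeg/none", jpeg, "none"), ("jpeg/narrow", jpeg, "narrow"),
                             ("png/narrow", png, "narrow"), ("png/broad", png, "broad"),
                             ("raw/none", raw, "none")]:
        print(label, evaluate(req, excl))
```

The raw case shows that the rule is triggered by the data: URI prefix, not by the base64 payload itself, and the png case shows that the conditional exclusion must be widened if the application sends other image types.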