Core OWASP ModSecurity - Allowing JSON


I have had ModSecurity with the core OWASP rule set version 2.2.5 installed for a few months, but a JSON endpoint on the site recently stopped responding, and the Apache log shows the following:

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "36"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Operator EQ matched 2 at TX:sticky_session_anomaly. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "37"] [id "981061"] [msg "Possible Session Hijacking - IP Address and User-Agent Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

I'm new to mod_security and the OWASP rules (I basically followed the guide here), but as far as I understand it, the rules are scored, and if a request exceeds a threshold it gets dropped. I think that is what I'm seeing here.

The last one is the one I'm concerned with - "application/json" should certainly be allowed. Looking at /etc/modsecurity/modsecurity_crs_10_setup.conf, I see:

setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'

My questions are:

1. Can I add application/json here to make the error go away?
2. Is that the right way to do it?

Yes, you can write it like this:

setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'

And yes, that is the right way to do it.
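The following is an added example, not code from the question, the answer or the CRS project. It emulates in Python how rule 960010 evaluates the Content-Type header as the log line above shows it: the media type (everything before the first ";" or whitespace) is captured into TX:0, and then the allowed list from setup.conf is substituted textually into the regex "^%{tx.allowed_request_content_type}$". The two allowed lists are copied from the question and the answer; the sample headers are constructed, and the case-sensitive comparison is an assumption (the log shows no transformation on the rule).

```python
import re
from typing import Dict, Optional

# Allowed list as quoted in the question (before) and in the answer (after).
ALLOWED_BEFORE = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml"
    "|application/xml|application/x-amf"
)
ALLOWED_AFTER = ALLOWED_BEFORE + "|application/json"

# First part of the chained rule: capture the media type into TX:0.
# Parameters such as "; charset=utf-8" are deliberately left out of the capture.
MEDIA_TYPE = re.compile(r"^([^;\s]+)")


def media_type(content_type: str) -> Optional[str]:
    """Return what rule 960010 would store in TX:0 for this header value."""
    m = MEDIA_TYPE.match(content_type)
    return m.group(1) if m else None


def content_type_allowed(content_type: str, allowed_list: str) -> bool:
    """Emulate 'rx ^%{tx.allowed_request_content_type}$' against TX:0.

    ModSecurity expands the macro textually, so the pipe-separated list
    becomes the body of the regular expression.  That is why each entry
    in setup.conf has to be a plain media type with no regex metacharacters.
    """
    tx0 = media_type(content_type)
    if tx0 is None:
        # The capture failed, so the chained second rule never runs.
        return True
    policy = re.compile("^" + allowed_list + "$")
    return policy.search(tx0) is not None


def evaluate(headers: Dict[str, str], allowed_list: str) -> Dict[str, bool]:
    """Map a label to True if the request would pass the content-type policy."""
    return {label: content_type_allowed(ct, allowed_list) for label, ct in headers.items()}


# Constructed sample requests (not taken from the page's log).
SAMPLE_HEADERS = {
    "json":          "application/json",
    "json+charset":  "application/json; charset=utf-8",
    "form":          "application/x-www-form-urlencoded",
    "plain":         "text/plain",
}

if __name__ == "__main__":
    for label, (before, after) in zip(
        SAMPLE_HEADERS,
        zip(evaluate(SAMPLE_HEADERS, ALLOWED_BEFORE).values(),
            evaluate(SAMPLE_HEADERS, ALLOWED_AFTER).values()),
    ):
        print(f"{label:14s} before={'allow' if before else 'flag'}  after={'allow' if after else 'flag'}")
```

Running the block shows that "application/json" (with or without a charset parameter) is flagged with the original list and passes once application/json is appended, while an unrelated type such as text/plain is still flagged. One further point for anyone allowing JSON this way: letting the content type through only stops rule 960010 from firing; ModSecurity 2.8 and later ship a ctl:requestBodyProcessor=JSON rule in modsecurity.conf-recommended so that the JSON body is actually parsed and inspected rather than just passed along.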