Comments (10)
Hello,
Are there any rules for the response header/body phases?
What happens if you change SecRuleEngine to DetectionOnly?
Is there any message in error.log?
Thanks
from modsecurity.
Hi,
SecRuleEngine is set to DetectionOnly by default.
I didn't find any error message in log.
The rules I used are bundled with the MSI package (modsecurity.conf), and its effective rules are:
```
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@Streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir c:\inetpub\temp\
SecDataDir c:\inetpub\temp\
SecDebugLog C:\Logs\ModSecurity\debug.log
SecDebugLogLevel 4
SecArgumentSeparator &
SecCookieFormat 0
```
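The configuration above is the input the rest of the thread reasons about, and the workaround it arrives at (SecRequestBodyAccess Off) leaves every rule that reads the request body with nothing to inspect. The following is an added example, not code from the ModSecurity project or from anyone in this thread: a small Python checker that parses ModSecurity directives (backslash continuations, quoted arguments that may span lines as in the pasted copy, comma-separated actions with quoted msg values) and reports which rules go blind when body access is disabled. The variable list, the function names and the sample configuration are my assumptions; the sample is a trimmed, constructed copy of the directives above.

```python
import re

# Variables that only carry data when SecRequestBodyAccess is On (assumed list, not
# exhaustive; ARGS/ARGS_NAMES lose only their POST half and are deliberately left out).
BODY_VARIABLES = {"REQUEST_BODY", "REQUEST_BODY_LENGTH", "REQBODY_ERROR", "REQBODY_ERROR_MSG",
                  "REQBODY_PROCESSOR", "REQBODY_PROCESSOR_ERROR", "ARGS_POST", "ARGS_POST_NAMES",
                  "FILES", "FILES_NAMES", "FILES_SIZES", "FILES_TMPNAMES", "FILES_COMBINED_SIZE", "XML"}

# Constructed sample: a trimmed copy of the directives pasted in the thread, written with
# backslash continuations so that it is also valid for the Apache-style config parser.
SAMPLE_CONF = r"""
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecDebugLog C:\Logs\ModSecurity\debug.log
"""

def parse_config(text):
    """One [name, arg, ...] list per directive: continuations joined, '...'/"..." quoting
    honoured (a quoted argument may span lines), backslashes kept, # comments dropped."""
    text = re.sub(r"\\[ \t]*\r?\n", " ", text) + "\n"  # trailing newline flushes the last directive
    directives, tokens, buf, quote, comment = [], [], [], None, False

    def flush(end_of_directive):
        if buf:
            tokens.append("".join(buf))
            buf.clear()
        if end_of_directive and tokens:
            directives.append(list(tokens))
            tokens.clear()

    for ch in text:
        if comment:
            comment = ch != "\n"
        elif ch == "#" and not tokens and not buf:
            comment = True
        elif ch == quote:  # closing quote
            quote = None
        elif quote is not None:  # inside quotes everything is literal, newlines included
            buf.append(ch)
        elif ch in ("'", '"'):  # opening quote
            quote = ch
        elif ch.isspace():
            flush(ch == "\n")
        else:
            buf.append(ch)
    return directives

def parse_actions(action_string):
    """Parse "id:'1',phase:2,t:none,deny,msg:'a, b'" into a dict; t: and ctl: become lists."""
    actions, item, in_quote = {"t": [], "ctl": []}, [], False
    for ch in action_string + ",":  # the trailing comma flushes the last action
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:  # commas inside single quotes belong to the value
            key, sep, value = "".join(item).strip().partition(":")
            value = value.strip().strip("'")
            if key in ("t", "ctl"):
                actions[key].append(value)
            elif key:
                actions[key] = value if sep else True
            item = []
        else:
            item.append(ch)
    return actions

def body_dependent_variables(variable_spec):
    """Names in a SecRule variable list (e.g. "REQBODY_ERROR|!ARGS_POST:x") that are empty
    unless the request body is buffered."""
    names = [v.lstrip("!&").split(":", 1)[0].upper() for v in variable_spec.split("|")]
    return [n for n in names if n in BODY_VARIABLES or n.startswith("MULTIPART_")]

def audit(text):
    """Return (settings, findings): the rules that lose their input when body access is Off."""
    directives = parse_config(text)
    settings = {d[0]: d[1] for d in directives if d[0] != "SecRule" and len(d) > 1}
    findings = []
    if settings.get("SecRequestBodyAccess", "Off").lower() == "on":  # Off is the engine default
        return settings, findings
    for d in directives:
        if d[0] != "SecRule" or len(d) < 3:
            continue
        actions = parse_actions(d[3] if len(d) > 3 else "")
        rule_id, blind = actions.get("id", "<no id>"), body_dependent_variables(d[1])
        if blind:
            findings.append({"id": rule_id, "reason": "targets " + "|".join(blind) + " with no body buffered"})
        elif any(c.startswith("requestBodyProcessor=") for c in actions["ctl"]):
            findings.append({"id": rule_id, "reason": "selects a request body processor with no body buffered"})
    return settings, findings
```

Run `audit()` over the full modsecurity.conf rather than the trimmed sample. With the sample switched to `SecRequestBodyAccess Off` it reports rules 200000 through 200003 and leaves 200004 alone, because TX variables do not depend on the body; any CRS rule over ARGS_POST or FILES would be reported the same way, which is the cost of the workaround the thread arrives at.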
Right,
Can you turn the debug level up to 9? Maybe there is some important debug information we are missing.
Thanks
OK, now it looks like this.
```
[4] Initialising transaction (txid 11673330240586785225).
[5] Adding request cookie: name "wp-settings-time-2", value "1358523685"
[5] Adding request cookie: name "wp-settings-1", value "editor%3Dhtml%26m6%3Do%26m10%3Do%26m5%3Do%26m8%3Dc%26m7%3Do%26m9%3Dc%26hidetb%3D1"
[5] Adding request cookie: name "wp-settings-time-1", value "1362152354"
[5] Adding request cookie: name "__atssc", value "facebook%3B2%2Ctwitter%3B1"
[5] Adding request cookie: name "__atuvc", value "40%7C11%2C48%7C12%2C11%7C13%2C43%7C14%2C12%7C15"
[5] Adding request cookie: name "__utma", value "97011023.318241276.1354960109.1365500826.1365587281.611"
[5] Adding request cookie: name "__utmc", value "97011023"
[5] Adding request cookie: name "__utmz", value "97011023.1365002021.581.7.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)"
[5] Adding request cookie: name "wordpress_test_cookie", value "WP+Cookie+check"
[4] Transaction context created (dcfg 2459290).
[4] First phase starting (dcfg 2459290).
[4] Starting phase REQUEST_HEADERS.
[9] This phase consists of 1 rule(s).
[4] Recipe: Invoking rule 2b2ec08; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "24"] [id "200000"].
[5] Rule 2b2ec08: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
[9] T (0) lowercase: "application/x-www-form-urlencoded"
[4] Transformation completed in 0 usec.
[4] Executing operator "rx" with param "text/xml" against REQUEST_HEADERS:Content-Type.
[9] Target value: "application/x-www-form-urlencoded"
[4] Operator completed in 0 usec.
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[4] Second phase starting (dcfg 2459290).
[4] Input filter: Reading request body.
[9] Input filter: Bucket type POOL contains 109 bytes.
[9] Input filter: Bucket type POOL contains 0 bytes.
[9] Input filter: Bucket type EOS contains 0 bytes.
[5] Adding request argument (BODY): name "log", value "******"
[5] Adding request argument (BODY): name "pwd", value "******"
[5] Adding request argument (BODY): name "wp-submit", value "Log In"
[5] Adding request argument (BODY): name "redirect_to", value "https://atifans.net/wp-admin/"
[5] Adding request argument (BODY): name "testcookie", value "1"
[4] Input filter: Completed receiving request body (length 109).
[4] Starting phase REQUEST_BODY.
[9] This phase consists of 4 rule(s).
[4] Recipe: Invoking rule 2b2d168; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "55"] [id "200001"].
[5] Rule 2b2d168: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,auditlog,id:200001,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:%{reqbody_error_msg},severity:2"
[4] Transformation completed in 0 usec.
[4] Executing operator "!eq" with param "0" against REQBODY_ERROR.
[9] Target value: "0"
[4] Operator completed in 0 usec.
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[4] Recipe: Invoking rule 2b304a8; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "76"] [id "200002"].
[5] Rule 2b304a8: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,id:200002,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
[4] Transformation completed in 0 usec.
[4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[9] Target value: "0"
[4] Operator completed in 0 usec.
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[4] Recipe: Invoking rule 2b344d0; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "81"] [id "200003"].
[5] Rule 2b344d0: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,id:200003,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
[4] Transformation completed in 0 usec.
[4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[9] Target value: "0"
[4] Operator completed in 0 usec.
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[4] Recipe: Invoking rule 2b35408; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "95"] [id "200004"].
[5] Rule 2b35408: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,id:200004,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
[4] Rule returned 0.
[9] No match, not chained -> mode NEXT_RULE.
[4] Hook insert_filter: Adding input forwarding filter (r 2b39440).
[4] Hook insert_filter: Adding output filter (r 2b39440).
```
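The level-9 trace above is the evidence the rest of the thread rests on: ModSecurity itself buffers the 109-byte POST body and parses its arguments before phase 2, every rule returns 0, and the input filter is then handed on to the backend. As an added example (not from the ModSecurity project or from anyone in this thread), here is a Python summariser for this debug-log format that turns a transaction's entries into the few facts worth checking when a body goes missing: which phases ran, which rules fired and what they returned, how many body bytes were buffered and which argument names were parsed. The regexes, function names and sample are my assumptions; the sample is a constructed, shortened copy of the trace above with placeholder cookie and argument values.

```python
import re

# Constructed sample: a shortened copy of the level-9 trace in the thread, run together on
# one line the way it was pasted. Cookie/argument values are placeholders.
SAMPLE_DEBUG_LOG = " ".join([
    r'[4] Initialising transaction (txid 11673330240586785225).',
    r'[5] Adding request cookie: name "wordpress_test_cookie", value "WP+Cookie+check"',
    r'[4] Starting phase REQUEST_HEADERS.',
    r'[4] Recipe: Invoking rule 2b2ec08; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "24"] [id "200000"].',
    r'[5] Rule 2b2ec08: SecRule "REQUEST_HEADERS:Content-Type" "@rx text/xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"',
    r'[9] Target value: "application/x-www-form-urlencoded"',
    r'[4] Rule returned 0.',
    r'[4] Input filter: Reading request body.',
    r'[9] Input filter: Bucket type POOL contains 109 bytes.',
    r'[9] Input filter: Bucket type EOS contains 0 bytes.',
    r'[5] Adding request argument (BODY): name "log", value "******"',
    r'[5] Adding request argument (BODY): name "pwd", value "******"',
    r'[5] Adding request argument (BODY): name "wp-submit", value "Log In"',
    r'[5] Adding request argument (BODY): name "redirect_to", value "https://example.invalid/wp-admin/"',
    r'[5] Adding request argument (BODY): name "testcookie", value "1"',
    r'[4] Input filter: Completed receiving request body (length 109).',
    r'[4] Starting phase REQUEST_BODY.',
    r'[4] Recipe: Invoking rule 2b2d168; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "55"] [id "200001"].',
    r'[4] Rule returned 0.',
    r'[4] Recipe: Invoking rule 2b304a8; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "76"] [id "200002"].',
    r'[4] Rule returned 0.',
    r'[4] Recipe: Invoking rule 2b344d0; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "81"] [id "200003"].',
    r'[4] Rule returned 0.',
    r'[4] Recipe: Invoking rule 2b35408; [file "c:\inetpub\wwwroot\owasp_crs\modsecurity.conf"] [line "95"] [id "200004"].',
    r'[4] Rule returned 0.',
    r'[4] Hook insert_filter: Adding input forwarding filter (r 2b39440).',
])

ENTRY_SPLIT = re.compile(r"\s*(?=\[\d\] )")  # an entry starts with "[level] "; works for one-per-line or run-together logs
PATTERNS = {
    "txid": re.compile(r"Initialising transaction \(txid (\d+)\)"),
    "phase": re.compile(r"Starting phase (\w+)\."),
    "invoke": re.compile(r'Invoking rule \w+; \[file "([^"]*)"\] \[line "(\d+)"\] \[id "(\d+)"\]'),
    "returned": re.compile(r"Rule returned (\d+)\."),
    "bucket": re.compile(r"Bucket type \w+ contains (\d+) bytes"),
    "body_done": re.compile(r"Completed receiving request body \(length (\d+)\)"),
    "body_arg": re.compile(r'Adding request argument \(BODY\): name "([^"]*)"'),  # names only, never values
}

def parse_entries(text):
    """Split a debug log into (level, message) pairs."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text):
        m = re.match(r"\[(\d)\] (.*)", chunk.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def summarize(entries):
    """Reduce one transaction's entries to what matters for a missing-body question."""
    s = {"txid": None, "phases": [], "rules": [], "body_bytes_buffered": 0,
         "body_length": None, "body_args": []}
    for _level, msg in entries:
        for kind, pattern in PATTERNS.items():
            m = pattern.search(msg)
            if m:
                break
        else:
            continue  # entry carries nothing we track (transformations, timings, cookies)
        if kind == "txid":
            s["txid"] = m.group(1)
        elif kind == "phase":
            s["phases"].append(m.group(1))
        elif kind == "invoke":
            s["rules"].append({"id": m.group(3), "file": m.group(1), "line": int(m.group(2)),
                               "phase": s["phases"][-1] if s["phases"] else None, "returned": None})
        elif kind == "returned" and s["rules"]:
            s["rules"][-1]["returned"] = int(m.group(1))
        elif kind == "bucket":
            s["body_bytes_buffered"] += int(m.group(1))
        elif kind == "body_done":
            s["body_length"] = int(m.group(1))
        elif kind == "body_arg":
            s["body_args"].append(m.group(1))
    return s

def matched_rule_ids(summary):
    """Rule ids whose operator matched (returned 1); under DetectionOnly these only log."""
    return [r["id"] for r in summary["rules"] if r["returned"] == 1]

def body_reached_modsecurity(summary):
    """True when ModSecurity reports a complete, non-empty body, so a backend that sees no POST data lost it after the filter."""
    return bool(summary["body_length"])
```

On the sample the summary shows both phases, five rules all returning 0, 109 bytes buffered and five body argument names, which is the same picture the thread draws from the raw trace: the body reached ModSecurity intact, so the loss happens on the way to the PHP handler.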
After a few tests, it seems POST-based pages are affected.
No POST data is detected on the PHP side if ModSecurity is enabled.
Right,
What happens if you turn SecRequestBodyAccess Off?
Now pages work after setting SecRequestBodyAccess Off.
This is a known issue. It looks like some modules other than ASP.NET have problems forwarding the request body with ModSecurity.
Right now you cannot enable request body access in these cases.
Thanks
Breno
Thanks for your help, Breno.
There is actually another issue with ModSecurity on IIS: it does not allow objects to be created (error '80004005'). It took us quite a while to figure this out. We are using the very latest version, and the problem still exists.