Modsecurity: Secrule not capturing 'alert'

Created on 24 Oct 2018 · 4 comments · Source: SpiderLabs/ModSecurity

Hi,
We have a SecRule like this:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
"phase:2,rev:'2.0.10',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

When a user supplies a URL like this:

?param1=test%27,alert(document.cookie),%27test&param2

It's not being blocked. Please suggest.

All 4 comments

You have the pass,nolog attributes in the SecRule. If you want to block the request, change the pass,nolog to deny,log and it will block the request as well as generate the audit log.

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
"phase:2,rev:'2.0.10',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,deny,log,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Hi

Here anomaly scoring mode is followed:

setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}

Can we see these values / debug these values somewhere?

At the end, some rule like this needs to be written:
SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,t:none,deny,status:406,skipAfter:END_XSS_CHECK,nolog"

We are using:
"ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); core ruleset/1.6.1"

Also, can we get the modsecurity_crs_41_xss_attacks.conf file source?

Hi @venkibits,

The variable values can be seen in the debug log:

SecDebugLog /tmp/a.txt
SecDebugLogLevel 9

The OWASP CRS is a separate project and can be found here:
https://github.com/SpiderLabs/owasp-modsecurity-crs
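To make the thread's point concrete (why the request in the original post is not blocked by a rule that ends in `pass`, what changes when the first comment's `deny,log` is used instead, and what the closing evaluation rule asked about in the second comment has to do), here is a small Python model of the rule pipeline. It is an added example, not ModSecurity or CRS code: it applies the rule's transformation chain to the rule's targets, runs the regex, accumulates the TX scores exactly as the `setvar` actions do, and then performs the separate threshold check that anomaly-scoring mode relies on. The score defaults (5 and 5), the simplified evaluation directive shown in the comment, and the `htmlEntityDecode`/`jsDecode` approximations are assumptions; the sample requests are constructed.

```python
"""Toy model of CRS rule 973307 under ModSecurity 2.x anomaly scoring.

Constructed example, not ModSecurity/CRS code. It applies the rule's
transformation chain (t:htmlEntityDecode, t:jsDecode, t:lowercase) to the
rule's targets, runs the regex, and then performs the separate evaluation
step that anomaly-scoring mode relies on, so the effect of `pass` versus
`deny` on the detection rule is visible.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Regex from rule 973307, with the closing paren escaped as in the CRS source.
RULE_973307 = re.compile(r"(fromcharcode|alert|eval)\s*\(")

# CRS 2.x defaults (assumption: deployments may tune these in the setup file).
CRITICAL_ANOMALY_SCORE = 5        # tx.critical_anomaly_score
INBOUND_ANOMALY_SCORE_LEVEL = 5   # tx.inbound_anomaly_score_level

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})")


def js_decode(value):
    """Approximation of t:jsDecode: resolve \\uXXXX, \\xXX and octal escapes."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return chr(int(m.group(3), 8))
    return _JS_ESCAPE.sub(repl, value)


def transform(value):
    """t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase applied in rule order."""
    return js_decode(html.unescape(value)).lower()


def rule_targets(url):
    """REQUEST_FILENAME|ARGS_NAMES|ARGS, URL-decoded as ModSecurity sees them."""
    parts = urlsplit(url)
    args = parse_qsl(parts.query, keep_blank_values=True)
    targets = [("REQUEST_FILENAME", parts.path)]
    targets += [("ARGS_NAMES:" + n, n) for n, _ in args]
    targets += [("ARGS:" + n, v) for n, v in args]
    return targets


def evaluate_request(url, rule_action="pass", anomaly_blocking=True):
    """Run rule 973307 over the request, then the anomaly-score evaluation step.

    rule_action:      'pass' (as in the original post) or 'deny' (first comment).
    anomaly_blocking: models tx.anomaly_score_blocking=on in the CRS setup.
    Returns a dict with the blocking decision and the TX variables the rule set.
    """
    tx = {"xss_score": 0, "anomaly_score": 0}
    matches = []
    for name, raw in rule_targets(url):
        m = RULE_973307.search(transform(raw))
        if not m:
            continue
        # The setvar actions run once per matching variable (capture -> tx.0).
        matches.append((name, m.group(0)))
        tx["0"] = m.group(0)
        tx["msg"] = "XSS Attack Detected"
        tx["xss_score"] += CRITICAL_ANOMALY_SCORE
        tx["anomaly_score"] += CRITICAL_ANOMALY_SCORE
        tx["973307-WEB_ATTACK/XSS-" + name] = m.group(0)
        if rule_action == "deny":
            # deny is disruptive: processing stops at the first match.
            return {"blocked": True, "status": 403, "by": "973307", "tx": tx, "matches": matches}

    # With `pass` the detection rule never blocks. A later rule in phase 2 has to
    # compare the accumulated score against the threshold; simplified equivalent
    # (assumption, modelled on the CRS 2.x inbound blocking rule):
    #   SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
    #       "phase:2,t:none,deny,log,status:403,msg:'Inbound Anomaly Score Exceeded'"
    if anomaly_blocking and tx["anomaly_score"] >= INBOUND_ANOMALY_SCORE_LEVEL:
        return {"blocked": True, "status": 403, "by": "anomaly-evaluation", "tx": tx, "matches": matches}
    return {"blocked": False, "status": 200, "by": None, "tx": tx, "matches": matches}


if __name__ == "__main__":
    # Constructed sample requests; the first is the one from the original post.
    samples = [
        "/index.php?param1=test%27,alert(document.cookie),%27test&param2",
        "/index.php?param1=%5Cu0061lert(1)",   # \u0061 -> 'a' via t:jsDecode
        "/index.php?param1=ALERT%20(1)",        # t:lowercase and \s* at work
        "/index.php?q=hello%20world",           # benign request
    ]
    for url in samples:
        for action, blocking in (("pass", False), ("pass", True), ("deny", True)):
            r = evaluate_request(url, action, blocking)
            print(f"{url:<62} {action:<4} blocking={blocking!s:<5} -> "
                  f"blocked={r['blocked']} score={r['tx']['anomaly_score']} matches={r['matches']}")
```

Running it shows the three situations the thread discusses: with `pass` and no evaluation step the request from the original post matches (`tx.xss_score` and `tx.anomaly_score` both become 5) but nothing blocks it; with `deny` on the rule itself the transaction stops at the first matching variable; and with `pass` plus a threshold rule the block comes from the evaluation step, which is the rule the second comment was looking for. Note that a rule comparing the score with `@eq 0` would never fire on an attack, since the score is only ever raised by a match. The `tx` dict returned here holds the same names you will see the `setvar` actions write in the debug log at `SecDebugLogLevel 9`.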
