Owasp-modsecurity-crs: False Positive when using question mark in URL at paranoia level 4.

Created on 17 Apr 2018  路  2Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

When trying to access my site from an external IP, I always get blocked by mod security with the following info in the log file.
Everything works fine if I remove the question mark from the URL. May that have to do with the paranoia level 4?

Authorization: Digest username="", realm="", nonce="flk23lkr3l1=lkjfaskl13nkn23lafdlew", uri="/api.php?summary", response="89fdsf7s9dnfsa77718asdfa0", algorithm="MD5", cnonce="324376d4d64u564564d4dd453e", nc=00000001, qop="auth"
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; de-de; HTC Magic Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept-Language: de-de
DNT: 1
Accept-Encoding: br, gzip, deflate
GEOIP_ADDR: 95.157.121.142
GEOIP_CONTINENT_CODE: EU
GEOIP_COUNTRY_CODE: GR
GEOIP_COUNTRY_NAME: Greece
GEOIP_DMA_CODE: 0
GEOIP_METRO_CODE: 0
GEOIP_AREA_CODE: 0
GEOIP_LATITUDE: 74.1302292
GEOIP_LONGITUDE: 4.94552

HTTP/1.1 403 Forbidden
Content-Length: 216
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /api.php
on this server.<br />
</p>
</body></html>

--a134467e-H--
Message: Warning. Found 1 byte(s) in REQUEST_HEADERS:Authorization outside range: 32,34,38,42-59,61,65-90,95,97-122. [file "owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1475"] [id "920274"] [rev "2"] [msg "Invalid character in request headers (outside of very strict set)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [tag "paranoia-level/4"]
Message: Access denied with code 403 (phase 2). Operator GE matched 4 at TX:anomaly_score. [file "owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 4 at TX:inbound_anomaly_score. [file "owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Invalid character in request headers (outside of very strict set)"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1523979028701958 359391 (- - -)
Stopwatch2: 1523979028701958 359391; combined=354658, p1=2697, p2=350993, p3=0, p4=0, p5=790, sr=255, sw=178, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/ (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"

Most helpful comment

Thanks, you're great! It works. @spartantri

All 2 comments

Hi @welljsjs PL4 is very strict in terms of allowed character set, unfortunately '?' (ascii 63) is not in the allowed characters as you may see on your log.

From the rule set comments:

# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer and Cookie
#       ASCII 32,34,38,42-59,61,65-90,95,97-122
#       A-Z a-z 0-9 = - _ . , : & " * + / SPACE

REQUEST_HEADERS:Authorization outside range: 32,34,38,42-59,61,65-90,95,97-122

You have a few options to make it work:
1) Lower the Paranoia Level down to 2
2) White list that header similar to User-Agent, Referer and Cookie headers SecRuleUpdateTargetById 920274 !REQUEST_HEADERS:Authorization
3) Remove the ? from the header

If you go with 2 then also make sure you do some check, like a derivation of the original rule just for the Authorization header:

SecRule REQUEST_HEADERS:Authorization "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \
    "id:920275,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'Invalid character in request headers (outside of very strict set)',\
    logdata:'%{matched_var_name}=%{matched_var}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
    tag:'paranoia-level/4',\
    rev:2,\
    ver:'OWASP_CRS/3.0.0',\
    severity:'CRITICAL',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}'"

Cheers!

Thanks, you're great! It works. @spartantri

Was this page helpful?
0 / 5 - 0 ratings