My Nextcloud desktop client often gets banned due to false positives by ModSecurity.
I am using CRS 3.0.2.
The following lines were copied from the Apache error log. The IP address and the hostname are changed.
[Tue Jul 31 15:49:41.146345 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: session_id found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.147713 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i)[\\\\s\\\\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\\\\/html|pattern(?=.*?=)|formaction|\\\\@import|base64)\\\\b" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "166"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: xmlns found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.156582 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(^[\\"'`;]+|[\\"'`]+$)" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "494"] [id "942110"] [rev "4"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.157466 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "558"] [id "942130"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: d=\\x22D found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.161103 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`])|(?:like\\\\s*?[\\"'`]\\\\%)|(?:[\\"'`]\\\\s*?like\\\\W*?[\\"'`\\\\d])|(?:[\\"'`]\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?h ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "705"] [id "942260"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\x22><d:p found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.164310 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:in\\\\s*?\\\\(+\\\\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s+[\\\\s\\\\w+]+(?:regexp\\\\s*?\\\\(|sounds\\\\s+like\\\\s*?[\\"'`]|[=\\\\d]+x))|([\\"'`]\\\\s*?\\\\d\\\\s*?(?:--|#))|(?:[\\"'`][\\\\%&<>^=]+\\\\d\\\\s*?(=|x?or|div|like|between|and))|(?:[\\ ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "817"] [id "942340"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 3/3"] [data "Matched Data: \\x22DAV:\\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.165556 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`]\\\\s*?\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*?[\\"'`]\\\\d)|(?:\\\\^[\\"'`])|(?:^[\\\\w\\\\s\\"'`-]+(?<=and\\\\s)(?<=or|xor|div|like|between|and\\\\s)(?<=xor\\\\s)(?<=nand\\\\s)(?<=not\\\\s)(?<=\\\\|\\\\|)(?<=\\\\&\\\\&)\\\\w+\\\\()|(?:[\\"'`][\\\\s\\\\d]*?[^\\\\w\\\\s]+\\\\W*?\\\\d\\ ..." at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "845"] [id "942370"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \\x221.0\\x22 found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
[Tue Jul 31 15:49:41.172306 2018] [:error] [pid 2720] [client 76.31.223.151:52176] [client 76.31.223.151] ModSecurity: Warning. Pattern match "((?:[\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>][^\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>]*?){12})" at ARGS:<?xml version. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1006"] [id "942430"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22>< found within ARGS:<?xml version: \\x221.0\\x22?><d:propfind xmlns:d=\\x22DAV:\\x22><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [ta [hostname ""] [uri "/nextcloud/remote.php/webdav"] [unique_id "W2Bo9X8AAQEAAAqgiQYAAAAI"]
As there are several rules that take effect, I am not sure how to deal with the current situation.
As a result, ModSecurity often induces a close of the connection.
I am using Nextcloud 14.
Hi @welljsjs
The log you shared contains content which ModSecurity could not parse properly ARGS:<?xml if this is a POST request containing pure valid XML then it is missing a content-type like application/xml or text/xml if it does then what you need is add a rule that switch the body processor to XML
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,id:87,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
This should be one of the first rules your configuration hits so that the entire content is properly parsed and then referred as XML instead of ARGS
I had a look into the modsec_audit.log.
It's actually the Nextcloud Desktop client that sends
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 instead of application/xml.
This is the request body (one of the requests, they all contain xml):
<?xml version="1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:resourcetype/></d:prop></d:propfind>
So I would add the following rule:
SecRule REQUEST_HEADERS:Content-Type ^application/x-www-form-urlencoded$ "phase:1,id:87,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
In what file would I include this rule?
Thanks a lot
No that is too generic, it will break all webforms, instead it is better to do this only for the affected URL's if there is only a few, use an rx (regular expression) match, otherwise, a pmf to save all the affected url into a file and reference it
SecRule REQUEST_URI "@rx ^/whateverurl/buggyfeature.php$" "phase:1,id:88,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
SecRule REQUEST_URI "@pmf /path/to/file.data" "phase:1,id:89,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
Yes, that worked. Thank you!
Good, @welljsjs if your setup is generic can you provide the fix as a PR for the exception file or send the config you did so we can add the PR.
I think it's a specific fix for nextcloud.
SecRule REQUEST_URI "@rx ^/nextcloud/index.php/apps/files/.*$" "phase:1,id:200021,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
Thanks for contributing @welljsjs. Are you aware, that v3.1dev comes with Nextcloud rule exclusions packaged? You should be able to try them out with your setup with some manual intervention. See the Nextcloud/Owncloud specific rule file and the config extension in crs-setup.conf in the 3.1 dev branch.
Nope, didn't know that at all. Sounds great! Thank you both!
The new rules are definitely great. However, I think I just came across another FP.
SecRule REQUEST_URI "@rx ^/nextcloud/data/\.ocdata\?t=\d+$" \
"id:1005,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveByTag=attack-dos"
The browser often requests that file (/nextcloud/data/.ocdata?t=1533216999587, where t seems to be the current time stamp) and gets back a 403.
If it happens too often, the user's connection will get closed due to the dos-attack rules, although this is a usual behavior.
I think the rule above should fix this.
Just another question regarding this: Am I able to increase the dos_counter_threshold for sub-directories? Initially, I changed the default value (100) to 75, but users got banned very often when using nextcloud, so I increased the value again.
Would such a rule:
SecRule REQUEST_FILENAME "@beginsWith /nextcloud" \
"id:1006,\
phase:2,\
pass,\
nolog,\
t:none,\
t:lowercase,\
setvar:'tx.dos_counter_threshold=150'"
work to increase the threshold only for the nextcloud subfolder?
Hi again @welljsjs , it depends, that rule will work if two criteria are met,
1) the variable is already defined
2) you adjust the variable threshold before it reaches the score evaluation that will cause the request drop
In v3.1 that is set in crs-setup by rule 900700 and it is evaluated at REQUEST-912-DOS-PROTECTION so you need to add your rule in between.
You can achieve that using your Apache config and add the rule after the Include to crs-setup but before the include to rules/*.conf or using your custom REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
Cheers!