Owasp-modsecurity-crs: SOAPUI SOAP Tx multipart/related call False Positive id: 920470

Created on 14 Mar 2020  路  4Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

Description

I already have a pending PR to help with the fact multipart/related is not allowed:
https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1721

But, another rule after the above one gets fixed will get hit, which is 920470,
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L870

This only allows (?:boundary|charset) options it looks like for MIME attributes. I think this can be expanded to: (?:boundary|charset|type|start) ( EDIT - Yeah this still didn't work for unblocking me... urgggg)?

Audit Logs / Triggered Rule Numbers

Audit log:

POST /api/test/ext/cimtest/XYZServices/v1 
HTTP/1.1Accept-Encoding: gzip,deflate
Content-Type: multipart/related; type="text/xml"; start="<[email protected]>"; boundary="----=_Part_0_811603706.1584078662023"
SOAPAction: "urn:PegaRULES:SOAP:XYZServices:Services#ProcessGroupECMM"
Authorization: bearer XXXXXXXX
Host: gateway.company.com
MIME-Version: 1.0
Content-Length: 161250
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
X-Forwarded-For: xxxxxxxx
---YimwH2Cz---C--

------=_Part_0_811603706.1584078662023
...... (Redacted payload due to confidential stuff in here)
------=_Part_0_811603706.1584078662023--


---YimwH2Cz---D--


---YimwH2Cz---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w.()+,/:=?-]+)?$' against variable `REQUEST_HEADERS:Content-Type' (Value: `multipart/related; type="text/xml"; start="<[email protected]>"; boundary="----=_Part_0_811603706. (14 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "873"] [id "920470"] [rev ""] [msg "Illegal Content-Type header"] [data "multipart/related; type="text/xml"; start="<[email protected]>"; boundary="----=_part_0_811603706.1584078662023""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "xxxxxxx"] [uri "/api/test/ext/cimtest/XYZServices/v1"] [unique_id "158407866551.291542"] [ref "v100,114t:lowercase"]

So how about modifying the rule to be like:

#
# Restrict which content-types we accept.
#

# Restrict Content-Type header to established patterns.
#
# This provides generic whitelist protection against vulnerabilities like
# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638).
#
# Examples of allowed patterns:
# - text/plain
# - text/plain; charset="UTF-8"
# - multipart/form-data; boundary=----WebKitFormBoundary12345
# - multipart/related; type="text/xml"
# - multipart/related; start="<[email protected]>"
#
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset|type|start)\s?=\s?['\"\w\d\.\-]+)?$" \
    "id:920470,\
    phase:1,\
    block,\
    t:none,t:lowercase,\
    msg:'Illegal Content-Type header',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE',\
    tag:'WASCTC/WASC-20',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/EE2',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Or maybe that will cause problems w regex to because of 3 attributes deep? Unsure at the moment. EDIT - Yeah this still didn't work for unblocking me... urgggg

Your Environment

  • CRS version (e.g., v3.2.0): 3.2/master
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): NGINX
  • Operating System and version: Alpine Linux

Confirmation

[X ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

False Positive PR available

Most helpful comment

Thank you for reporting. I'm more and more seeing a need to review all the content-type rules in its own little project to overhaul them all. Thanks for the contribution.

All 4 comments

Thank you for reporting. I'm more and more seeing a need to review all the content-type rules in its own little project to overhaul them all. Thanks for the contribution.

Not the best at fixing them but playing the role of QA and providing FP's is right up my wheelhouse, I can make small fixes 馃槃 .

I also see start-info in this multipart/relatedContent-Type.
And I see this is also a valid param: https://tools.ietf.org/html/rfc2387

So the full list would be: (?:boundary|charset|type|start|start-info) or (?:boundary|charset|type|start(?:-info)?).

I haven't tested that yet.

Example Request Header:
Content-Type: multipart/related; type="application/xop+xml"; boundary="uuid:a111aaa1-aa11-1a11-a11a-11a1111aa11a"; start="<[email protected]>"; start-info="application/soap+xml

And here I see more params like action:
https://issues.apache.org/jira/browse/CXF-6431

Example for action:
Content-Type: application/soap+xml; action="urn:hl7-org:v3:PRPA_IN201305UV02"; charset=UTF-8
Source: https://groups.google.com/forum/#!topic/ipf-user/evT5vZb42_w

I'll open a PR with the following suggestion for rule 920470:

^[\w\d\/\.\-\+]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w\d\.\-\/+<>@:]+)*$

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dune73 picture dune73  路  6Comments

elexisvenator picture elexisvenator  路  3Comments

nicksloan picture nicksloan  路  6Comments

ygrek picture ygrek  路  7Comments

spartantri picture spartantri  路  3Comments