Discussion:
[Owasp-modsecurity-core-rule-set] Issues with tx.restricted_extensions
Thayyile kandy, Subin : CSO GIS
2017-05-09 16:27:30 UTC
Hello

I'm having some issues with some of my requests being blocked based on extension; I do not have .php or .html on my restricted extensions list.
Has anyone come across this before?

This happens when I run in detection mode by default and turn on blocking using

SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"

http://localhost/forms.php (works fine)
http://localhost/forms.php? (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"])
http://localhost/forms.php?id=0 (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"])
http://localhost/forms.html (works fine)
http://localhost/forms.html? (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"])
http://localhost/forms.html?id=0 (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"])


debug logs
-------------


[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b6536900; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1031"] [id "920430"] [rev "2"].
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b6536900: SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}" "phase:request,nolog,auditlog,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920430,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 0 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "HTTP/1.1"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 6 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 0.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] No match, not chained -> mode NEXT_RULE.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b652be08; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"].
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b652be08: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:request,nolog,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'URL file extension is restricted by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/,deny,ctl:ruleEngine=On"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) urlDecodeUni: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) lowercase: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 12 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.0: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.1: php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 11 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Setting variable: tx.extension=.%{tx.1}/
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.1} to: php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Set variable "tx.extension" to ".php/".
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Ctl: Set ruleEngine to On.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 1.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Match, intercepted -> returning.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Access denied with code 403 (phase 2). Pattern match "\\.(.*)$" at REQUEST_BASENAME. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]




audit logs
------------


--54296d51-A--
[08/May/2017:11:28:14 --0500] WRCcnn8AAQEAAAt0ypkAAAAE 127.0.0.1 36183 127.0.0.1 80
--54296d51-B--
GET /forms.html? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--54296d51-F--
HTTP/1.1 403 Forbidden
Content-Length: 286
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--54296d51-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1494260894110924 11283 (- - -)
Stopwatch2: 1494260894110924 11283; combined=6030, p1=2122, p2=3429, p3=0, p4=0, p5=479, sr=14, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"

--54296d51-Z--


audit log when in detection mode (please note this is in the case of an extension that is in the list)

--8092f761-A--
[09/May/2017:13:39:38 +0000] WRHGmawSZJUAADb7nuwAAAHN 40.77.167.66 54957 10.176.10.21 4464
--8092f761-B--
GET /activate.com?domainCPC=HCL&legacy=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--8092f761-F--
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Connection: Keep-Alive
Transfer-Encoding: chunked

--8092f761-H--
Message: String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Handler: proxy-server
Stopwatch: 1494337177995510 28864 (- - -)
Stopwatch2: 1494337177995510 28864; combined=1228, p1=291, p2=865, p3=1, p4=2, p5=69, sr=32, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--8092f761-Z--


Thanks
Subin


Barclaycard

www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
Barry Pollard
2017-05-09 18:59:53 UTC
Rule 920440 looks to be in two parts but basically is this:

SecRule REQUEST_BASENAME "\.(.*)$" "id:920440,chain,block...etc."
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "..."

This basically says: is there a dot in the request basename?
And, if so, is the extension of that request a restricted one?

When you are running this:

SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"

you are overwriting the whole "action" part of the first rule in this chain, and removing the "chain" part of it, so breaking the chain and splitting it into two rules:

SecRule REQUEST_BASENAME "\.(.*)$" "id:920440,deny,ctl:ruleEngine=On"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "..."

Effectively you're ignoring the second rule in the chain completely, so EVERY request with a dot in the basename is suddenly matching.

I'd imagine if you did something like this, to keep this as a chained rule, then it should work:

SecRuleUpdateActionById 920440 "deny,chain,ctl:ruleEngine=On"

Though I've not tried this myself, admittedly.

In fact the ModSecurity Reference Manual (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateActionById) does state:

Note: If the target rule is a chained rule, you must currently specify chain in the SecRuleUpdateActionById action list as well. This will be fixed in a future version.

Hope that helps,

Barry




________________________________
From: owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org <owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org> on behalf of Thayyile kandy, Subin : CSO GIS <***@BarclaycardUS.com>
Sent: 09 May 2017 17:27:30
To: owasp-modsecurity-core-rule-***@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Issues with tx.restricted_extensions


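To make the mechanism in Barry's reply concrete, here is a small Python model of how the 920440 chain evaluates under each of the three action lists that appear in this thread. It is an added example, not code from ModSecurity or the CRS project: it re-implements only the pieces of the engine the thread touches (the t:urlDecodeUni and t:lowercase transforms, the `\.(.*)$` capture into TX.0/TX.1, the `setvar:tx.extension=.%{tx.1}/` assignment and the `@within` test), takes the `tx.restricted_extensions` value from the detection-mode audit log above, and models `SecRuleUpdateActionById` as a wholesale replacement of the first rule's action list, which is the behaviour the reference manual note describes. The function names `rule_920440` and `compare_overrides` are mine.

```python
"""Model of CRS rule 920440 with and without "chain" in the first rule's actions.

Added example (not ModSecurity or CRS code). It shows why
    SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"
matches every basename containing a dot, while
    SecRuleUpdateActionById 920440 "deny,chain,ctl:ruleEngine=On"
keeps the second rule of the chain in play.
"""
import re
from urllib.parse import unquote

# tx.restricted_extensions exactly as printed in the detection-mode audit log
# in this thread (CRS 3.0.0). Every entry ends in "/" so that ".<ext>/" can be
# tested as a whole token with @within (".cs/" must not match inside ".csr/").
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# Operator of the chain's first rule: @rx "\.(.*)$" with "capture".
EXTENSION_RE = re.compile(r"\.(.*)$")

# Stock action list of the first rule, reduced to the parts that matter here.
STOCK_ACTIONS = "chain,block"


def rule_920440(request_basename, actions=STOCK_ACTIONS):
    """Evaluate rule 920440 against one REQUEST_BASENAME value.

    `actions` is the action list of the chain's FIRST rule. Passing the string
    handed to SecRuleUpdateActionById models the override, because that
    directive replaces the rule's whole action list instead of merging into it.
    Returns whether the rule matched, the tx.extension it set, and whether the
    second rule of the chain was consulted at all.
    """
    action_set = {a.strip() for a in actions.split(",")}
    chained = "chain" in action_set

    # t:urlDecodeUni,t:lowercase, then the regex with capture into TX.0/TX.1.
    target = unquote(request_basename).lower()
    match = EXTENSION_RE.search(target)
    if not match:
        return {"matched": False, "tx_extension": None, "chain_consulted": False}

    # setvar:tx.extension=.%{tx.1}/  e.g. "forms.php" -> ".php/"
    tx_extension = "." + match.group(1) + "/"

    if not chained:
        # Without "chain" the first rule stands alone: a dot in the basename is
        # enough for it to return 1 and run its disruptive action.
        return {"matched": True, "tx_extension": tx_extension, "chain_consulted": False}

    # Second rule of the chain: TX:EXTENSION "@within %{tx.restricted_extensions}".
    # @within is true when the variable's value occurs inside the parameter.
    restricted = tx_extension in RESTRICTED_EXTENSIONS
    return {"matched": restricted, "tx_extension": tx_extension, "chain_consulted": True}


def compare_overrides(basenames):
    """Return {basename: {label: matched}} for the three action lists in the thread."""
    variants = {
        "stock CRS": STOCK_ACTIONS,
        "deny,ctl:ruleEngine=On": "deny,ctl:ruleEngine=On",
        "deny,chain,ctl:ruleEngine=On": "deny,chain,ctl:ruleEngine=On",
    }
    return {
        name: {label: rule_920440(name, acts)["matched"] for label, acts in variants.items()}
        for name in basenames
    }


if __name__ == "__main__":
    # Basenames taken from the requests quoted in the thread, plus one without a dot.
    for name, results in compare_overrides(["forms.php", "forms.html", "activate.com", "index"]).items():
        cells = "  ".join(f"{label}={'MATCH' if hit else 'pass'}" for label, hit in results.items())
        print(f"{name:13s} {cells}")
```

Running it shows `forms.php` and `forms.html` matching only under the override that lacks `chain`, and `activate.com` matching under both the stock rule and the corrected override, which is the pattern the audit logs in this thread record. The same model is a cheap regression check to run whenever a `SecRuleUpdateActionById` line is added for any chained CRS rule.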
Thayyile kandy, Subin : CSO GIS
2017-05-09 19:25:05 UTC
Thanks very much Barry, it works perfectly after adding the chain in SecRuleUpdateActionById.

Thanks
Subin

From: Barry Pollard [mailto:***@hotmail.com]
Sent: Tuesday, May 09, 2017 15:00
To: Thayyile kandy, Subin : CSO GIS; owasp-modsecurity-core-rule-***@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Issues with tx.restricted_extensions


Rule 920440 looks to be in two parts but basically is this:


SecRule REQUEST_BASENAME "\.(.*)$" "id:920440,chain,block...etc."
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "..."

This basically says is there a dot in the request basename?
And, if so, is the Extension of that request a restricted one?

When you are running this:

SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"



You are overwriting the whole "action" part of first rule in this chain - and removing the "chain" part of this, so breaking the chain and splitting this into two rules:

SecRule REQUEST_BASENAME "\.(.*)$" "id:920440,deny,ctl:ruleEngine=On"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "..."


Effectively you're ignoring the second rule in the chain completely, so EVERY request with a dot in the basename is suddenly matching.



I'd imagine if you did something like this, to keep this as a chained rule, then it should work:


SecRuleUpdateActionById 920440 "deny,chain,ctl:ruleEngine=On"

Though not tried this myself admittedly.



In fact the ModSecurity Reference Manual (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleUpdateActionById) does state:



Note : If the target rule is a chained rule, you must currently specify chain in the SecRuleUpdateActionById action list as well. This will be fixed in a future version.



Hope that helps,

Barry


________________________________
From: owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org> <owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-bounces+barry_pollard=***@lists.owasp.org>> on behalf of Thayyile kandy, Subin : CSO GIS <***@BarclaycardUS.com<mailto:***@BarclaycardUS.com>>
Sent: 09 May 2017 17:27:30
To: owasp-modsecurity-core-rule-***@lists.owasp.org<mailto:owasp-modsecurity-core-rule-***@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Issues with tx.restricted_extensions


Hello

Im having some issues with some of my requests being blocked based on extension , I do not have .php or .html on my restricted extensions list.
Has anyone come across this before ?

This happens when I run in detection mode by default and turn on blocking using

SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"

http://localhost /forms.php (works fine)
http://localhost /forms.php? (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] )
http://localhost /forms.php?id=0 (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] )
http://localhost /forms.html (works fine)
http://localhost /forms.html? (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] )
http://localhost /forms.html?id=0 (blocked by : [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] )


debug logs
-------------


[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b6536900; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]

[line "1031"] [id "920430"] [rev "2"].

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b6536900:

SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}<mailto:!@within%20%25%7btx.allowed_http_versions%7d>"

"phase:request,nolog,auditlog,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920430,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 0 usec.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "HTTP/1.1"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 6 usec.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 0.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] No match, not chained -> mode NEXT_RULE.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b652be08; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]

[line "1058"] [id "920440"] [rev "2"].

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b652be08: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$<file:///\\.(.*)$>" "phase:request,nolog,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'URL

file extension is restricted by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/,deny,ctl:ruleEngine=On"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) urlDecodeUni: "forms.php"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) lowercase: "forms.php"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 12 usec.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "rx" with param "\\.(.*)$<file:///\\.(.*)$>" against REQUEST_BASENAME.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "forms.php"

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.0: .php

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.1: php

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 11 usec.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Setting variable: tx.extension=.%{tx.1}/

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.1} to: php

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Set variable "tx.extension" to ".php/".

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Ctl: Set ruleEngine to On.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 1.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Match, intercepted -> returning.

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php

[08/May/2017:11:27:18 --0500]

[localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Access denied with code 403 (phase 2). Pattern match "\\.(.*)$<file:///\\.(.*)$>" at REQUEST_BASENAME.

[file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]

[line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]




audit logs
------------

--54296d51-A--
[08/May/2017:11:28:14 --0500] WRCcnn8AAQEAAAt0ypkAAAAE 127.0.0.1 36183 127.0.0.1 80
--54296d51-B--
GET /forms.html? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--54296d51-F--
HTTP/1.1 403 Forbidden
Content-Length: 286
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--54296d51-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1494260894110924 11283 (- - -)
Stopwatch2: 1494260894110924 11283; combined=6030, p1=2122, p2=3429, p3=0, p4=0, p5=479, sr=14, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"

--54296d51-Z--


audit log when in detection mode (please note this is in the case of an extension that is in the list)



--8092f761-A--
[09/May/2017:13:39:38 +0000] WRHGmawSZJUAADb7nuwAAAHN 40.77.167.66 54957 10.176.10.21 4464
--8092f761-B--
GET /activate.com?domainCPC=HCL&legacy=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--8092f761-F--
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Connection: Keep-Alive
Transfer-Encoding: chunked

--8092f761-H--
Message: String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Handler: proxy-server
Stopwatch: 1494337177995510 28864 (- - -)
Stopwatch2: 1494337177995510 28864; combined=1228, p1=291, p2=865, p3=1, p4=2, p5=69, sr=32, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--8092f761-Z--


Thanks
Subin


Barclaycard

www.barclaycardus.com<http://www.barclaycardus.com>

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.

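The two 920440 messages in the logs above differ in which half of the rule they cite: the blocking entry reports a `Pattern match "\.(.*)$" at REQUEST_BASENAME`, while the detection-only entry reports a `String match within "..." at TX:extension`. The following Python model of the two-rule chain is an added example, not code from the post or from the CRS project; it reproduces only what the debug log shows of the rule (the `\.(.*)$` capture on REQUEST_BASENAME, `setvar:tx.extension=.%{tx.1}/`, and the `@within %{tx.restricted_extensions}` substring test) and uses the restricted-extension list exactly as it was logged in the detection-mode entry. The `lower()` call stands in for the `t:lowercase` transformation the CRS rule applies, which the post does not show, so treat it as an assumption. Run it over the request paths from the top of the post and `.php/` and `.html/` come back as not restricted, i.e. the `@within` half of the chain would not match them against that list.

```python
import re

# TX:restricted_extensions as it was logged in the detection-mode audit entry
# of the post (constructed here from that log line, not the full CRS default).
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# Regex of the chain starter, as quoted in the debug log:
#   SecRule REQUEST_BASENAME "\.(.*)$" ... capture,setvar:tx.extension=.%{tx.1}/
# Note the greedy group: "backup.tar.gz" yields "tar.gz", not "gz".
EXTENSION_RE = re.compile(r"\.(.*)$")


def request_basename(uri: str) -> str:
    """REQUEST_BASENAME: last path segment of the URI, query string excluded."""
    path = uri.split("?", 1)[0]
    return path.rsplit("/", 1)[-1]


def chain_starter(basename: str):
    """First rule of the chain. Returns (TX.0, tx.extension) on a match, or
    None when the regex fails and the chain stops without touching rule two.
    lower() models t:lowercase, which the post does not show (assumption)."""
    m = EXTENSION_RE.search(basename.lower())
    if m is None:
        return None
    # logdata:'%{TX.0}' is the whole match (".php"); tx.1 is the group ("php")
    return m.group(0), "." + m.group(1) + "/"


def chain_second(tx_extension: str, restricted: str = RESTRICTED_EXTENSIONS) -> bool:
    """Second rule: SecRule TX:EXTENSION "@within %{tx.restricted_extensions}".
    @within is a plain substring test of the variable inside the parameter,
    which is why each list entry carries a trailing slash as a delimiter."""
    return tx_extension in restricted


def evaluate_920440(uri: str, restricted: str = RESTRICTED_EXTENSIONS) -> dict:
    """Walk the whole chain for one URI and report what each half decided."""
    starter = chain_starter(request_basename(uri))
    if starter is None:
        return {"uri": uri, "starter_matched": False, "logdata": None,
                "extension": None, "restricted": False}
    tx_0, tx_ext = starter
    return {
        "uri": uri,
        "starter_matched": True,
        "logdata": tx_0,
        "extension": tx_ext,
        "restricted": chain_second(tx_ext, restricted),
    }


if __name__ == "__main__":
    # Constructed sample: the paths listed in the post plus a few extra cases
    # (upper-case name, double extension, no extension at all).
    samples = (
        "/forms.php", "/forms.php?", "/forms.php?id=0",
        "/forms.html", "/forms.html?", "/forms.html?id=0",
        "/activate.com?domainCPC=HCL&legacy=true",
        "/WEB.CONFIG", "/backup.tar.gz", "/index",
    )
    for uri in samples:
        r = evaluate_920440(uri)
        print(f"{uri:42} starter={str(r['starter_matched']):5} "
              f"extension={str(r['extension']):10} restricted={r['restricted']}")
```

The starter regex matches any basename containing a dot, so on its own it fires for every `.php` and `.html` request; only the second rule narrows the match to the restricted list. When reading your own logs, the operator named in the `Message:` line tells you which half produced the entry.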