[Owasp-modsecurity-core-rule-set] Remove Cookie inspection for SQL injection rules
Richard Jones
2016-01-14 14:45:35 UTC
Hi All,

This list seems to be quite low volume, so if questions like the one
below are inappropriate then please let me know.

I’ve identified a few false positives for a web form on one of our
sites. The method is a POST and a sample of the cookie is as follows

Cookie: VarQuestion_0001=Lots%of%percent%signs%and%similar%here%and%SQL%like%statements%select%join%delete

I’ve been trying to put together an exception for cookies with these
names but can’t get the syntax right. Can anyone help?

The following seems to parse but I’ve no idea if it’s working or not.
Specifically I doubt that chain will extend to all the following
SecRuleUpdate's.

SecRule REQUEST_URI "(?i)/+nmsruntime" \
"chain,id:'000002',phase:1,t:none,pass,log"
SecRuleUpdateTargetById 981317 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981245 "!REQUEST_COOKIES:/^VarQuestion_[0

And using the Anomaly scoring method I couldn’t work out how to update
the REQUEST_COOKIE target to exclude these cookies, and it doesn’t look
like I can use a regex to capture VarQuestion_[0-9]+.

Thanks,

Richard
--
http://www.jonze.com/privacy.html
Christian Folini
2016-01-15 08:16:52 UTC
Richard,
Post by Richard Jones
The following seems to parse but I’ve no idea if it’s working or not.
Specifically I doubt that chain will extend to all the following
SecRuleUpdate's.
SecRule REQUEST_URI "(?i)/+nmsruntime" \
"chain,id:'000002',phase:1,t:none,pass,log"
SecRuleUpdateTargetById 981317 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^VarQuestion_[0-9]+/"
SecRuleUpdateTargetById 981245 "!REQUEST_COOKIES:/^VarQuestion_[0
No, this does not work. chain is limited to SecRule.

I believe, what you want is:

SecRule REQUEST_URI "..." "phase:1,...,ctl:ruleRemoveTargetById=981317;REQUEST_COOKIES:/^VarQuestion/,ctl:ruleRemoveTargetById=981257;..."

I have not tried this out myself. But this is the basic pattern I would
use.

What I am not sure of is whether you really want to limit the ignoring of the
said cookies to a certain path. This implies you want to check
these cookies for other paths as well. Would it not be simpler to
use SecRuleUpdateTargetById without path restriction and ignore
the cookies site-wide?

Likewise, my regex pattern assumes VarQuestion_... brings only
numbers as suffix. And as this should cover all of them, I think
the simpler and faster regex pattern is good enough.
Post by Richard Jones
And using the Anomaly scoring method I couldn’t work out how to update
the REQUEST_COOKIE target to exclude these cookies, and it doesn’t look
like I can use a regex to capture VarQuestion_[0-9]+.
I have something in mind that there is an issue with the +. Maybe you
want to try *. What certainly does not work is (a|b) patterns. Do not
know why.

Ahoj,

Christian
Post by Richard Jones
Thanks,
Richard
--
http://www.jonze.com/privacy.html
--
Christian Folini
Ringstrasse 2
CH-3639 Kiesen
+41 (0)31 301 60 71 (H)
+41 (0)79 220 23 76 (M)
mailto:***@netnea.com (Business)
mailto:***@time-machine.ch (Private)
http://www.christian-folini.ch
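The thread turns on one point: a target exclusion like !REQUEST_COOKIES:/^VarQuestion_[0-9]+/ removes cookies from inspection by their name, never by their value, so the regex must describe the cookie names and nothing else. The following Python model is an added example written for this page; it is not ModSecurity or CRS code. It assumes a constructed Cookie header modelled on the one Richard posted (the cookie names PHPSESSID, VarQuestion_0002 and VarQuestionX are invented), and it uses a toy keyword check as a stand-in for the CRS SQL injection rules, purely to show which cookies would still trigger after each of the two exclusion patterns discussed (Richard's numbered-suffix pattern and Christian's shorter /^VarQuestion/).

```python
import re
from typing import Dict, Iterable, List

# Constructed sample Cookie header modelled on the one quoted in the thread:
# a session cookie, two numbered VarQuestion_ answers, and a look-alike name.
SAMPLE_COOKIE_HEADER = (
    "PHPSESSID=abc123; "
    "VarQuestion_0001=Lots%of%percent%signs%select%join%delete; "
    "VarQuestion_0002=another%answer%union%here; "
    "VarQuestionX=not-a-numbered-answer"
)

# Crude stand-in for an SQL injection signature; the real CRS rules are far richer.
SQL_KEYWORDS = re.compile(r"(?i)\b(select|union|delete|join|insert|drop)\b")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value, the shape of REQUEST_COOKIES."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def selector_matches(selector: str, name: str) -> bool:
    """A target selector is a literal name or /regex/ tested against the name.

    This mirrors the selector form used in the thread
    (REQUEST_COOKIES:/^VarQuestion_[0-9]+/); it is not ModSecurity's parser.
    """
    if len(selector) > 2 and selector.startswith("/") and selector.endswith("/"):
        return re.search(selector[1:-1], name) is not None
    return selector == name


def remaining_targets(cookies: Dict[str, str], exclusions: Iterable[str]) -> Dict[str, str]:
    """Drop every cookie whose *name* matches one of the '!REQUEST_COOKIES:...' selectors.

    Exclusion is by name only; the value is never consulted, which is why the
    pattern must describe the cookie names rather than their contents.
    """
    exclusions = list(exclusions)
    return {
        name: value
        for name, value in cookies.items()
        if not any(selector_matches(sel, name) for sel in exclusions)
    }


def flagged_cookies(cookies: Dict[str, str]) -> List[str]:
    """Names of cookies the toy signature would flag, i.e. the false positives."""
    return sorted(name for name, value in cookies.items() if SQL_KEYWORDS.search(value))


if __name__ == "__main__":
    jar = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    print("flagged before exclusion:", flagged_cookies(jar))
    for sel in ("/^VarQuestion_[0-9]+/", "/^VarQuestion/"):
        left = remaining_targets(jar, [sel])
        print(f"{sel:25} still inspected: {sorted(left)}  flagged: {flagged_cookies(left)}")
```

Running it shows that the numbered-suffix pattern leaves PHPSESSID and the look-alike VarQuestionX under inspection while clearing the false positives, whereas the shorter /^VarQuestion/ also drops VarQuestionX; that is the trade-off Christian points to when he suggests the simpler pattern, and the check worth doing against your own cookie names before widening it site-wide.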