
Should REQUEST_ARGS include cookies? #283

Open
rayward opened this issue Aug 16, 2017 · 1 comment


rayward commented Aug 16, 2017

I'm getting many SQL injection rules being triggered for a simple GET request that includes no request URI or post body, but there are some complex cookies being sent.

There are cookie-specific rules (e.g. SQL Injection character anomaly - COOKIES - 41014) that are being triggered while I've been testing, but many other rules are also being matched:

{
  "timestamp": 1502860171,
  "method": "GET",
  "uri": "/blah",
  "id": "45cea3a42e2f5845d032",
  "client": "192.168.33.1",
  "alerts": [
    {
      "match": 6,
      "msg": "SQL Injection character anomaly - COOKIES",
      "id": 41014
    },
    {
      "match": 6,
      "msg": "SQL Injection character anomaly - ARGS",
      "id": 41015
    },
    {
      "match": 26,
      "msg": "MySQL comment-/space-obfuscated injections and backtick termination",
      "id": 41018
    },
    {
      "match": 2,
      "msg": " SQL injection (authentication bypass)",
      "id": 41033
    },
    {
      "match": 11,
      "msg": "SQL probing attempt",
      "id": 41036
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99001
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99002
    },
    {
      "logdata": 20,
      "match": 20,
      "msg": "Request score greater than score threshold",
      "id": 99003
    }
  ]
}

Is it correct to be including cookies in REQUEST_ARGS?

My interpretation of https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#args is that it's query string + post body.

I guess it depends on how closely the rules were translated from ModSec...

Do you think this is working as intended?

Also, it would be useful if the alerts indicated the var and its value that triggered it.

p0pr0ck5 (Owner) commented

Hey @rayward,

Thanks for the report! Indeed, the REQUEST_ARGS collection should not contain cookie data. This is a bit of a mistranslation leftover from initial work before we tried to closely match ModSecurity functionality. I have plans to migrate the included rules to use the OWASP CRS v3 ruleset, but have not yet had the time to work on this (development here has slowed a bit in recent months).

> Also, it would be useful if the alerts indicated the var and its value that triggered it.

Indeed! This would be up to the msg or data metadata field in the rule to report it. Again, moving to CRS v3 would be the fix here :)
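An added example, not code from lua-resty-waf or from either commenter, illustrating both points in this thread: it builds REQUEST_ARGS (query string + body, the ModSecurity ARGS scope) and REQUEST_COOKIES from a constructed GET that carries only a serialized cookie, runs a simplified character-anomaly check over each collection (the check, its character set and threshold are assumptions standing in for the project's rules, not a copy of them), and records the variable and value behind each alert. With cookies wrongly merged into REQUEST_ARGS, the same cookie value fires in both collections, which is the pattern the report shows.

```python
from urllib.parse import parse_qsl, unquote

# Constructed stand-in for a "SQL injection character anomaly" rule (not the
# project's rule): flag a value containing at least THRESHOLD SQL-significant
# punctuation characters, the kind of check a serialized cookie blob trips.
ANOMALY_CHARS = set("'\";=(){}[]|\\`")
THRESHOLD = 6

def parse_cookie_header(header):
    """Minimal Cookie header splitter: 'a=1; b=2' -> [('a', '1'), ('b', '2')]."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, unquote(value)))
    return pairs

def build_collections(query, body, cookie_header, cookies_in_args=False):
    """Return the collections a rule would inspect.
    REQUEST_ARGS is query string + form body, the documented ModSecurity ARGS
    scope; cookies_in_args=True reproduces the mistranslation from the issue."""
    args = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    cookies = parse_cookie_header(cookie_header)
    if cookies_in_args:
        args = args + cookies
    return {"REQUEST_ARGS": args, "REQUEST_COOKIES": cookies}

def char_anomaly(value):
    return sum(ch in ANOMALY_CHARS for ch in value) >= THRESHOLD

def evaluate(collections):
    """Run the stand-in rule over every collection. Each alert names the
    collection, the variable and the offending value, the detail the thread
    asks the alert output to carry."""
    alerts = []
    for coll, pairs in collections.items():
        for var, value in pairs:
            if char_anomaly(value):
                alerts.append({"msg": f"SQL Injection character anomaly - {coll}",
                               "var": var, "value": value})
    return alerts

# Constructed sample: GET with no query string or body, but a URL-encoded
# serialized preferences cookie, like the "complex cookies" in the report.
SAMPLE_QUERY, SAMPLE_BODY = "", ""
SAMPLE_COOKIE = "prefs=a%3A2%3A%7Bi%3A0%3Bs%3A4%3A%22dark%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; theme=dark"

def alerts_for_sample(cookies_in_args):
    return evaluate(build_collections(SAMPLE_QUERY, SAMPLE_BODY, SAMPLE_COOKIE, cookies_in_args))
```

With the collections scoped correctly, only the REQUEST_COOKIES rule fires and the alert names `prefs` and its decoded value; with cookies merged into REQUEST_ARGS, an ARGS alert appears for the same cookie even though the request has no query string or body.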
