blocking allowed content-type

Description

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^application/repository.jdbcDataSource+json|application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-str (69 characters omitted)' against variable `TX:0' (Value: `application/repository.jdbcDataSource+json' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "894"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "application/repository.jdbcDataSource+json"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "172.20.0.12"] [uri "/jasperserver/rest_v2/connections"] [unique_id "1626378869"] [ref "o0,42v468,42"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.20.0.12"] [uri "/jasperserver/rest_v2/connections"] [unique_id "1626378869"] [ref ""]

Audit Logs / Triggered Rule Numbers

900220 I think?

Your Environment

  • CRS version (e.g., v3.2.0): 3.2.0
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3.2.0
  • Web Server and version (e.g., apache 2.4.41): nginx 1.21.1
  • Operating System and version: debian buster (in a docker container)

Confirmation

[*] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

As you can see from the audit log, we have already added application/repository.jdbcDataSource+json to the tx.allowed_request_content_type but it is still blocking.

Thanks!

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 12 (8 by maintainers)

Top GitHub Comments

1 reaction
dosfx commented, Jul 19, 2021

No worries @airween, I’m on the same page now.

The only way I can get it to work is to escape the + in the allowed_request_content_type, so in our crs-setup.conf we’ve got setvar:'tx.allowed_request_content_type=application/repository.jdbcDataSource\+json|appli....... Which is all fine, it works, but if you want to keep digging as to why you’re able to make a request and I’m not, we can.
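The behaviour dosfx describes follows from how rule 920420 in CRS 3.2 consumes the list: the log in the issue shows operator Rx with the allowed-type list (prefixed by ^) as its parameter, so every entry is a regular expression, and an unescaped + is a quantifier rather than a literal plus sign. The Python below is an added illustration, not code from the CRS project or from the issue. It models the check in simplified form: anchoring the whole list as ^(?:...)$ and taking the media type up to the first ';' or whitespace are assumptions of the model, and the sample allowed list is abbreviated from the log line rather than copied from any crs-setup.conf. The same reading applies to the unescaped application/soap+xml entry visible in that log line, which the model also shows.

```python
import re

# Constructed sample list, abbreviated from the rule parameter quoted in the
# issue's log line. Not copied from a crs-setup.conf.
CRS_DEFAULT_LIST = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|"
    "application/xml|application/soap+xml|application/x-amf|application/json|"
    "application/octet-stream|text/plain"
)

# The media type from the issue's log line.
REPORTED_TYPE = "application/repository.jdbcDataSource+json"


def media_type(content_type_header: str) -> str:
    """Return the bare media type from a Content-Type header value.

    Assumption of this model: the header is captured up to the first ';' or
    whitespace, so parameters such as charset are dropped. The log's
    [ref "o0,42"] is consistent with a capture of the 42-byte media type.
    """
    m = re.match(r"^([^;\s]+)", content_type_header)
    return m.group(1) if m else ""


def allowed_by_rx(allowed_list: str, content_type_header: str) -> bool:
    """Emulate the CRS 3.2 style check: the tx.allowed_request_content_type
    value is interpolated into a regex and anchored, so each '|'-separated
    entry is a regex, not a literal string.  (Anchoring as ^(?:...)$ is a
    simplification assumed here.)"""
    pattern = re.compile(r"^(?:" + allowed_list + r")$")
    return pattern.match(media_type(content_type_header)) is not None


def add_allowed_type(allowed_list: str, new_type: str) -> str:
    """Append a media type as a literal alternative by regex-escaping it.

    The issue's fix escaped only the '+'; re.escape also escapes '.', which
    is harmless and slightly stricter (a '.' would otherwise match any byte).
    """
    return allowed_list + "|" + re.escape(new_type)


if __name__ == "__main__":
    naive = CRS_DEFAULT_LIST + "|" + REPORTED_TYPE
    fixed = add_allowed_type(CRS_DEFAULT_LIST, REPORTED_TYPE)
    print("unescaped entry allows literal type :", allowed_by_rx(naive, REPORTED_TYPE))
    print("unescaped entry allows 'Sourcejson' :",
          allowed_by_rx(naive, "application/repository.jdbcDataSourcejson"))
    print("escaped entry allows literal type   :", allowed_by_rx(fixed, REPORTED_TYPE))
    print("default list allows soap+xml literal:",
          allowed_by_rx(CRS_DEFAULT_LIST, "application/soap+xml"))
```

Run as a script it prints False, True, True, False: the unescaped entry never matches the real header (the + consumes a preceding 'e' instead), while it does match a type nobody sends. The practical check after editing crs-setup.conf is therefore to send one request with the exact Content-Type and confirm no 920420 warning appears in the error log, and also to grep the configured list for unescaped regex metacharacters (+ and . being the usual ones in vendor media types).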

1 reaction
fzipi commented, Jul 19, 2021

@airween Maybe adding something to our documentation would help others also?
