Improve XML External Entity (XXE) detection
Motivation
I could be wrong but as far as I can tell, the XML External Entity (XXE) protection offered by CRS is fairly poor. There have been multiple attempts in the past to address these shortcomings but they have not succeeded and there are currently no ongoing efforts to improve the situation.
These are the issues and pull requests that have been created in the past:
- https://github.com/coreruleset/coreruleset/issues/1319
- https://github.com/coreruleset/coreruleset/issues/1320
- https://github.com/coreruleset/coreruleset/pull/2061
- https://github.com/coreruleset/coreruleset/pull/2163
From the discussions in the tickets and pull requests above, the problem appears to be that there is a shortcoming of ModSecurity which causes the targeted collections (REQUEST_BODY and FULL_REQUEST) to be empty if a body parser has been activated. This, of course, would be the case in most situations where XXE detection is desired, breaking the proposed rules.
However, since the information related to XXEs is contained in <!DOCTYPE ...> tags, which are not accessible through the XML collection using XPath expressions, it is not possible to write reliable ModSecurity rules to detect XXEs for these requests.
This issue is known but considering the following discussion, it is unlikely to be fixed in ModSecurity any time soon: https://github.com/SpiderLabs/ModSecurity/issues/2087.
There have been comments that a plugin leveraging ModSecurity’s Lua capabilities might help but as far as I can tell, this was never implemented: https://github.com/coreruleset/coreruleset/pull/2163#issuecomment-997432471.
Proposed solution
Implement a plugin similar to the antivirus plugin which can reliably detect XXEs in requests independently of whether or not a body parser has been activated.
Alternatives
A cleaner approach might be to create a pull request to ModSecurity to provide additional information about the payload like the DOCTYPE through either the existing XML collection or through a new collection. This would allow for regular rules to be written in order to detect XXEs. However, this would require a change to ModSecurity, which is outside the control of the Core Rule Set Project.
Additional context
There is a ModSecurity directive related to XXEs: SecXmlExternalEntity. This directive is turned off by default. From what I understand, this directive only configures whether ModSec expands External Entities in XML or not. It does not configure whether XXEs are allowed in general or not. XML containing XXEs is not blocked, even if SecXmlExternalEntity is turned off.
There are rules that might detect XXEs in certain circumstances, however, this is mostly incidental as they do not explicitly check for XXEs.
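The check a body-parser-independent plugin would need to perform is on the raw request body, not on the parsed XML tree: it has to find the DOCTYPE prolog and look for declarations of external (SYSTEM or PUBLIC) general or parameter entities, or an external DTD subset named on the DOCTYPE itself. The following is an added example of that logic, not CRS, ModSecurity or plugin code; all sample bodies are constructed, and the URIs in them are placeholders. The extractor tracks quotes, bracket depth and comments rather than stopping at the first `>`, because entity values in the internal subset may legitimately contain `>`, and a declaration inside a comment must not count.

```python
"""Detect external entity declarations in the DOCTYPE of a raw XML body.

Added example (not CRS/ModSecurity code). Models the check a plugin would
have to make independently of the XML body parser: the verdict is based on
the declaration alone, so it does not depend on whether a downstream parser
is configured to expand external entities.
"""
import re

# XML comments inside the DTD are stripped before matching, so that a
# commented-out <!ENTITY ...> declaration is not reported.
_COMMENT_RE = re.compile(r"<!--.*?-->", re.S)

# <!DOCTYPE root SYSTEM "uri"> or <!DOCTYPE root PUBLIC "id" "uri">:
# the whole external DTD subset is fetched from outside the document.
_EXT_DTD_RE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\b", re.I)

# <!ENTITY name ...> or <!ENTITY % name ...>; group 3 tells whether the
# entity is external (SYSTEM/PUBLIC) or internal (a quoted literal follows).
_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s%]+)\s+(SYSTEM|PUBLIC|[\"'])", re.I)


def extract_doctype(body: str):
    """Return the full DOCTYPE declaration (with internal subset) or None.

    Walks the prolog character by character: quoted literals and comments
    are skipped, '[' / ']' track the internal subset, and the declaration
    ends at the first '>' outside both a quote and the subset.
    """
    m = re.search(r"<!DOCTYPE\b", body, re.I)
    if not m:
        return None
    i, depth, quote, n = m.end(), 0, None, len(body)
    while i < n:
        c = body[i]
        if quote:                       # inside a quoted literal
            if c == quote:
                quote = None
            i += 1
            continue
        if body.startswith("<!--", i):  # skip a comment entirely
            end = body.find("-->", i + 4)
            if end == -1:
                return None             # unterminated comment: malformed prolog
            i = end + 3
            continue
        if c in "'\"":
            quote = c
        elif c == "[":
            depth += 1
        elif c == "]":
            depth -= 1
        elif c == ">" and depth == 0:
            return body[m.start():i + 1]
        i += 1
    return None                         # unterminated DOCTYPE


def analyze(body: str) -> dict:
    """Classify the DOCTYPE of a body into external/internal/parameter entities."""
    result = {"has_doctype": False, "external_dtd": False,
              "external_entities": [], "parameter_entities": [],
              "internal_entities": []}
    doctype = extract_doctype(body)
    if doctype is None:
        return result
    result["has_doctype"] = True
    dtd = _COMMENT_RE.sub("", doctype)
    result["external_dtd"] = bool(_EXT_DTD_RE.search(dtd))
    for m in _ENTITY_RE.finditer(dtd):
        is_param, name = m.group(1) is not None, m.group(2)
        external = m.group(3).upper() in ("SYSTEM", "PUBLIC")
        if is_param:
            result["parameter_entities"].append(name)
        if external:
            result["external_entities"].append(name)
        elif not is_param:
            result["internal_entities"].append(name)
    return result


def is_xxe(body: str) -> bool:
    """True when the body declares any external entity or an external DTD subset."""
    r = analyze(body)
    return r["external_dtd"] or bool(r["external_entities"])


# Constructed sample bodies; URIs are placeholders, not real resources.
SAMPLES = {
    "plain": '<?xml version="1.0"?><order><id>42</id></order>',
    "internal_entity": ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY co "ACME Corp">]>'
                        '<order><vendor>&co;</vendor></order>'),
    "external_file": ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY xxe SYSTEM '
                      '"file:///placeholder/path">]><order><id>&xxe;</id></order>'),
    "external_param": ('<!DOCTYPE order [<!ENTITY % dtd SYSTEM '
                       '"http://dtd.example.test/x.dtd"> %dtd;]><order/>'),
    "external_subset": '<!DOCTYPE order SYSTEM "http://dtd.example.test/order.dtd"><order/>',
    "commented_out": ('<!DOCTYPE order [<!-- <!ENTITY xxe SYSTEM "file:///x"> -->'
                      ' <!ENTITY co "x">]><order/>'),
    "quoted_gt": '<!DOCTYPE o [<!ENTITY v "1 > 0"> <!ENTITY xxe SYSTEM "file:///p">]><o/>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} xxe={is_xxe(body)!s:5} {analyze(body)}")
```

Only `external_file`, `external_param`, `external_subset` and `quoted_gt` are flagged; a DOCTYPE with purely internal entities is not, which keeps the check narrower than a blanket "any DOCTYPE" rule. A plugin could export these results into the TX collection so that ordinary rules can act on them.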
Issue Analytics
- Created a year ago
- Reactions: 3
- Comments: 57 (57 by maintainers)
Top GitHub Comments
I’m able to maintain both versions.
Simple XPath expressions like the ones used in CRS for the XML collection could be implemented using Regexes as far as I can tell as long as the elements and their attributes are available in the TX collection. An example for this was given by @azurit.
This would not necessarily have been the case if CRS made use of more complex XPath expressions.