Problem with exclusion rules and ruleRemoveTargetByTag
Issue originally created by user j0k2r on 2019-06-03 11:39:16. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1444
Hi guys,
I use OWASP CRS to protect a WordPress application, and I noticed some suspicious behavior (or I misunderstand how exclusion rules work).
For example, the request:
```
POST /wp-login.php HTTP/1.1
Accept: '*/*'
Content-Length: '124'
Content-Type: application/x-www-form-urlencoded
Host: example.fr
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

log=abc&redirect_to=https%3A%2F%2Fexample.fr%2Fwp-admin%2F&wp-submit=log+In&testcookie=1&rememberme=forever&pwd=abc%21%40%23
```
is blocked by the rule 942100, caused by pwd=abc%21%40%23:
```
[155955490319.192434] [/wp-login.php] [9] Target value: "abc!@#" (Variable: ARGS:pwd)
[155955490319.192434] [/wp-login.php] [4] detected SQLi using libinjection with fingerprint 'novc' at: 'abc!@#'
[155955490319.192434] [/wp-login.php] [7] Added DetectSQLi match TX.0: novc
[155955490319.192434] [/wp-login.php] [9] Matched vars updated.
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:sql_injection_score with value: 5
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:msg with value: SQL Injection Attack Detected via libinjection
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:942100-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:pwd with value: abc!@#
```
But since I enabled the WordPress exclusion rules, this should not be triggered (exclusion rule 9002100):
```
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:crs_exclusions_wordpress with value: 1
```
The exclusion rule (9002100) "ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" should prevent 942100 from being triggered.
PS: When I explicitly set the "CRS" tag in rule 942100 (tag:'CRS'), it works like a charm.
Environment
ModSecurity v3/master c7fe50e, CRS version v3.1.0
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Seems to be related to: #1419
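As an added illustration, not code from the issue or the CRS project: a small model of how the tag argument of ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd is matched against the tags of rule 942100 decides whether ARGS:pwd is excluded, and why adding tag:'CRS' to the rule changes the outcome under literal matching. Which matching semantics the engine actually implements is not established on this page; the rule's tag list is reduced to the one tag visible in the log above, and its target list is a constructed subset.

```python
import re
from urllib.parse import parse_qs

# Constructed model of CRS rule 942100 and the WordPress exclusion from the
# issue. Illustrative code only, not ModSecurity's or the CRS project's
# implementation. The tag is taken from the log line
# "TX:942100-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:pwd"; targets are a subset.
RULE_942100 = {
    "id": 942100,
    "targets": ["ARGS_NAMES", "ARGS"],
    "tags": ["OWASP_CRS/WEB_ATTACK/SQL_INJECTION"],
}
# The request body posted in the issue (pwd=abc%21%40%23 decodes to abc!@#).
BODY = ("log=abc&redirect_to=https%3A%2F%2Fexample.fr%2Fwp-admin%2F"
        "&wp-submit=log+In&testcookie=1&rememberme=forever&pwd=abc%21%40%23")


def tag_matches(rule_tags, tag_arg, semantics):
    """Does the tag argument of ruleRemoveTargetByTag select this rule?

    'regex': the argument is a regular expression searched in each tag
             (so 'CRS' hits 'OWASP_CRS/WEB_ATTACK/SQL_INJECTION').
    'exact': the argument must equal one of the rule's tags literally.
    """
    if semantics == "regex":
        return any(re.search(tag_arg, t) for t in rule_tags)
    if semantics == "exact":
        return tag_arg in rule_tags
    raise ValueError(semantics)


def effective_targets(rule, tag_arg, removed_target, semantics):
    """Apply ctl:ruleRemoveTargetByTag=<tag_arg>;<removed_target>.

    A matching exclusion is modelled as appending a negated target, the
    same effect as writing !ARGS:pwd in the rule's variable list.
    """
    targets = list(rule["targets"])
    if tag_matches(rule["tags"], tag_arg, semantics):
        targets.append("!" + removed_target)
    return targets


def inspected_args(targets, body):
    """Return the ARGS name/value pairs the rule would actually operate on."""
    if "ARGS" not in targets:
        return {}
    params = parse_qs(body, keep_blank_values=True)
    excluded = {t[len("!ARGS:"):] for t in targets if t.startswith("!ARGS:")}
    return {k: v[0] for k, v in params.items() if k not in excluded}
```

Under regex matching ARGS:pwd is dropped from 942100's targets; under literal matching the exclusion never selects the rule, so pwd is still inspected until the rule carries a tag equal to "CRS", which is exactly the workaround described above.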
Top GitHub Comments
User j0k2r commented on date 2019-06-04 08:46:06:
Hi theMiddleBlue,
Same problem, it works when I explicitly specify the target rule:
But not with the range ID:
User dune73 commented on date 2019-06-03 13:51:29:
Adding it to tonight’s agenda.