question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Rule 920310 (CRS3) not firing if no User-Agent is submitted

See original GitHub issue

_Issue originally created by user dune73 on date 2016-06-21 09:16:41. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/370._

920310 (CRS3) is meant to alarm if there is no Accept header. There are cases where an alarm is suppressed based on the User-Agent. However, given the construction of the rule, a request without a User-Agent will never trigger 920310, which is a false negative.

Possible solutions:

  • 2nd rule covering this special case
  • replace @pm with regex and check for empty header

Thoughts?

This issue evolved from a discussion in #366.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:5

github_iconTop GitHub Comments

1reaction
CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2016-07-02 15:11:17:

Can’t resist such an invitation. Please consider #389 as my offering.

1reaction
CRS-migration-botcommented, May 13, 2020

User dune73 commented on date 2016-06-28 12:34:10:

csanders-git : good remark about 920320 being notice. I overlooked that.

Covering the special case at a higher PL does not seem right to me as it allows a simple evasion at PL1 to go mostly unnoticed and it tears two rules with the same goal apart within the same rule file.

I think a PL1 sibling 920311 right after 920310 is the better solution:

SecRule REQUEST_HEADERS:Accept "^$" \
  ...id:920310
     SecRule REQUEST_METHOD "!^OPTIONS$" \
       "chain"
          SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
          ...

That way the problem is contained at PL1 and within the same area in the rule file.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Rule 920310 (CRS3) not firing if no User-Agent is submitted
920310 (CRS3) is meant to alarm if there is no Accept header. There are cases where an alarm is suppressed based on the...
Read more >
Create an exception for a blocked user agent - AWS WAF ...
If traffic from some non-browser user agents is being erroneously blocked, you can create an exception by setting the offending AWS WAF Bot...
Read more >
CRS rule groups and rules - Azure Web Application Firewall
If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the...
Read more >
Is lack of User-Agent in HTTP request valid? - Stack Overflow
UPDATE My intention with the phrase "real-world" was to indicate that I am not asking what the HTTP protocol permits. It is permitted...
Read more >
User-Agent - HTTP - MDN Web Docs - Mozilla
The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found