
Audit Logs / Triggered Rule Numbers

FP can be easily triggered, for example, with this text in any POST field (real-world example from a music forum):

DJ Wich - soundtrack Gympl
anything other here so previous line ends with EOL

On the HTTP Request Smuggling webpage ( http://projects.webappsec.org/HTTP-Request-Smuggling ), the example of exploitation uses two Content-Length headers. Is there any other way to exploit this? If not, we should add something like this to the rule: SecRule &REQUEST_HEADERS_NAMES:Content-Length "@ge 1"

EDIT: Seems exploitation is also possible in other ways, see: https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Your Environment

  • CRS version (e.g., v3.2.0): 3.3.0
  • Paranoia level setting: PL1
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41): 2.4.25
  • Operating System and version: Debian Stretch

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 19 (19 by maintainers)

Top GitHub Comments

ssigwart commented, Oct 20, 2020 (1 reaction)

Actually, I forgot about the HTTP/1.1 part in this:

GET / HTTP/1.1
Host: www.example.com

Does this look right? I also added HTTPS checks.

- (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:([\r\n]|\/\w|\/|http:\/\/))
+ (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:(\/\w|\/|https?:\/\/))\S*\s+http\/
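Review bot: `propatch` in the method alternation on both lines looks like a typo for the WebDAV method `PROPPATCH`; if that spelling is inherited from the existing rule it should be corrected separately, otherwise that verb is never matched. On the `+` line the inner capturing group is unused and `\/\w` is redundant once `\/` is followed by `\S*`, so `(?:\/|https?:\/\/)\S*\s+http\/` is equivalent and easier to read. Also note that `\s+` before `http\/` admits CR/LF, so the version token may sit on a following line; if only a single request line is intended, `[ \t]+` is the tighter choice.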
ssigwart commented, Oct 20, 2020 (1 reaction)

@airween, even with your update, multipart/form-data results in a lot of false positives. Some are below.

------WebKitFormBoundaryg15aUipbRYn3XubQ
Content-Disposition: form-data; name="test"

Clock
------WebKitFormBoundaryg15aUipbRYn3XubQ--
------WebKitFormBoundaryFtAB5BueWPz4uBaB
Content-Disposition: form-data; name="test"

Clock / chip time: 12:34
------WebKitFormBoundaryFtAB5BueWPz4uBaB--

What do you think of this rule? It removes the HTTP/0.9 version check, but maybe that can be put into a separate rule that can be enabled if HTTP/0.9 is enabled.

SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:(\/\w|\/|http:\/\/))\w*[\r\n]" \
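The three regex variants quoted in this thread (the `-` and `+` lines from the first comment and the body-rule proposal just above) can be regression-tested against the samples the thread itself supplies. The harness below is an added example, not CRS or ModSecurity code and not anything the commenters posted; it assumes the operand is lowercased before matching (as `t:lowercase` would do), uses Python's `re` engine rather than PCRE, and the `http09_line` sample is constructed.

```python
# Regression harness for the 921110 regex variants quoted in this thread.
# Added example, not CRS or ModSecurity code. Assumes the operand is lowercased
# (as t:lowercase would do) and uses Python's re engine rather than PCRE.
import re

# Method alternation shared by all three variants, copied from the thread.
METHODS = (r"(?:get|post|head|options|connect|put|delete|trace|track|patch|"
           r"propfind|propatch|mkcol|copy|move|lock|unlock)")

# Tail of each variant as quoted: the "-" line, the "+" line, and the SecRule proposal.
PATTERNS = {
    "before":   re.compile(METHODS + r"\s+(?:([\r\n]|\/\w|\/|http:\/\/))"),
    "after":    re.compile(METHODS + r"\s+(?:(\/\w|\/|https?:\/\/))\S*\s+http\/"),
    "proposed": re.compile(METHODS + r"\s+(?:(\/\w|\/|http:\/\/))\w*[\r\n]"),
}

# Field values to test. The first four are taken from the thread; http09_line is constructed.
SAMPLES = {
    "forum_post": "DJ Wich - soundtrack Gympl\nanything other here so previous line ends with EOL\n",
    "clock_alone": "Clock\n------WebKitFormBoundaryg15aUipbRYn3XubQ--",
    "clock_chip_time": "Clock / chip time: 12:34",
    "embedded_request_line": "GET / HTTP/1.1\r\nHost: www.example.com\r\n",
    "http09_line": "GET /admin\r\n",  # constructed: request line with no version token
}


def transform(value: str) -> str:
    """Mimic the t:lowercase transformation the rule is assumed to run before @rx."""
    return value.lower()


def fires(pattern_name: str, value: str) -> bool:
    """True if the named variant would trigger on this field value."""
    return PATTERNS[pattern_name].search(transform(value)) is not None


def report() -> dict:
    """Matrix of sample name -> {variant: fired}."""
    return {name: {p: fires(p, value) for p in PATTERNS} for name, value in SAMPLES.items()}


def regressions(old: str, new: str) -> dict:
    """Samples where `new` stops firing ('lost') or starts firing ('gained') relative to `old`."""
    matrix = report()
    return {
        "lost": sorted(n for n, row in matrix.items() if row[old] and not row[new]),
        "gained": sorted(n for n, row in matrix.items() if row[new] and not row[old]),
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:22s} " + "  ".join(f"{p}={'FIRE' if v else '-'}" for p, v in row.items()))
    print("before -> after:", regressions("before", "after"))
    print("before -> proposed:", regressions("before", "proposed"))
```

Running it shows the trade-off the two comments are circling: the `+` line stops firing on "Clock / chip time: 12:34" (the `lock` inside "Clock" followed by a slash) but also stops firing on a bare HTTP/0.9-style line, while the SecRule proposal catches the 0.9-style line yet does not fire on "GET / HTTP/1.1", because `\w*` cannot cross the space before the version token. Neither quoted variant fires on the original reporter's forum text, so the rule that shipped in 3.3.0 (not quoted on this page) must differ from both. Catching both request-line shapes without the "Clock /" false positive needs two clauses, or a word boundary before the method.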
