Detection of CRLF in automatically URLDecoded elements #638

CRS-migration-bot · 2020-05-13T12:53:55Z

Issue originally created by user csanders-git on date 2016-10-31 20:54:02.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#638.

Apache and Nginx tend to be really annoying about automatically URL decoding certain things. Not all applications will in fact do this. There is currently a problem where URLDecoding twice is actually a bit of a nasty issue see #590. CRLF is actually quite easy to detect in non-urldecoded entities because valid use of /r or /n must be encoded. This was an issue in #633 and the reason we had to split the rule into a second PL.

CRS-migration-bot · 2020-05-13T12:53:57Z

User lifeforms commented on date 2016-10-31 21:30:14:

I think the mention of #633 in this issue is a misunderstanding; that issue was not related to encoding, the rule simply blocked (properly url-encoded) %0d%0a because of a risk of header injection through XSS. The rule seemed good but in my opinion just too strict for general use in PL1.

CRS-migration-bot · 2020-05-13T12:53:58Z

User csanders-git commented on date 2016-10-31 22:20:30:

well the issues are somewhat related. If Apache didn't automatically decode then we'd never have tolook for %0d%0a but rather raw \r\n. As encoded values in that sense wouldn't trigger header injection unless it was being decoded very early on in the process or via the DOM.

CRS-migration-bot · 2020-05-13T12:53:59Z

User lifeforms commented on date 2016-10-31 22:25:47:

Do you mean that the rule was supposed to be against actual newline chars in the url-encoded blob sent over the wire? I think those should lead to a new line in the HTTP protocol and not be interpreted as part of the args. But I admit I never looked into this. If that is a concern then maybe REQUEST_URI_RAW could be checked. (Something else I've never used ;) )

CRS-migration-bot · 2020-05-13T12:54:00Z

User csanders-git commented on date 2016-10-31 22:26:53:

I assumed it was for header injection / request smuggling type attacks. If this is the case only a REAL \r\n would work. maybe i'm wrong though.

CRS-migration-bot · 2020-05-13T12:54:02Z

User lifeforms commented on date 2016-10-31 22:29:01:

Could be right, I have little experience with those protocol related rules...

CRS-migration-bot · 2020-05-13T12:54:03Z

User fgsch commented on date 2019-10-20 22:12:15:

This issue has timed out as it has not received any update in over 2 years.
If this is still a problem please open a new issue.

CRS-migration-bot added the ⌛ Stale issue This issue has been open 120 days with no activity. label May 13, 2020

CRS-migration-bot closed this as completed May 13, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Detection of CRLF in automatically URLDecoded elements #638

Detection of CRLF in automatically URLDecoded elements #638

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Detection of CRLF in automatically URLDecoded elements #638

Detection of CRLF in automatically URLDecoded elements #638

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!