REQUEST-944-APPLICATION-ATTACK-JAVA.conf · Issue #990 · coreruleset/coreruleset · GitHub

Closed
CRS-migration-bot opened this issue May 13, 2020 · 20 comments

Comments


Issue for tracking original pull request created by user spartantri on date 2017-12-28 22:09:36.
Link to original PR: SpiderLabs/owasp-modsecurity-crs#990.

HEAD is: e8cc868
BASE is: ce36ede
Java attacks updated config


User fzipi commented on date 2018-01-01 16:58:54:

Shouldn't this be 2018 now?


User fzipi commented on date 2018-01-01 17:00:18:

Is this normal indentation?


User fzipi commented on date 2018-01-01 17:01:03:

This 'SecRule' should be aligned with the previous 'chain'


User fzipi commented on date 2018-01-01 17:01:58:

This 'SecRule' should be aligned with the previous 'chain'


User fzipi commented on date 2018-01-01 17:02:10:

Same here.


User spartantri commented on date 2018-01-02 15:44:09:

Fixed all those, sorry about that; it is my personal indentation style to distinguish short chains. Anyway, removed all those extra 4 spaces to align to contributing.md


User spartantri commented on date 2018-01-02 15:44:33:

I don't know but changed anyway


User lifeforms commented on date 2018-02-04 19:10:15:

Why do we have SecRequestBodyAccess On here? It's in mod_security2.conf, I would remove it here. Users should generally have this enabled (or the CRS will run ineffectively anyway), but if they should disable it (maybe for debugging purposes, etc.) I feel we should honor that.


User lifeforms commented on date 2018-02-04 19:14:28:

  1. As a small nitpick for the msg, these are all Suspicious Java class instead of method.

  2. There are many other strings I found in some exploit payloads. I had suggested some in the last PR. Could we change this rule to a @pmf with a java-classes.data file?

  3. For completeness, my blacklist is as follows, but if you feel it's not necessary to use them all, I would still recommend using a data file, and then we can improve it later easily with another PR:

com.opensymphony.xwork2.
com.sun.org.apache.
java.io.BufferedInputStream
java.io.BufferedReader
java.io.ByteArrayInputStream
java.io.ByteArrayOutputStream
java.io.CharArrayReader
java.io.DataInputStream
java.io.File
java.io.FileOutputStream
java.io.FilterInputStream
java.io.FilterOutputStream
java.io.FilterReader
java.io.InputStream
java.io.InputStreamReader
java.io.LineNumberReader
java.io.ObjectOutputStream
java.io.OutputStream
java.io.PipedOutputStream
java.io.PipedReader
java.io.PrintStream
java.io.PushbackInputStream
java.io.Reader
java.io.StringReader
java.lang.Class
java.lang.Integer
java.lang.Number
java.lang.Object
java.lang.Process
java.lang.ProcessBuilder
java.lang.reflect.
java.lang.Runtime
java.lang.String
java.lang.StringBuilder
java.lang.System
javax.script.ScriptEngineManager
org.apache.commons.
org.omg.CORBA.


User lifeforms commented on date 2018-02-04 19:18:20:

I notice this rule is in Paranoia Level 3, which feels a bit high for me, since the rule is pretty nice and I think the byte sequence should be rare... Have you found false positives on this rule? I would advocate Paranoia Level 1, or if you found FPs, Paranoia Level 2.


User lifeforms commented on date 2018-02-04 19:20:18:

This rule seems pretty specific and not prone to FP, what about moving it to a lower Paranoia Level like 2?


User lifeforms commented on date 2018-02-04 19:21:31:

Is this rule duplicate?


User spartantri commented on date 2018-02-05 10:10:23:

You are right. I wrote these with an empty ruleset first, so I put this here to make sure it worked. I will remove this and add a comment about it.


User spartantri commented on date 2018-02-05 18:26:29:

I'm not sure how common this may be for legitimate purposes so let's start with 3 and lower it once we have some feedback.


User spartantri commented on date 2018-02-05 18:27:57:

Fixed, missed that one.


User spartantri commented on date 2018-02-05 18:37:14:

No, there is no chain in this one; it is intended to complain about the most common keywords used to spawn a process.


User spartantri commented on date 2018-02-05 18:38:08:

Changed the message to class. Let's add this into a new rule, maybe a new PR if required.


User spartantri commented on date 2018-02-05 18:48:50:

Added to 944230 and class list into java-classes.data


User lifeforms commented on date 2018-02-05 20:46:19:

We leave this in for now and create a separate issue on how to handle this generally in setup/initialization file.


User spartantri commented on date 2018-02-06 18:11:36:

lifeforms There are no false negatives in my tests, but some of the rules were on pass instead of block for testing. Changed all back to block, please test again.

http://localhost/?redirect:$%7B%23matt%3d%20%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.setContentType('text/plain'),%23matt.getWriter().println%20('successsuccess'),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D

[Tue Feb 06 19:04:15.778459 2018] [:error] [pid 13977] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "com.opensymphony.xwork2" at ARGS_NAMES:redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ('successsuccess'),#matt.getWriter().flush(),#matt.getWriter().close()}. [file "/home/spartan/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"] [line "160"] [id "944230"] [rev "1"] [msg "Suspicious Java class detected"] [data "Matched Data: redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'),#matt.setcontenttype('text/plain'),#matt.getwriter().println ('successsuccess'),#matt.getwriter().flush(),#matt.getwriter().close()} found within ARGS_NAMES:redirect:${#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ('successsuccess'),#matt.getWriter().flush(),#matt.getWriter().close()}"] [severity "NOTICE"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "l [hostname "localhost"] [uri "/"] [unique_id "WnnuH38AAQEAADaZIF4AAAAK"]
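As an added example (not part of the original PR and not CRS's own code), the Python below emulates what the `@pmf java-classes.data` rule discussed above does with the test URL: the query is split on `&` and the first `=` before percent-decoding, so the encoded `%3d` stays inside the argument name and the phrase lands in `ARGS_NAMES`, exactly as the audit log entry reports. The class list is a constructed subset of the one proposed earlier in the thread, and the request is a shortened form of the test URL.

```python
from urllib.parse import unquote_plus

# Constructed subset of the class list proposed in the comment above;
# the real java-classes.data shipped with CRS may differ.
JAVA_CLASSES = [
    "com.opensymphony.xwork2.",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.lang.reflect.",
    "javax.script.ScriptEngineManager",
    "org.apache.commons.",
]

def parse_args(query):
    """Split the raw query on '&' and the first '=' *before* decoding,
    then percent-decode name and value separately. An encoded '%3d'
    therefore stays inside the name, so the hit shows up in ARGS_NAMES."""
    args = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args.append((unquote_plus(name), unquote_plus(value)))
    return args

def pmf_match(text, phrases):
    """Emulate '@pmf' after 't:lowercase': case-insensitive substring
    search; return the first phrase found, or None."""
    hay = text.lower()
    for phrase in phrases:
        if phrase.lower() in hay:
            return phrase
    return None

def inspect_query(query, phrases=JAVA_CLASSES):
    """Apply the phrase list to ARGS_NAMES and ARGS, returning
    (variable, phrase, matched_data) tuples like the audit log entry."""
    hits = []
    for name, value in parse_args(query):
        for var, data in (("ARGS_NAMES", name), ("ARGS", value)):
            phrase = pmf_match(data, phrases)
            if phrase:
                hits.append((var, phrase, data))
    return hits

# Constructed request: a shortened form of the test URL in the comment above.
SAMPLE_QUERY = ("redirect:$%7B%23matt%3d%20%23context.get('com.opensymphony."
                "xwork2.dispatcher.HttpServletResponse')%7D")
```

Calling `inspect_query(SAMPLE_QUERY)` yields one hit on `ARGS_NAMES` for `com.opensymphony.xwork2.`, while an ordinary query such as `q=hello&page=2` yields none.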
