Modsecurity with Passwordstate · Issue #1923 · coreruleset/coreruleset · GitHub
Closed
mackov83 opened this issue Nov 13, 2020 · 5 comments
Comments

@mackov83

Description

When Modsecurity is enabled in my virtual hosts file, authentication into the application fails. It is supposed to authenticate with AD, then complete an OTP challenge. Even with the OTP challenge disabled, the AD authentication doesn't seem to happen - i.e. login credentials go blank, like the page is reset.

The backend IIS server does not seem to have anything to suggest that a login was even attempted.

Application is PasswordState - https://www.clickstudios.com.au/

Audit Logs / Triggered Rule Numbers

---C7fPeKv9---A--
[13/Nov/2020:16:13:03 +1100] 1605244383 0x565068435d80 14628 0x565068487440 443
---C7fPeKv9---B--
GET /Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1&_TSM_CombinedScripts_=%3b%3bSystem.Web.Extensions%2c+Version%3d4.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3d31bf3856ad364e35%3aen-US%3a1b322a7c-dfaa-439f-aa80-5f3d155ef91d%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c+Version%3d2020.2.617.45%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3aen-US%3a77834329-9f9d-4011-8eac-a82ffa414dd7%3a16e4e7cd%3aed16cbdc%3a33715776%3af7645509%3a24ee1bba%3ac128760b%3a1e771326%3a88144a7a%3aeaae47ab HTTP/2.0
host: pw.domain.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; PasswordstateLoginDomain=ADDomainNetBIOS=domain; ASP.NET_SessionId=nitu3xx3q1dvyhdtoxqhncku
accept: */*
te: trailers
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://pw.domain.com/logins/loginadan.aspx

---C7fPeKv9---D--

---C7fPeKv9---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---C7fPeKv9---F--
HTTP/2.0 403
Server: nginx
Date: Fri, 13 Nov 2020 05:13:03 GMT
Content-Length: 146
Content-Type: text/html
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubDomains

---C7fPeKv9---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.axd/' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.83.10.40"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "1605244383"] [ref "o26,4o27,3v5,30o20,5t:urlDecodeUni,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.83.10.40"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "1605244383"] [ref ""]

---C7fPeKv9---I--

---C7fPeKv9---J--

---C7fPeKv9---Z--

Virtual Host access.log

2020/11/13 12:50:54 [error] 574673#574673: *86035 [client 10.83.2.23] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.83.10.40"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "1605232254"] [ref ""], client: 10.83.2.23, server: pw.domain.com, request: "GET /Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1&_TSM_CombinedScripts_=%3b%3bSystem.Web.Extensions%2c+Version%3d4.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3d31bf3856ad364e35%3aen-US%3a1b322a7c-dfaa-439f-aa80-5f3d155ef91d%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c+Version%3d2020.2.617.45%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3aen-US%3a77834329-9f9d-4011-8eac-a82ffa414dd7%3a16e4e7cd%3aed16cbdc%3a33715776%3af7645509%3a24ee1bba%3ac128760b%3a1e771326%3a88144a7a%3aeaae47ab HTTP/2.0", host: "pw.swmccarthy.com", referrer: "https://pw.domain.com/logins/loginadan.aspx"

Your Environment

Comments

A brief search led me to believe that this may be getting blocked because of a rule not allowing .axd extension - is my assumption here correct?
If so, is there a safe way to ignore it?

Confirmation

[ X ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@azurit
Member
azurit commented Nov 13, 2020

Yes, .axd is within the restricted extensions list. Can you explain why your application is using this extension?

@mackov83
Author
mackov83 commented Nov 13, 2020

Are there any specifics of what I should be asking of the application vendor? They were upfront and told me that it is an ASP.NET application, which I see commonly uses .axd extensions.

@azurit
Member
azurit commented Nov 13, 2020

Ok. You can remove this extension from the restricted list in the configuration file crs-setup.conf:

  • uncomment rule ID 900240
  • remove .axd/ from the line starting with setvar:'tx.restricted_extensions=
  • save the file and reload the web server configuration
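Added example (not part of azurit's reply and not a file shipped by CRS): editing rule 900240 lifts the .axd restriction for every path on the virtual host, whereas a rule exclusion scoped to the one resource that legitimately needs it keeps rule 920440 active everywhere else. The exclusion below uses the exact path from the audit log above; the rule id 1000 is an arbitrary choice from the local range (1-99,999), and the file name REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf follows the CRS convention for exclusions that must run before the CRS rules.

```apache
# Place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (CRS convention: this file is
# included before the CRS rule files, so the ctl action below takes effect before
# rule 920440 is evaluated in phase 2).
#
# Disable only rule 920440 (restricted file extension), only for the Telerik
# script-combining handler seen in the audit log. Every other request, including
# any other .axd path, is still checked against the restricted extension list.
SecRule REQUEST_FILENAME "@streq /Telerik.Web.UI.WebResource.axd" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920440"
```

After saving, reload the web server and repeat the login. With the exclusion in place the 920440 warning should no longer appear for this URI in the audit log, so the anomaly score for the request stays below the blocking threshold of 5 that rule 949110 enforced above. If rule 900240 is left uncommented in crs-setup.conf, the stock restricted extension list, .axd included, still applies to all other paths.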

@mackov83
Author

Thanks @azurit, that seems to have resolved that issue. However I now have another one related to rule 954120 - IIS Information Leakage. Should I raise this as a new issue?

@azurit
Member
azurit commented Nov 13, 2020

Yes, thank you.
