Description
We encountered a problem with false positives when calling the GraphQL component in the application (/rest/graphql). Sometimes the JSON query contains data that is blocked by one of the rules from the REQUEST-932-APPLICATION-ATTACK-RCE.conf file. We created the following SecRule in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file:
# Exclude the GraphQL query body (ARGS:json.query) from the three RCE rules
# for requests to /rest/graphql; every other argument stays inspected.
SecRule REQUEST_URI "@endsWith /rest/graphql" \
"id:1001,\
phase:2,\
t:none,\
pass,\
msg:'Exception 1001',\
ctl:ruleRemoveTargetById=932100;ARGS:json.query,\
ctl:ruleRemoveTargetById=932110;ARGS:json.query,\
ctl:ruleRemoveTargetById=932115;ARGS:json.query"
According to the audit log, the request is processed by rule 1001, but also by other rules that should be ignored based on the ctl:ruleRemoveTargetById commands in rule 1001.
Audit Logs / Triggered Rule Numbers
---QtWzYjhx---A--
[16/Sep/2022:14:44:24 +0200] 1663332264 10.xxx.xxx.xxx 7882 10.xxx.xxx.xxx 443
---QtWzYjhx---B--
POST /rest/graphql HTTP/1.1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-fetch-site: same-origin
origin: https://devportal
sec-ch-ua-mobile: ?0
referer: https://devportal/react/dashboard
sec-ch-ua-platform: "Windows"
pragma: no-cache
host: devportal
content-type: application/json
connection: keep-alive
sec-fetch-mode: cors
content-length: 351
accept-language: en-US,en;q=0.9
accept-encoding: gzip, deflate, br
accept: */*
cache-control: no-cache
sec-fetch-dest: empty
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
---QtWzYjhx---D--
---QtWzYjhx---F--
HTTP/1.1 200
content-language: en-US
content-length: 1216
content-type: application/json
date: Fri, 16 Sep 2022 12:44:24 GMT
x-powered-by: Servlet/3.1
strict-transport-security: max-age=31536000; includeSubDomains
---QtWzYjhx---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?: (5210 characters omitted)' against variable `ARGS:json.query' (Value: `{\x0a userTasks {\x0a type\x0a parameters {\x0a name\x0a value\x0a __typename\ (270 characters omitted)' ) [file "owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "102"] [id "932100"] [rev ""] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: \x0a id\x0a notificationText\x0a creationDate\x0a read\x0a car\x0a __typename\x0a }\x0a __typename found within ARGS:json.query: {\x0a userTasks {\x0a type\x0a parameters {\x0a (256 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.216.226.16"] [uri "/rest/graphql"] [unique_id "1663332264"] [ref "o185,110v11,301"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[ (5092 characters omitted)' against variable `ARGS:json.query' (Value: `{\x0a userTasks {\x0a type\x0a parameters {\x0a name\x0a value\x0a __typename\ (270 characters omitted)' ) [file "owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "274"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: {\x0a type\x0a parameters {\x0a name\x0a value\x0a __typename\x0a }\x0a __typename\x0a }\x0a notificationsForOverview {\x0a unreadCount\x0a userNotification {\x0a code\x0a id\x0a (427 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.216.226.16"] [uri "/rest/graphql"] [unique_id "1663332264"] [ref "o14,281v11,301"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `/rest/graphql' against variable `REQUEST_URI' (Value: `/rest/graphql' ) [file "owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"] [line "169"] [id "1001"] [rev ""] [msg "Exception 1001"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.216.226.16"] [uri "/rest/graphql"] [unique_id "1663332264"] [ref "o17,13v5,30"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.216.226.16"] [uri "/rest/graphql"] [unique_id "1663332264"] [ref ""]
---QtWzYjhx---I--
---QtWzYjhx---J--
---QtWzYjhx---Z--
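As an added diagnostic (not part of this issue or of the CRS project), the script below parses the H section of the audit log above, lists the matched rule ids in log order, and checks whether the rules named in the ctl:ruleRemoveTargetById actions still matched on ARGS:json.query and whether they were evaluated before rule 1001. A ctl action is applied at run time and only affects rules evaluated later in the same transaction, so a targeted rule that logs before the exclusion rule cannot have been affected by it. The four sample lines are abbreviated copies of the log messages above, with the long regex and data fields shortened.

```python
import re

# Constructed sample: abbreviated copies of the four H-section messages from the issue.
SAMPLE_H_SECTION = """\
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(...)' against variable `ARGS:json.query' (Value: `{ userTasks {' ) [file "owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "102"] [id "932100"] [rev ""] [msg "Remote Command Execution: Unix Command Injection"] [severity "2"] [uri "/rest/graphql"] [unique_id "1663332264"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(...)' against variable `ARGS:json.query' (Value: `{ userTasks {' ) [file "owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "274"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [severity "2"] [uri "/rest/graphql"] [unique_id "1663332264"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `/rest/graphql' against variable `REQUEST_URI' (Value: `/rest/graphql' ) [file "owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"] [line "169"] [id "1001"] [rev ""] [msg "Exception 1001"] [severity "0"] [uri "/rest/graphql"] [unique_id "1663332264"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "2"] [uri "/rest/graphql"] [unique_id "1663332264"]
"""

# The exclusion rule exactly as posted in the issue.
EXCLUSION_RULE = r'''SecRule REQUEST_URI "@endsWith /rest/graphql" \
"id:1001,phase:2,t:none,pass,msg:'Exception 1001',\
ctl:ruleRemoveTargetById=932100;ARGS:json.query,\
ctl:ruleRemoveTargetById=932110;ARGS:json.query,\
ctl:ruleRemoveTargetById=932115;ARGS:json.query"'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "932100"], [file "..."], ...
VAR_RE = re.compile(r"against variable `([^']*)'")      # the variable the operator matched on


def parse_h_section(text):
    """Return one dict per 'ModSecurity:' message, in log order (= evaluation order)."""
    events = []
    for line in text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        fields = dict(FIELD_RE.findall(line))
        var = VAR_RE.search(line)
        events.append({"id": fields.get("id", ""), "file": fields.get("file", ""),
                       "msg": fields.get("msg", ""), "variable": var.group(1) if var else ""})
    return events


def parse_exclusion_targets(secrule):
    """(rule_id, target) pairs named by ctl:ruleRemoveTargetById actions in a SecRule."""
    return re.findall(r"ctl:ruleRemoveTargetById=(\d+);([\w:.\-]+)", secrule)


def check_exclusion(events, exclusion_id, targets):
    """Targeted rules that still matched on the excluded variable, with their position
    relative to the exclusion rule; a match logged before it could not be affected."""
    first_pos = {}
    for i, e in enumerate(events):
        first_pos.setdefault(e["id"], i)
    excl_pos = first_pos.get(exclusion_id)
    findings = []
    for rid, target in targets:
        for e in events:
            if e["id"] == rid and e["variable"] == target:
                before = excl_pos is not None and first_pos[rid] < excl_pos
                findings.append({"id": rid, "target": target, "evaluated_before_exclusion": before})
    return findings


if __name__ == "__main__":
    evs = parse_h_section(SAMPLE_H_SECTION)
    print("rule order:", [e["id"] for e in evs])
    for f in check_exclusion(evs, "1001", parse_exclusion_targets(EXCLUSION_RULE)):
        print(f)
```

For the log above it reports 932100 and 932115 matching on ARGS:json.query with evaluated_before_exclusion set, i.e. rule 1001 was logged after the two rules it was meant to exclude; 932110 produced no finding because it never matched.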
Your Environment
- CRS version (e.g., v3.2.0): v3.3.2
- Paranoia level setting: PL1
- ModSecurity version (e.g., 2.9.3): v3.0
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.