From e20785b8a7e7e12fe4990673d0ed5c5892200048 Mon Sep 17 00:00:00 2001
From: dune73
Date: Wed, 10 Aug 2022 18:08:53 +0200
Subject: [PATCH 1/4] Adding rule 921210 and rule 921220
---
rules/REQUEST-921-PROTOCOL-ATTACK.conf | 82 ++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 3c03c2859..f7bb856a5 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -350,6 +350,48 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
 setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter
+# parser is ignoring additional characters in a parameter array name after the
+# closing of the array.
+# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has
+# been closed or inbetween the square brackets in multidimensional arrays.
+# Please note that rule 921120 allows for 2-dimensional, but not for higher dimensional
+# arrays. If these are flagged as attacks, a rule exclusion will have to be
+# deployed; ideally for the parameter(s) in question.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, findings Z05OZUCH.
+#
+# [ Payloads ]
+# * foo[1]a=bar&foo[1]b= - parameter parsers often cut after the closing of
+# the array. 921180 PL3 takes the full name, though.
+# This impediance mismatch allows for bypasses.
+# * foo[1]x[1]=bar&foo[1]x[2]= - extension of 1; this has the advantage that
+# the parameter name does end with "]" just like a valid array notation.
+#
+SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
+ "id:921210,\
+ phase:2,\
+ pass,\
+ log,\
+ msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ tag:'paranoia-level/3',\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
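Review bot: The `logdata` of rule 921210 expands `%{TX.0}`, but the action list (id, phase, pass, log, msg, logdata, tags, ver, severity, setvar) contains no `capture`, and without it an `@rx` match does not populate the TX.0–TX.9 capture variables, so "Matched Data" will be logged empty or with a stale value left by an earlier capturing rule; add `capture,\` after `log,\`, as the other `%{TX.0}`-logging rules in this file presumably do (worth checking against them). Rule 921220 in the next hunk has the same omission. In the header comment, "rule 921120" in the sentence about 2-dimensional arrays looks like a digit transposition of 921210, since the paragraph is about the new rule; also "can by bypassed" → "can be bypassed", "inbetween" → "in between", "impediance" → "impedance". Tracing the regex, a name such as `foo[1][2][3]` does not appear to match either alternative, because a `]` followed directly by `[` or by the end of the name never satisfies `][^\]]+`, so the claim that higher-dimensional arrays are flagged may not hold; a regression stage for that input would settle it and the sentence should be adjusted accordingly.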
@@ -357,6 +399,46 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAf
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a
+# weak backend parameter parser ignores parameter array alltogether at
+# cuts parameter names at the first occurrence of the "[" character.
+# The rule 921220 PL4 prevents this by disallowing parameter array names.
+#
+# If an application needs parameter array names, then this rule should be
+# disabled, ideally by issueing a rule exclusion for the parameter names
+# that need it.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, finding 5UXE4RK0.
+#
+# [ Payloads ]
+# * foo[1]=bar&foo[2]=
+# * foo=bar&foo[1]=
+# * foo[1]=bar&foo[1]acb]= - this is an edge case that 921210 PL3 is not
+# able to catch since the parameter name ends with "]".
+#
+SecRule ARGS_NAMES "@rx \[" \
+ "id:921220,\
+ phase:2,\
+ pass,\
+ log,\
+ msg:'HTTP Parameter Pollution possible via array notation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'capec/1000/152/137/15/460',\
+ tag:'paranoia-level/4',\
+ ver:'OWASP_CRS/4.0.0-rc1',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
 #
From 1d5c3a153d93b21d23e99ddb2fe785ae9f1f2b2c Mon Sep 17 00:00:00 2001
From: dune73
Date: Wed, 10 Aug 2022 22:39:36 +0200
Subject: [PATCH 2/4] Tests for 921210
---
.../REQUEST-921-PROTOCOL-ATTACK/921210.yaml | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
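Review bot: Rule 921220 is tagged `paranoia-level/4` and sits in the PL4 section behind the `@lt 4` skipAfter guards, yet its final action adds to `tx.inbound_anomaly_score_pl3`, the same per-level bucket the PL3 rule 921210 uses. If the per-level counters follow the pl-suffix naming visible here, the intended line is `setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"`; as written, a PL4 hit would be reported as PL3 score. The header comment also needs "can by bypassed" → "can be bypassed", "ignores parameter array alltogether at cuts" → "ignores parameter arrays altogether and cuts", and "issueing" → "issuing".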
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
new file mode 100644
index 000000000..42f0a4a4c
--- /dev/null
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
@@ -0,0 +1,49 @@
+---
+meta:
+ author: "Christian Folini (dune73)"
+ description: "HTTP Parameter Polution"
+ enabled: true
+ name: 921210.yaml
+tests:
+ - test_title: 921210-1
+ desc: "HTTP Parameter Pollution via bogus chars after parameter array name"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP ModSecurity Core Rule Set"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: "/?foo[1]a=bar&foo[1]b="
+ output:
+ log_contains: id "921210"
+ - test_title: 921210-2
+ desc: "HTTP Parameter Pollution via bogus chars between square brackets of multi-dimensional array name"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP ModSecurity Core Rule Set"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: "/?foo[1]a[2]=bar"
+ output:
+ log_contains: id "921210"
+ - test_title: 921210-3
+ desc: "HTTP Parameter Pollution false positive test"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP ModSecurity Core Rule Set"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: "/?foo[1][2]=bar"
+ output:
+ no_log_contains: id "921210"
From 1e8bb091c4c106720e180dc23f1458bd52a4984b Mon Sep 17 00:00:00 2001
From: dune73
Date: Wed, 10 Aug 2022 22:40:21 +0200
Subject: [PATCH 3/4] typo
---
tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
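Review bot: The only negative stage, 921210-3, exercises a two-dimensional name (`/?foo[1][2]=bar`); the legitimate shapes a parser sees most often, a one-dimensional `/?foo[1]=bar` and a plain `/?foo=bar`, are never asserted as non-matching, so a later regex change that starts flagging them would still pass this file. Two further `no_log_contains: id "921210"` stages mirroring 921210-3 with those URIs would pin that down, and a positive stage for the second payload listed in the rule's header comment, `/?foo[1]x[1]=bar&foo[1]x[2]=`, would tie the tests to the documented cases. 921220.yaml in the last hunk has the mirror-image gap: it carries only the positive `/?foo[1]=bar` case and no stage showing that a name without `[` is left alone.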
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
index 42f0a4a4c..f702e2395 100644
--- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921210.yaml
@@ -1,7 +1,7 @@
 ---
 meta:
 author: "Christian Folini (dune73)"
- description: "HTTP Parameter Polution"
+ description: "HTTP Parameter Pollution"
 enabled: true
 name: 921210.yaml
 tests:
From 439754e54fc230c664c65a38511d3b75adfa1603 Mon Sep 17 00:00:00 2001
From: dune73
Date: Wed, 10 Aug 2022 22:42:00 +0200
Subject: [PATCH 4/4] Tests for 921220
---
.../REQUEST-921-PROTOCOL-ATTACK/921220.yaml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
new file mode 100644
index 000000000..d856292f1
--- /dev/null
+++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921220.yaml
@@ -0,0 +1,21 @@
+---
+meta:
+ author: "Christian Folini (dune73)"
+ description: "HTTP Parameter Pollution"
+ enabled: true
+ name: 921220.yaml
+tests:
+ - test_title: 921220-1
+ desc: "Potential HTTP Parameter Pollution via parameter array"
+ stages:
+ - stage:
+ input:
+ dest_addr: "127.0.0.1"
+ headers:
+ Host: "localhost"
+ User-Agent: "OWASP ModSecurity Core Rule Set"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ port: 80
+ uri: "/?foo[1]=bar"
+ output:
+ log_contains: id "921220"