fix: Added t:urlDecodeUni for REQUEST_URI / REQUEST_BASENAME checks in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) #3411
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thank you for your review, @theMiddleBlue. |
|
Note, that you can find a script here which helps to find the affected rules. This script iterates through rules and print the rule's id if the rule:
We should inspect all identified rules, because not all of them are affected. Eg. 920200 is not affected because the second rule uses a negated condition. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The problem
This applies to variables for
REQUEST_URI,REQUEST_BASENAMEandREQUEST_FILENAME.ModSec3 does an implicit URL decoding on phase 1 and the same on phase 2.
ModSec2 does no implicit URL decoding on phase 1, but it does it on phase 2.
This allows an attacker to URL encode a URI and bypass detection on phase 1 rules on ModSec2.
Example: 920440 PL1 should detect this:
/dump%2Erdbas an encoded version ofdump.rdb.However it fails do to so in the v4 dev tree.
It used to work up to CRS v3.3, because rule 920440 used to run in phase 2, but when we introduced early blocking for CRS v4, we shifted 920440 and several other rules from phase 2 to phase 1 and the implicit decoding of the payload (see above) was removed for ModSec 2 and we no longer detected the attack.
Unfortunately, this behavior difference did not surface, since we apparently did not have any test for URL encoded payloads where it mattered.
The Solution
This is a behavior difference that would ideally be fixed in the engine, but it is not quite clear what the right behavior would be given the difference between ModSec2 and ModSec3 and chances are waiting for a fix could delay CRS v4.
So this PR adds the
t:urlDecodeUnitransformation to the rules inspectingREQUEST_URIandREQUEST_BASENAMEin phase 1. None of the rules targettingREQUEST_FILENAMEis affected, though.Implementation
I added the
t:urlDecodeUnitransformation following other rules where this is already done. For the 4 rules affected, I also did a new test with an encoded payload that is now detected on ModSec2.When thinking about URL encoding, namely of the URI, it makes sense to also look into 920220, which I cover in a separate PR (#3410). This rule looks for invalid URL encoding. The rule is working on
REQUEST_URI, but think this is wrong. The PR mentioned shifts the target toREQUEST_URI_RAW.Once CRSv4 is out, we may want to look into getting the engines in sync again and looking into systematic coverage of these encoding issues while also addressing double-encoding (an area where we have spotty coverage now).
But for the time being, I think this has got us covered for CRS v4.
I'm adding the
do not mergelabel, so we can discuss this or alternative approaches to this problem in the next CRS chat.List of rules carrying any of the targets named