Stephen Craig Evans | 1 Jul 2008 04:08

Re: How to save value of a query string parameter then use it in Phase 4?

Hi Christian,

> Stephen, I think this mailinglist would profit, if you would
> comment a bit on your project. How are you getting along?

I'm doing an OWASP Summer of Code project which is using ModSecurity
(2.5) to mitigate as many of the vulnerabilities as possible in
WebGoat (5.2).

Being overloaded by my day job caused me to get a very late start, but I've
been working furiously on the project and aim to reach 50% by the end
of next week (Fri July 11). For those interested, check at that date
from here:
https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
for project progress and details (there is nothing posted now).

To reach the 50% milestone, I'm aiming to mitigate 50% of the
vulnerabilities (which means preventing the WebGoat lessons from being
solved) that are the low-hanging fruit. Both ModSecurity & WebGoat
were new to me, so it's taken a while to get up to speed on those,
learn a cool ruleset-making tool called Remo (!), and install all of
that and install/configure other bits such as Apache and Tomcat (on
Kubuntu 7.10).

For the 2nd half:
- deploy ModSecurity as a reverse proxy (now I'm using it in embedded mode)
- mitigate as many as the rest of the vulnerabilities as possible; I'm
looking forward to the juicy stuff like business logic flaws and
hopefully some LUA programming


Colly Murray | 1 Jul 2008 11:56

Cannot locate special.mk file

Hi there

 

I'm getting an error when I execute "make" in /modsecurity-apache_2.1.7/apache2:

Makefile:40: /usr/local/apache2/build/special.mk: No such file or directory

The special.mk doesn't exist in that directory...

The files that are in /usr/local/apache2/build/ are: apr_rules.mk  libtool  make_exports.awk
make_var_export.awk  mkdir.sh

When I do a locate special.mk - it turns up nothing... Cannot proceed!
Help

I'm using httpd 2.2.3 on RHEL5.1 (Tikanga)

Here are some lines from the Makefile:

top_dir      = /usr/local/apache2

top_srcdir   = ${top_dir}
top_builddir = ${top_dir}

include ${top_builddir}/build/special.mk

APXS      = apxs
APACHECTL = apachectl

INCLUDES = -I /usr/lib/libxml2
#INCLUDES = -I /usr/include/libxml2 -I /path/to/httpd-x.y/srclib/pcre
DEFS = -DWITH_LIBXML2
#DEFS = -DWITH_LIBXML2 -DNO_MODSEC_API
#LIBS = -Lmy/lib/dir -lmylib

CFLAGS = -O2 -g -Wuninitialized -Wall -Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value -Wchar-subscripts -Wsign-compare

all: local-shared-build

clean:
        -rm -f *.o *.lo *.slo *.la *~ .libs

 

Thanks in advance


This message has been scanned for content and viruses by the DIT Information Services E-Mail Scanning Service, and is believed to be clean. http://www.dit.ie
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Kamil.Golombek | 1 Jul 2008 16:28

args ignored in POST - filter question

Hi,
I have modsecurity 2.2.5 with apache 2.2.3 in a reverse proxy setup. I
can create rules for arguments passed directly in the URL but my rules are
not triggered by arguments sent by POST.

The following rules work well for a URL in the format
https://server.com/path_to_file/file.with.dots sent by GET/POST methods
with an argument, i.e.
https://server.com/path_to_file/file.with.dots?lng=foo.
But once I send the argument in the body of the request, it is not detected on
the server. I tried to play with phase:1, phase:2 in the rules but it gave the
same result. I tried also REQUEST_BODY without success. It seems my
proxy ignores the body of the request. What am I doing wrong?

Thanks

Kamil

My config:
----------------
ProxyRequests Off

<Proxy *>
       Order deny,allow
        Allow from all
</Proxy>

ProxyPreserveHost on
ProxyPass        /path123/  http://127.0.0.3:8080/path123/

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimit 131072

SecDefaultAction "phase:2,log,auditlog,deny,status:500"

SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
        "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
SecRule ARGS_NAMES "!^(call|page|session)$"

SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
        "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments ARGS_NAMES=%{ARGS_NAMES}'"
SecRule ARGS:lng "!^(cz|en)$"

Christian Bockermann | 1 Jul 2008 16:32

Re: args ignored in POST - filter question

Hi Kamil!

Did you enable the SecRequestBodyAccess property?
You should have a statement like:

	SecRequestBodyAccess On

in your rule-file.

Regards,
    Chris


Stephen Craig Evans | 1 Jul 2008 18:01

Re: args ignored in POST - filter question

Hi Kamil,

The best way to solve your problem is to enable debugging, crank it up
to top level:
SecDebugLog /etc/modsecurity/logs/modsec_debug.log
SecDebugLogLevel 9

Go to the page that's causing the problem.
Restart Apache.
Clear your browser cache; reload the page.
Examine the debug file. It won't be very big. You'll see exactly
what's going on.

Whenever debugging, it's best to have only the minimal amount in the
debug file as it can get large quickly. In Linux, just erase the debug
log file ('rm -f ...') and create a new blank one ('touch ...'), then
restart Apache and reproduce the problem.

Stephen

Brian Rectanus | 1 Jul 2008 18:08

Re: Cannot locate special.mk file

Hi,

It should be in the build dir.  You can locate the build dir via an apxs
query such as:

$ apxs -q INSTALLBUILDDIR
/usr/share/apache2/build

Perhaps you do not have the apache2-devel package installed?  You will
also need the -devel packages for APR, APR-Util, PCRE, etc.

-B

-- 
Brian Rectanus
Breach Security

Ivan Ristic | 1 Jul 2008 18:18

Re: Cannot locate special.mk file

Do you have a good reason for using 2.1.7 instead of the latest 2.5.5?

-- 
Ivan Ristic

Stephen Craig Evans | 2 Jul 2008 05:24

the @pm operator in modsecurity_crs_40_generic_attacks.conf

Hi,

Is there any way to get the @pm operator to match only whole words?

I am using the Command Injection rule in
modsecurity_crs_40_generic_attacks.conf and it seems there should be a
better way.
SecRule ARGS "@pm ping id rm ..." "t:htmlEntityDecode,t:lowercase..." matches:

Content-Type: application/x-www-form-urlencoded
Name=Sid
Destination=shipping

Or am I doing something wrong? The reference manual
(modsecurity2-apache-reference.pdf) implies that it's a word match.

TIA (Thanks In Advance),
Stephen

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
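An added example, not code from the post or from the ModSecurity/CRS sources, showing why the rule above fires on that body: @pm is a set-based (Aho-Corasick) substring match over each ARGS value after the transformations, with no word boundaries, so "id" is found inside "Sid" and "ping" inside "shipping". The script contrasts that with a word-bounded regex match. The phrase list is the three words visible in the quoted rule (its trailing "..." is not expanded), and the sample body is the urlencoded form quoted in the post.

```python
import re
from urllib.parse import parse_qsl

# Phrase list: the three words visible in the rule quoted in the post;
# the rule's trailing "..." is not expanded here.
PHRASES = ["ping", "id", "rm"]

# Constructed sample body: the urlencoded form from the post.
SAMPLE_BODY = "Name=Sid&Destination=shipping"


def parse_form(body):
    """Split a urlencoded body into (name, value) pairs, i.e. the ARGS collection."""
    return parse_qsl(body, keep_blank_values=True)


def pm_substring_matches(value, phrases):
    """Mimic @pm after t:lowercase: a phrase hits if it occurs anywhere in the value."""
    lowered = value.lower()
    return [p for p in phrases if p.lower() in lowered]


def whole_word_matches(value, phrases):
    """Word-bounded alternative, what an @rx rule wrapping each phrase in \\b would do."""
    return [p for p in phrases
            if re.search(r"\b" + re.escape(p) + r"\b", value, re.IGNORECASE)]


def scan_args(body, phrases, matcher):
    """Apply a matcher to every argument value, as 'SecRule ARGS' does.
    Returns {arg_name: [phrases that hit]} for arguments with at least one hit."""
    result = {}
    for name, value in parse_form(body):
        hits = matcher(value, phrases)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    print("@pm-style :", scan_args(SAMPLE_BODY, PHRASES, pm_substring_matches))
    print("whole-word:", scan_args(SAMPLE_BODY, PHRASES, whole_word_matches))
```

Run stand-alone it reports {'Name': ['id'], 'Destination': ['ping']} for the @pm-style pass and {} for the word-bounded pass, which is the false positive the post describes. The \b regex only illustrates the difference in matching semantics; it is not a drop-in replacement for the CRS rule, since \b also treats characters such as "." and "/" as boundaries and the rule's transformation chain still has to be applied first.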
Rashmi Badan | 2 Jul 2008 06:18

testing the ASCIIZ vulnerability test

Hi,

I'm trying to test the fix for this vulnerability in a mod_security version < 2.1 - basically I am trying a before and after test as mentioned here - http://www.php-security.org/MOPB/BONUS-12-2007.html  but do not see any 'XSS attack' related message in the error log. Are there any specific mod_security directives that need to be configured to trigger this error ?

Would appreciate any inputs on this.

Thanks,
Rashmi

Kamil.Golombek | 2 Jul 2008 11:38

Re: args ignored in POST - filter question

Hi Stephen,

I tried debug level 9 before I wrote the question, but I found
nothing suspicious in the logs. I tried to google today and found a log
that contains the following lines:

Adding request argument (BODY): name "FirstName", value "asdfasfd"
[/index.php/contact.process/]
Adding request argument (BODY): name "LastName", value

My log contains only lines of type 

Adding request argument (QUERY_STRING): name "Cmd" ...

The problem is probably that it does not read the body part of the
request. I have the line 'SecRequestBodyAccess On' in my config file
(Christian's remark), and I tried to experiment with the phases,
but without success. Maybe the problem is in another part of my Apache
settings. Can you send me your minimal config that works with arguments
sent in a POST body?

Thank you

Kamil


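An added example, not from the thread, for the debugging procedure Stephen describes and the log lines Kamil quotes above: it reads the "Adding request argument" lines a SecDebugLogLevel 9 log writes, groups them by source, and for a POST reports whether body arguments reached ARGS. The sample log excerpt is constructed to match the two line shapes quoted in the thread. The Content-Type check encodes the default ModSecurity 2.x behaviour that only application/x-www-form-urlencoded and multipart/form-data bodies are parsed into ARGS unless a rule selects another body processor; the diagnose_post function and its verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the SecDebugLogLevel 9 lines quoted in
# the thread; not a real capture.
SAMPLE_DEBUG_LOG = """\
Adding request argument (QUERY_STRING): name "Cmd", value "list"
Adding request argument (QUERY_STRING): name "lng", value "foo"
Adding request argument (BODY): name "FirstName", value "asdfasfd"
Adding request argument (BODY): name "LastName", value "Smith"
"""

ARG_LINE = re.compile(
    r'Adding request argument \((?P<src>[A-Z_]+)\): '
    r'name "(?P<name>[^"]*)", value "(?P<value>[^"]*)"'
)

# Media types ModSecurity 2.x parses into ARGS by default; any other body type
# needs a body processor selected by a rule (ctl:requestBodyProcessor).
DEFAULT_FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")


def collect_args(log_text):
    """Group every 'Adding request argument' line by its source (QUERY_STRING or BODY)."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        m = ARG_LINE.search(line)
        if m:
            by_source[m.group("src")].append((m.group("name"), m.group("value")))
    return dict(by_source)


def diagnose_post(log_text, content_type):
    """Verdict for one POST transaction: did body arguments reach ARGS and, if not,
    which of the two usual causes to check first. Verdict strings are this example's own."""
    args = collect_args(log_text)
    if args.get("BODY"):
        return "ok: %d body argument(s) reached ARGS" % len(args["BODY"])
    # Strip parameters such as "; charset=UTF-8" before comparing the media type.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in DEFAULT_FORM_TYPES:
        return "body not parsed: no default body processor for " + media_type
    return ("body not parsed: check that SecRequestBodyAccess On is in effect "
            "for the virtual host/location that handles this request")


if __name__ == "__main__":
    for src, pairs in collect_args(SAMPLE_DEBUG_LOG).items():
        print(src, pairs)
    print(diagnose_post(SAMPLE_DEBUG_LOG, "application/x-www-form-urlencoded"))
```

Point it at the debug log produced after clearing the file and reproducing one POST, as Stephen suggests, so the excerpt holds a single transaction; a log that shows only QUERY_STRING lines for a form POST is exactly the symptom Kamil reports, and the verdict narrows it to the request's media type or to the configuration context in which SecRequestBodyAccess is set.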
