SanitiseArgs not working with JSON payload #715

Open
zimmerle opened this Issue May 6, 2014 · 10 comments

Owner

zimmerle commented May 6, 2014

Reported by: Bruno Savioli de Almeida.
http://sourceforge.net/p/mod-security/mailman/message/32281341/

ModSecurity version 2.8.0

Rule:

SecAction "phase:5,id:'6660666',t:none,pass,nolog,sanitiseArg:cardNumber,sanitiseArg:cardToken"

audit log:

[29/Apr/2014:12:19:54 +0100] U1@K2goFLh4AAHIFMqAAAAAS 10.5.12.18 43609 10.5.46.31 443
--72235b1e-B--
POST /psp/save HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: payments
Content-Type: application/json;charset=UTF-8
Accept: application/json
Content-Length: 114

--72235b1e-C--
{"cardToken":"aaaaaaaaaaaaaaaaaaaaaaaaaa1111111111111111111111aaaaaaaaaaaaaaaaaa","cardNumber":"1000000000000001"}
--72235b1e-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json
Via: 1.1 payments
Content-Length: 78
Connection: close

--72235b1e-E--
{"message":"Please check your input and try again.","error":"Invalid Details"}
--72235b1e-H--
Apache-Handler: proxy-server
Stopwatch: 1398770394130647 22955 (- - -)
Stopwatch2: 1398770394130647 22955; combined=2733, p1=266, p2=2062, p3=9, p4=355, p5=40, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Sanitised-Args: "cardNumber", "cardToken".
Engine-Mode: "DETECTION_ONLY"

A similar request using application/x-www-form-urlencoded works as expected.

@zimmerle zimmerle added this to the v2.8.1-RC1 milestone May 6, 2014

@zimmerle zimmerle self-assigned this May 6, 2014

@zimmerle zimmerle removed this from the v2.8.1-RC1 milestone Nov 14, 2014

ccaau commented Dec 4, 2015

Hi @zimmerle, I seem to have the same issue as described above with nginx/modsec 2.9.0. Do you know if anyone has resolved this, either by a patch or by config?

thanks,
C

zimmerle commented Dec 7, 2015

Hi @ccaau,

There was no patch to fix this issue yet. Currently we are working on libmodsecurity + Nginx connector. Marking this issue to be resolved as part of "libmodsecurity" release.

ccaau commented Dec 7, 2015

Thanks @zimmerle

Can you please confirm that there is currently no support to sanitise the REQUEST_BODY audit log section when the payload is JSON? For example, we can't use an arbitrary regex over the payload.

thanks,
C

zimmerle commented Dec 9, 2015

Hi @ccaau,

I can confirm that this functionality is not really working as expected. There is a bug/missing feature there that should be investigated. Most likely it will be ready for ModSecurity version 3. The problem is that section C of the audit log [1] is not being sanitised when the request body is JSON.

[1] https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#request-body-c

ccaau commented Dec 10, 2015

Hi @zimmerle,

thanks very much for the clarification!

Just for anyone else: we're selectively not logging the C part using ctl:auditLogParts=-CI, based on the URI.

Regards,
C
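To make the workaround above concrete, here is an added example of ModSecurity 2.x configuration (written for this page, not taken from the issue thread or from the ModSecurity project) that puts the reporter's sanitiseArg rule next to the ctl:auditLogParts workaround ccaau describes. The rule ids 200001 and 6660667 and the scoping of the workaround to the /psp/save path seen in the reporter's audit log are assumptions; adjust them to your own rule set and endpoints.

```apache
# Added example, not project code. Rule ids and the /psp/save path are assumptions.

# 1. Parse JSON bodies into ARGS at all. Without a JSON body processor the keys
#    never become ARGS:cardNumber / ARGS:cardToken. This is the usual enabling
#    rule for JSON and is assumed to be present in the deployment.
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# 2. The reporter's rule. For application/x-www-form-urlencoded bodies this masks
#    the two values in part C of the audit log. For JSON bodies (the bug in this
#    thread) part C is still written unmasked, even though part H lists both names
#    under "Sanitised-Args".
SecAction "phase:5,id:6660666,t:none,pass,nolog,sanitiseArg:cardNumber,sanitiseArg:cardToken"

# 3. Workaround from this thread: for the endpoint that receives card data, do not
#    write the request-body parts at all (C, and I, the multipart form of C).
#    The remaining parts (A, B, F, H, ...) are still logged for that request.
SecRule REQUEST_URI "@beginsWith /psp/save" \
    "id:6660667,phase:1,t:none,pass,nolog,ctl:auditLogParts=-CI"
```

Keep the URI match as narrow as possible: dropping part C removes the request body from the audit log for every request that hits the rule, including bodies you may later want for incident analysis. After deploying, send a test JSON request to the endpoint and confirm that the resulting audit entry contains no `--<id>-C--` section, since the `Sanitised-Args` line in part H is not evidence that the body was actually masked.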

Hey guys,

Was this issue resolved? Facing the same issue here.

zimmerle commented Oct 10, 2016

Hi @mohakkataria, the issue is open.

x3rus commented Dec 14, 2016

Hi folks,

This issue was opened a long time ago. I understand it's not an easy fix, but do you have any idea when it will be resolved?

@zimmerle, you said it would be ready in version 3; does this release include the fix?

Thanks again for all your work, very nice job!

zimmerle commented Dec 16, 2016

Hi @x3rus, SanitiseArgs is not yet implemented in v3.

Hey,

is there any estimate of when sanitising of JSON will be implemented? As the initial post implies, this is also of PCI relevance...

Thanks for all you are doing here!
