False Positive 920300 - "Request Missing an Accept Header" #1006

Closed
abramz opened this issue Feb 2, 2018 · 2 comments

@abramz commented Feb 2, 2018

I am using the OWASP 3.0 ruleset that Azure Application Gateways use.
I made this request from my browser and the user agent provided is valid as far as I know.
The request has a valid accept field as well.

macOS 10.13.3
Chrome 63.0.3239.132

Request:

```
POST /api/graphql HTTP/1.1
Connection: keep-alive
Content-Length: 1004
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: application/json
DNT: 1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
```

Response:

```
HTTP/1.1 403 ModSecurity Action
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Fri, 02 Feb 2018 21:56:08 GMT
Content-Length: 1233
```

This is what I get from the application gateway logs:

```json
{
	"operationName": "ApplicationGatewayFirewall",
	"time": "2018-02-02T21:30:01Z",
	"category": "ApplicationGatewayFirewallLog",
	"properties": {
		"instanceId": "ApplicationGatewayRole_IN_2",
		"clientIp": "167.220.0.136",
		"clientPort": "0",
		"requestUri": "/",
		"ruleSetType": "OWASP",
		"ruleSetVersion": "3.0",
		"ruleId": "920300",
		"message": "Request Missing an Accept Header",
		"action": "Blocked",
		"site": "Global",
		"details": {
			"message": "Warning. Match of \"pm AppleWebKit Android\" against \"REQUEST_HEADERS:User-Agent\" required.",
			"data": "",
			"file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
			"line": "1247"
		},
		"hostname": "6956493e-52c7-4202-8635-f4b71d7515d1.cloudapp.net"
	}
}
```
@abramz changed the title from False Positive 920300 - Request Missing an Accept Header to False Positive 920300 - "Request Missing an Accept Header" Feb 2, 2018

@spartantri (Collaborator) commented Feb 6, 2018

That's strange. Rule 920300 in 3.0 checks first that the Accept header is not present and also that your user-agent does not contain AppleWebKit, and your example should not match any of those conditions. Can you confirm the example request matches the log event?

@abramz (Author) commented Feb 7, 2018

@spartantri I went back through the rules we are hitting and I could not repro this one.

@abramz closed this Feb 7, 2018
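
The confirmation asked for in the thread (does the quoted request match the logged event?) can be scripted. The Python below is an added example, not part of the original thread or of the CRS project; it models only the two conditions of rule 920300 named in this thread (Accept header absent, User-Agent not containing the `@pm` phrases `AppleWebKit` or `Android`), and the curl-style request is constructed for contrast.

```python
# Added example: models only the two rule 920300 conditions named in this thread.
PM_PHRASES = ("AppleWebKit", "Android")  # phrases from the @pm match in the log

# Trimmed copy of the request quoted in the issue.
RAW_REQUEST = """POST /api/graphql HTTP/1.1
Accept: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: application/json
"""

# Constructed request (not from the issue) that does satisfy both conditions.
CONSTRUCTED_REQUEST = """GET / HTTP/1.1
Host: waf.example.test
User-Agent: curl/7.58.0
"""

# Fields copied from the log entry quoted in the issue.
LOG_EVENT = {"properties": {"requestUri": "/", "ruleId": "920300"}}

def parse_request(raw):
    """Return (method, uri, headers) with lower-cased header names."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def would_trigger_920300(headers):
    """True only if Accept is absent and the User-Agent has no @pm phrase."""
    accept_missing = "accept" not in headers
    ua = headers.get("user-agent", "").lower()
    ua_exempt = any(p.lower() in ua for p in PM_PHRASES)  # @pm is case-insensitive
    return accept_missing and not ua_exempt

def correlate(raw, event):
    """List the reasons this request cannot be the one the log event describes."""
    _method, uri, headers = parse_request(raw)
    props = event["properties"]
    reasons = []
    if uri != props["requestUri"]:
        reasons.append(f"URI mismatch: request {uri!r}, log {props['requestUri']!r}")
    if props["ruleId"] == "920300" and not would_trigger_920300(headers):
        reasons.append("request would not trigger 920300")
    return reasons

if __name__ == "__main__":
    print(correlate(RAW_REQUEST, LOG_EVENT))
```

An empty list from `correlate` means the request is consistent with the event on the fields checked; any entries indicate the log line belongs to a different request.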