Skip to content
This repository has been archived by the owner on May 14, 2020. It is now read-only.

False-positive in rule #958291: Browsers may send "Range: 0-" headers. #173

Closed
arlimus opened this issue Mar 19, 2014 · 4 comments
Closed

False-positive in rule #958291: Browsers may send "Range: 0-" headers. #173

arlimus opened this issue Mar 19, 2014 · 4 comments

Comments

@arlimus
Copy link

arlimus commented Mar 19, 2014

The current implementation states that "Range Header exists and begins with 0 - normal browsers don't do this." (modsecurity_crs_20_protocol_violations.conf). This behavior can now be seen in both Firefox (tested with 26.0 and 27.0) and Chromium (tested with 33.0.1750.149). It only happens when requesting continuous content which requires loading, e.g. a video.

An example to reproduce: Go to http://www.videojs.com/, open development tools in Firefox/Chromium, go to network, klick on the video on the website and watch the requests for the video stream.

The request header for Chromium:

GET /v/oceans.mp4 HTTP/1.1
Host: vjs.zencdn.net
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.149 Safari/537.36
Accept: */*
Referer: http://www.videojs.com/
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Range: bytes=0-

Similarly for Firefox:

GET /v/oceans.mp4 HTTP/1.1
Host: vjs.zencdn.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Range: bytes=0-
Referer: http://www.videojs.com/
Connection: keep-alive

Solutions are to either remove this rule (https://github.com/arlimus/owasp-modsecurity-crs/tree/http-range-ruleset) or try to narrow it down and identify all cases where this is allowed to happen and specify them in the ruleset (better and cleaner solution, but more error-prone).
@lifeforms
Copy link
Contributor

The Chrome PDF viewer plugin also routinely sends this header.

@MasonM
Copy link

MasonM commented Mar 25, 2014

I'm also seeing a whole lot of false positives with this rule, both from Firefox and Facebook. Example request that triggered it:

GET /content_assets/volumes/124/1/124-1-cover.jpg HTTP/1.1
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Accept: */*
Accept-Encoding: deflate, gzip
Range: bytes=0-5242879
Host: static.jci.org
Connection: keep-alive

MasonM added a commit to theasci/owasp-modsecurity-crs that referenced this issue Mar 25, 2014
@MasonM
Remove OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ because of false pos…
c8230c4 
…itives (see SpiderLabs#173)
@rcbarnett-zz
Copy link
Contributor

Thanks for the false positive feedback. I have removed this rule entirely for the upcoming v3.0.0 release.

@arlimus
Copy link
Author

arlimus commented Apr 3, 2014

@rcbarnett Awesome, thank you!

@CRS-migration-bot CRS-migration-bot mentioned this issue May 13, 2020
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rcbarnett-zz @MasonM @arlimus @lifeforms