XML Soap Encoding 920240 #1286

Open
wants to merge 3 commits into
base: v3.2/dev
from

3 participants
emphazer (Collaborator) commented Jan 14, 2019

% characters should always be allowed.

https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

[14/Jan/2019:14:16:07 +0100] XDyLlwVeGKmHjNcA7bxy1wAAAww 127.0.0.1 58782 127.0.0.1 443
--0bd85403-B--
POST /?wsdl HTTP/1.1
Host: localhost
User-Agent: curl/7.63.0
Accept: */*
Content-Type: text/xml;charset=UTF-8
SOAPAAction: "daten"
Content-Length: 761

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://de.webservice/xsd" xmlns:ns1="http://de.webservice" xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <SOAP-ENV:Header />
   <ns2:Body>
      <ns1:anfrage>
         <ns1:parameter>
            <ns0:bearbeiter>
               <ns0:anwenderkennwort>%asdf</ns0:anwenderkennwort>
               <ns0:anwendername>adminasdf</ns0:anwendername>
               <ns0:wskennwort>7Aasdf%</ns0:wskennwort>
            </ns0:bearbeiter>
            <ns0:parameter>
               <ns0:anfrageparameter1>PXB_HRGE_1</ns0:anfrageparameter1>
               <ns0:anfrageparameter2>MHZasdfb</ns0:anfrageparameter2>
               <ns0:anfragetyp>AUTH</ns0:anfragetyp>
            </ns0:parameter>
         </ns1:parameter>
      </ns1:anfrage>
   </ns2:Body>
</SOAP-ENV:Envelope>
Message: Warning. Invalid URL Encoding: Non-hexadecimal digits used at XML. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "450"] [id "920240"] [msg "URL Encoding Abuse Attack Attempt"] [data "%asdfadminasdf7Aasdf%PXB_HRGE_1MHZasdfbAUTH"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
spartantri (Collaborator) left a comment

This can cause a filter bypass by simply adding the SOAPAction header; verify at least that this is valid XML, or remove XML and write an XML-specific rule.
There is no need to escape %.
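
What the rule is doing to the request quoted above, and the bypass spartantri points at, as an added example in Python that is not code from the CRS project or from this PR. Assumptions: the hex-pair walk is modelled on ModSecurity's @validateUrlEncoding operator; the concatenation of element text approximates what XML:/* exposed as the [data] value in the audit log; the content-type dispatch is a simplification of the chained rule; the form-encoded body is constructed; and the three rule_* variants are illustrations of the current behaviour, of exempting text/xml outright, and of the reviewer's "check that it is valid XML" suggestion, not the PR's commits.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

HEX = set("0123456789abcdefABCDEF")

# The SOAP request body from the audit log quoted in the issue, copied here so
# the example runs offline.
SOAP_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns0="http://de.webservice/xsd" xmlns:ns1="http://de.webservice" xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header />
  <ns2:Body>
    <ns1:anfrage>
      <ns1:parameter>
        <ns0:bearbeiter>
          <ns0:anwenderkennwort>%asdf</ns0:anwenderkennwort>
          <ns0:anwendername>adminasdf</ns0:anwendername>
          <ns0:wskennwort>7Aasdf%</ns0:wskennwort>
        </ns0:bearbeiter>
        <ns0:parameter>
          <ns0:anfrageparameter1>PXB_HRGE_1</ns0:anfrageparameter1>
          <ns0:anfrageparameter2>MHZasdfb</ns0:anfrageparameter2>
          <ns0:anfragetyp>AUTH</ns0:anfragetyp>
        </ns0:parameter>
      </ns1:parameter>
    </ns1:anfrage>
  </ns2:Body>
</SOAP-ENV:Envelope>"""

# Constructed form-encoded body with a broken escape, the case 920240 exists for.
FORM_BODY = "user=admin&pw=%zz&page=1"


def validate_url_encoding(data: str) -> Tuple[bool, str]:
    """Hex-pair walk modelled on @validateUrlEncoding (assumption: same two
    failure classes). Every '%' must be followed by two hex digits."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != "%":
            i += 1
            continue
        if i + 2 >= n:
            return False, "Not enough characters at the end of input"
        if data[i + 1] in HEX and data[i + 2] in HEX:
            i += 3
        else:
            return False, "Non-hexadecimal digits used"
    return True, ""


def xml_text_nodes(body: str) -> Optional[str]:
    """Text of every element, surrounding whitespace stripped; approximates the
    XML:/* value seen as [data] in the log. None if the body is not well-formed."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    return "".join((el.text or "").strip() for el in root.iter())


def media_type(content_type: str) -> str:
    return content_type.split(";", 1)[0].strip().lower()


def encoding_alert(target: str, where: str) -> Optional[str]:
    """Mirror the rule's chain: only bodies containing '%' reach the validator."""
    if "%" not in target:
        return None
    ok, reason = validate_url_encoding(target)
    return None if ok else f"Invalid URL Encoding: {reason} at {where}"


def rule_current(content_type: str, body: str) -> Optional[str]:
    """Behaviour seen in the log: a text/xml body is checked through its parsed
    text nodes (hence 'at XML'), a form body through the raw body."""
    mt = media_type(content_type)
    if mt == "text/xml":
        nodes = xml_text_nodes(body)
        if nodes is not None:
            return encoding_alert(nodes, "XML")
        return encoding_alert(body, "REQUEST_BODY")
    if mt == "application/x-www-form-urlencoded":
        return encoding_alert(body, "REQUEST_BODY")
    return None


def rule_exempt_xml(content_type: str, body: str) -> Optional[str]:
    """The naive fix the reviewer warns about: no % check at all for text/xml,
    so relabelling a form body as XML skips the rule entirely."""
    if media_type(content_type) == "text/xml":
        return None
    return rule_current(content_type, body)


def rule_xml_aware(content_type: str, body: str) -> Optional[str]:
    """Reviewer's suggestion: % is fine inside well-formed XML, but a text/xml
    body that does not parse is still checked as a raw body."""
    if media_type(content_type) == "text/xml" and xml_text_nodes(body) is not None:
        return None
    return rule_current(content_type, body)


if __name__ == "__main__":
    print("current, SOAP   :", rule_current("text/xml;charset=UTF-8", SOAP_BODY))
    print("exempt,  relabel:", rule_exempt_xml("text/xml", FORM_BODY))
    print("aware,   relabel:", rule_xml_aware("text/xml", FORM_BODY))
    print("aware,   SOAP   :", rule_xml_aware("text/xml;charset=UTF-8", SOAP_BODY))
```

Running it reproduces the log's "Invalid URL Encoding: Non-hexadecimal digits used at XML" for the SOAP request under the current behaviour, shows that a blanket text/xml exemption lets `pw=%zz` through once the request is relabelled, and that gating the exemption on the body actually parsing as XML keeps the check for that case while leaving the SOAP request alone.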

@fgsch fgsch added False Positive and removed False Positive labels Jan 28, 2019

fgsch (Collaborator) commented Jan 30, 2019

What @spartantri said. Split the rule and review in which cases we want to check % (if at all) for xml.

emphazer (Collaborator, Author) commented Jan 30, 2019

The problem is that application/x-www-form-urlencoded does not get scanned at all with the XML processor, so it's useless, or we have to activate the XML processor.

In my eyes, we should remove the content-type match for text/xml.

@fgsch Normally the XML processor is triggered by this rule here:

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
emphazer (Collaborator, Author) commented Jan 30, 2019

Regression test 920240-4 fails now.

fgsch (Collaborator) commented Feb 12, 2019

@emphazer have you had a chance to look at the tests that were discussed during the last meeting?

emphazer (Collaborator, Author) commented Feb 16, 2019

@fgsch No, I was sick for the last 10 days. :-/

fgsch (Collaborator) commented Feb 18, 2019

@emphazer no worries. Let me know if I can help in any way.
