This repository has been archived by the owner. It is now read-only.

New PL3 rule 920490 to protect against content-type charset bypassing #1392

Merged
merged 14 commits into from May 9, 2019

Conversation


@dune73 dune73 commented May 5, 2019

PL3: The little known x-up-devcap-post-charset request header can be used to submit
a request with a different encoding as an alternative to the charset parameter in
the Content-Type header. This can be used to circumvent charset restrictions on
the Content-Type header.
Note that this only works in combination with a User-Agent prefix.

This rule is based on a blog post by Soroush Dalili:
https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
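As an added illustration (not the rule text from this PR or any CRS code), the following Python models the chained check that the description and the review thread describe: the trigger header name and the "up" User-Agent prefix come from the thread, while the check structure, the Content-Type comparison and the sample requests are constructed assumptions.

```python
import re
from typing import Mapping, Optional

# Added example, not the CRS rule itself: a model of the chained logic the
# thread describes for rule 920490. Only the header names and the "up"
# prefix come from the PR; the structure of the check is an assumption.
TRIGGER_HEADER = "x-up-devcap-post-charset"
# The reviewers settled on @rx for the two-character prefix; matching the
# User-Agent case-insensitively replaces the t:lowercase transformation.
UA_PREFIX = re.compile(r"^up", re.IGNORECASE)
CHARSET_PARAM = re.compile(r";\s*charset=([^;\s]+)", re.IGNORECASE)


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so compare them lowercased."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def content_type_charset(headers: Mapping[str, str]) -> Optional[str]:
    """Charset that a check inspecting only Content-Type would see."""
    ctype = get_header(headers, "Content-Type") or ""
    match = CHARSET_PARAM.search(ctype)
    return match.group(1).strip('"').lower() if match else None


def matches_920490(headers: Mapping[str, str]) -> bool:
    """True when both links of the chain match (request flagged at PL3)."""
    # First rule: the trigger header must be present. The chained rule below
    # is only evaluated when this matches, so its cost is rarely paid.
    if get_header(headers, TRIGGER_HEADER) is None:
        return False
    # Chained rule: the header only takes effect with a User-Agent prefix.
    return UA_PREFIX.match(get_header(headers, "User-Agent") or "") is not None


# Constructed sample requests (header dicts), not captured traffic.
BYPASS_ATTEMPT = {
    "User-Agent": "UP.Browser/example",  # constructed value
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "X-Up-Devcap-Post-Charset": "sample-charset",  # constructed value
}
ORDINARY = {
    "User-Agent": "Mozilla/5.0 (example)",
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
}

if __name__ == "__main__":
    for name, req in (("bypass", BYPASS_ATTEMPT), ("ordinary", ORDINARY)):
        print(name, content_type_charset(req), matches_920490(req))
```

Both sample requests carry the same Content-Type charset, so a check limited to that header treats them alike; only the chained rule separates them.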

chain"
SecRule REQUEST_HEADERS:User-Agent "@beginsWith up" \
"t:none,\
t:lowercase,\

@fgsch fgsch May 5, 2019

For 2 chars, I think using @rx would be faster than doing the lowercase transformation.


@dune73 dune73 May 6, 2019

I have updated to @rx based on your remark and my tests elsewhere.

It does not matter much, though, as this is only executed if the x-up-devcap-post-charset request header is present.


@fgsch fgsch May 6, 2019

You left the lowercase transformation though.


@dune73 dune73 May 6, 2019

How pedantic of you!


@fgsch fgsch May 6, 2019

Sowry!

@dune73 dune73 force-pushed the rule-vs-x-up-devcap-post-charset branch from d3ef252 to c542d3f May 6, 2019

@dune73 dune73 commented May 6, 2019

Travis got the hiccups for PR #1392 after merging PR #1391 (failing on the 3 new tests in 1391). Rebased my branch against v3.2/dev and force pushed to my remote branch. Now it works.


@dune73 dune73 commented May 7, 2019

@fgs: U OK with (squashing + ) merging?


@fgsch fgsch commented May 8, 2019

Remove:

setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

Otherwise looks good to me.

@dune73 dune73 merged commit b96d00f into SpiderLabs:v3.2/dev May 9, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
csanders-git pushed a commit to csanders-git/owasp-modsecurity-crs that referenced this issue May 28, 2019
…SpiderLabs#1392)

* New PL3 rule 920490 to protect against content-type charset bypassing