This repository has been archived by the owner on May 14, 2020. It is now read-only.

New PL3 rule 920490 to protect against content-type charset bypassing #1392

Merged: 14 commits, May 9, 2019

Conversation

dune73 (Contributor) commented May 5, 2019

PL3: The little-known x-up-devcap-post-charset request header can be used to submit
a request with a different encoding as an alternative to the charset parameter in
the Content-Type header. This can be used to circumvent charset restrictions on
the Content-Type header.
Note that this only works in combination with a User-Agent prefix.

This rule is based on a blog post by Soroush Dalili:
https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
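The chained check this PR adds, re-implemented in Python as an added example (not the CRS rule text and not the project's own code) so the logic can be run over sample requests. It assumes raw HTTP/1.1 request text, case-insensitive header names, and the case-insensitive `^up` User-Agent prefix test the review thread settles on; the `effective_charset` helper models the backend behaviour the PR describes (the devcap header standing in for the Content-Type charset parameter when the User-Agent prefix is present) and is an assumption, not a verified ASP.NET implementation. The sample requests are constructed.

```python
"""Detection logic of CRS rule 920490 re-implemented in Python (added example).

Assumptions (not from the PR): requests are raw HTTP/1.1 text, header names
are matched case-insensitively, and the User-Agent prefix check is the
case-insensitive regex ^up, as agreed in the review thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Case-insensitive "UP" prefix: the @rx variant the review converged on,
# which needs no t:lowercase transformation.
UA_PREFIX = re.compile(r"^up", re.IGNORECASE)
# charset parameter of a Content-Type header value, e.g. "; charset=utf-8"
CHARSET_PARAM = re.compile(r';\s*charset\s*=\s*"?([^\s;"]+)', re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def rule_920490(headers: Dict[str, List[str]]) -> Optional[str]:
    """Return a match description when the evasion pattern is present, else None.

    Mirrors the chained rule: the cheap presence test on
    x-up-devcap-post-charset runs first, and the User-Agent prefix test
    only runs when that header is present, as the PR author notes.
    """
    devcap = headers.get("x-up-devcap-post-charset")
    if not devcap:
        return None
    for ua in headers.get("user-agent", []):
        if UA_PREFIX.search(ua):
            return f"x-up-devcap-post-charset={devcap[0]} with User-Agent {ua!r}"
    return None


def effective_charset(headers: Dict[str, List[str]]) -> Optional[str]:
    """Charset the backend would honour (assumed model of the PR description).

    When the devcap header and the UP User-Agent prefix are both present the
    devcap value wins; otherwise the Content-Type charset parameter is used.
    """
    if rule_920490(headers):
        return headers["x-up-devcap-post-charset"][0].lower()
    for ct in headers.get("content-type", []):
        m = CHARSET_PARAM.search(ct)
        if m:
            return m.group(1).lower()
    return None


# Constructed sample requests (not captured traffic).
BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "Content-Length: 0\r\n\r\n"
)
EVASION = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: UP.Browser/7.2\r\n"
    "x-up-devcap-post-charset: ibm037\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same header, but without the User-Agent prefix the PR says is required.
NO_UA_PREFIX = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Up-DevCap-Post-Charset: ibm037\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "Content-Length: 0\r\n\r\n"
)


def scan(raw: str) -> Dict[str, Optional[str]]:
    """Run the rule and the charset model over one raw request."""
    _, headers = parse_request(raw)
    return {"match": rule_920490(headers), "charset": effective_charset(headers)}


if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("evasion", EVASION), ("no-ua-prefix", NO_UA_PREFIX)):
        print(name, scan(req))
```

Note the ordering inside `rule_920490`: the header presence test is the selective half of the chain, so the User-Agent regex is only evaluated on the small fraction of requests that carry the header, which is why the cost of `@rx` versus `t:lowercase` is secondary here.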

chain"
SecRule REQUEST_HEADERS:User-Agent "@beginsWith up" \
"t:none,\
t:lowercase,\
Contributor:

For 2 chars, I think using @rx would be faster than doing the lowercase transformation.

Contributor Author:

I have updated to @rx based on your remark and my tests elsewhere.

It does not matter much, though, as this is only executed if the x-up-devcap-post-charset request header is present.

Contributor:

You left the lowercase transformation though.

Contributor Author:

How pedantic of you!

Contributor:

Sowry!

dune73 force-pushed the rule-vs-x-up-devcap-post-charset branch from d3ef252 to c542d3f on May 6, 2019 14:19

dune73 (Contributor Author) commented May 6, 2019

Travis got the hiccups for PR #1392 after merging PR #1391 (failing on the 3 new tests in 1391). Rebased my branch against v3.2/dev and force pushed to my remote branch. Now it works.

dune73 (Contributor Author) commented May 7, 2019

@fgs: U OK with (squashing + ) merging?

fgsch (Contributor) commented May 8, 2019

Remove:

setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

Otherwise looks good to me.

dune73 merged commit b96d00f into SpiderLabs:v3.2/dev on May 9, 2019
csanders-git pushed a commit to csanders-git/owasp-modsecurity-crs that referenced this pull request May 28, 2019
…SpiderLabs#1392)

* New PL3 rule 920490 to protect against content-type charset bypassing