Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds support for regex in ctl key #718

Open
Tracked by #945
jcchavezs opened this issue Mar 13, 2023 · 10 comments
Open
Tracked by #945

Adds support for regex in ctl key #718

jcchavezs opened this issue Mar 13, 2023 · 10 comments
Assignees
@fzipi
Labels
v3.1
Milestone
v3.1

Comments

@jcchavezs
Copy link
Member

jcchavezs commented Mar 13, 2023
edited
Loading

Summary

From @fzipi:

This should be valid ctl syntax: ctl:ruleRemoveTargetById=123456;ARGS:/^mycookie_/

It doesn't work on ModSecurity: longstanding unfixed issues owasp-modsecurity/ModSecurity#717 and owasp-modsecurity/ModSecurity#911

Motivation

More args can be covered in the same rule rather than more declarations.
@jcchavezs jcchavezs added the v3.1 label Mar 13, 2023
@jcchavezs jcchavezs mentioned this issue Mar 13, 2023
Merged
4 tasks
@github-actions
Copy link

github-actions bot commented May 1, 2023

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label May 1, 2023
@M4tteoP M4tteoP removed the stale label May 2, 2023
@fzipi fzipi added this to the v3.1 milestone Jun 10, 2023
@Barnoux
Copy link

Barnoux commented Aug 13, 2023

Can't wait to see the feature ! I have so much trouble to deal with false positive rule when ARGS look like this :
ARGS:json.login.uris.0.uri
ARGS:json.login.uris.1.uri
ARGS:json.passwordHistory.2.password
ARGS:json.passwordHistory.1.password
ARGS:json.passwordHistory.0.password
etc...

@jcchavezs
Copy link
Member Author

jcchavezs commented Aug 13, 2023 via email

@flyingman15
Copy link

Feature will be veeeery appreciated!

@jcchavezs
Copy link
Member Author

jcchavezs commented Sep 21, 2023 via email

@flyingman15
Copy link

Awesome! I wonder if any of you guys could provide example cases so we make sure we aren't implementing an hypothetical feature but more like something you will actually use.

Hello,
In my case we are receiving a json containing a list or articles with their structure (title, body, url, etc). For each of them we would like to disable a rule only on their title for example. The numbering of arg names we see in ModSec logs seems to imply the only way to handle this would be with regex with ruleRemoveTargetById

@fzipi
Copy link
Member

fzipi commented Nov 11, 2023

Let me dig in my old conf files, because I had some actual use cases.

@Barnoux
Copy link

Barnoux commented Nov 24, 2023

@jcchavezs I can try to work on a use case with Vaultwarden, but i don't know exactly what you need.

@jcchavezs
Copy link
Member Author

We need to show actual rules that will benefit from this.

@jptosso jptosso mentioned this issue Dec 27, 2023
Open
16 tasks
@Barnoux
Copy link

Barnoux commented Jan 15, 2024
edited
Loading

Hi, as I enhance the configuration of CRS for the Vaultwarden application, I've encountered a scenario where employing regex for the ctl key, specifically for ARGS, could be beneficial.

In the given example, the alert (ID 932220) is triggered because the ARGS content of json.login.uris.1.uri is encrypted:

{
    "level": "error",
    "ts": 1705353717.3021958,
    "logger": "http.handlers.waf",
    "msg": "[client \"192.168.1.1\"] Coraza: Warning. Remote Command Execution: Unix Command Injection with pipe [file \"/ruleset/coreruleset/rulesV4RC2/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"0\"] [id \"932220\"] [rev \"\"] [msg \"Remote Command Execution: Unix Command Injection with pipe\"] [data \"Matched Data: =|ufR/HPSS45/Ul found within ARGS:json.login.uris.1.uri: 2.FoU9JIrRUvn6FhRbPmhKTA==|vnSOLkOXuYSRm7tER2zFgHk7dQw1II0v5NcoeCXQHE4=|ufR/HPSS45/UlE7cS1xx1zUSKOSfcL5JMN14uXCsLz4=\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc2\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level/2\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/88\"] [tag \"PCI/6.5.2\"] [hostname \"\"] [uri \"/api/ciphers\"] [unique_id \"IvajjhfZVMldJlxH\"]\n"
}

When adding an element in the Vault, multiple URLs can be involved, as illustrated in the provided image.

Capture d’écran du 2024-01-15 22-36-49

This scenario highlights the need for adding regex for ctl key to facilitate easier whitelisting.

Here's the current whitelist rule under construction:

SecRule REQUEST_METHOD "@streq POST" \
    "id:1009,\
    phase:1,\
    pass,\
    log,\
    t:none,\
    msg:'creating new password element.',\
    rev:'1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /api/ciphers" \
        "t:none,\
        ctl:ruleRemoveTargetById=932220;ARGS:json.login.username,\
        ctl:ruleRemoveTargetById=932236;ARGS:json.login.username,\
        ctl:ruleRemoveTargetById=932220;ARGS:json.login.password,\
        ctl:ruleRemoveTargetById=932236;ARGS:json.login.password,\
        ctl:ruleRemoveTargetById=932220;ARGS:json.name,\
        ctl:ruleRemoveTargetById=932236;ARGS:json.name,\
        ctl:ruleRemoveTargetById=932220;ARGS:json.notes,\
        ctl:ruleRemoveTargetById=932236;ARGS:json.notes,\
        ctl:ruleRemoveById=921180"

This rule aims to allow the creation of a new password element while excluding specific ARGS related to the mentioned alert, thereby enhancing security configurations for Vaultwarden.

@jcchavezs jcchavezs mentioned this issue Jan 29, 2024
Open
@fzipi fzipi self-assigned this May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fzipi fzipi

Labels
v3.1
Projects
None yet
Milestone
v3.1
Development

No branches or pull requests
5 participants
@fzipi @jcchavezs @flyingman15 @M4tteoP @Barnoux