
Coraza isn't matching a single rule multiple times like modsecurity does #760

Closed
soujanyanmbri opened this issue Apr 5, 2023 · 8 comments
Labels
awaiting feedback bug Something isn't working stale

Comments

@soujanyanmbri
Contributor

soujanyanmbri commented Apr 5, 2023

Description

ModSecurity gives multiple matches of the same rule, while Coraza doesn't.

Steps to reproduce

Run test number 930120-1 against ModSecurity and Coraza and check the matches for rule 930110.

Expected Result:

Modsec matches:
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: ../ found within ARGS:op: ../../../../../boot.ini
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=news&op=../../../../../boot.ini

Actual result

Coraza matches:
id: 930110, rule_msg: Path Traversal Attack (/../) (110), match_msg: Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini%00, match_attr: http.url

@soujanyanmbri soujanyanmbri changed the title from "Coraza isn't matching multiple" to "Coraza isn't matching a single rule multiple times like modsecurity does" on Apr 5, 2023
@M4tteoP
Member

M4tteoP commented Apr 5, 2023

Hi, thanks for the report. I will take a closer look as soon as possible. I'm wondering: is the anomaly score lower than the one computed by modsec? Could it be a matter of printed data rather than missing multiple matches?

@soujanyanmbri
Contributor Author

I have checked the same in the Coraza playground and got a single match from rule 930110.

// Playground snippet: emits one [id, message] pair per entry of tx.MatchedRules().
import (
	"encoding/json"
	"strconv"
	"github.com/corazawaf/coraza/v3/types"
)
func matchedData(tx types.Transaction) ([]byte, error) {
	md := [][]string{}
	for _, m := range tx.MatchedRules() {
		msg := m.Message()
		if msg == "" {
			continue
		}
		md = append(md, []string{strconv.Itoa(m.Rule().ID()), msg})
	}
	return json.Marshal(md)
}

The code from the playground doesn't seem to be printing only a single match; it is missing multiple matches.

@M4tteoP
Member

M4tteoP commented Apr 7, 2023

I tried to reproduce it, and I'm experiencing a different behavior (more like the opposite of this report).
Let's try to fix some elements: I reproduced it with the following:

  • CRS: 477d8c3431d042294af2651f08d63d10b6f3fd60 (v4.0, one of the latest commits)
  • Coraza (Go middleware): 1f15017a03fe4e4fe0cf9ea4333d53fca36c9dd9 (latest commit)
  • Modsec: ModSecurity for Apache/2.9.7 (just using the docker-compose that is part of the CRS commit).
  • Test triggered: 930120-1

All the 930110 log lines that I can see are the following (I tried to strip off unneeded data to make them more readable):

Coraza:

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini%00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini%00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini\x00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=news&op=../../../../../boot.ini"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini\x00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini\x00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini\x00"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Coraza: Warning. Path Traversal Attack (/../) or (/.../) [id "930110"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [uri "/index.php?file=News&op=../../../../../boot.ini%00"]

Apache w/ModSecurity:

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini%00"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini\\x00"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=News&op=../../../../../boot.ini"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?file=news&op=../../../../../boot.ini"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at ARGS:op. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini\\x00"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at ARGS:op. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: ../ found within ARGS:op: ../../../../../boot.ini"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "localhost"] [uri "/index.php"]

Coraza logs a total of 10 matches against rule 930110, while Apache w/ModSec logs a total of 6.

I feel that the overall anomaly score is also consistent. Looking at the total inbound score printed by 949110:

  • Coraza: 113 (per_pl=75-20-13-5)
  • Apache w/ModSec: 93 (per_pl=55-20-13-5)

The discrepancy should indeed come from these 4 extra matches against 930110, which add a total of 5*4.

So, I actually see extra matches rather than missing ones 🤔

Looking at your Coraza playground screenshots, it seems that the total score is 75, consistent with a CRS running in PL1 (see previous per_pl=75-20-13-5).
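Added example (editor's code, not from the thread and not Coraza's or ModSecurity's implementation): a stand-alone emulation of how a single multiMatch rule produces one operator hit per target per transformation, using the 930110 regex from the ModSecurity log lines above and the two targets both engines reported on. It assumes 930110's transformation chain is t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine (cmdLine is reduced to lowercasing, utf8toUnicode to a no-op on this ASCII request), and it treats "skip the operator when a transformation did not change the value" as a hypothesis that would explain the 6-vs-10 gap; the thread itself does not confirm either the chain or the cause. The target values are constructed from the logged request.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Operator regex of CRS rule 930110, taken from the (double-escaped) ModSecurity
// log lines above and written here unescaped.
var rule930110 = regexp.MustCompile(`(?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))`)

// criticalAnomalyScore is the CRS default added per CRITICAL rule hit.
const criticalAnomalyScore = 5

// Target is one variable the rule is evaluated against.
type Target struct{ Variable, Value string }

// Match is one operator hit: the variable, the transformation after which it
// fired, the transformed value and the matched substring ("Matched Data").
type Match struct{ Variable, Transform, Value, Data string }

type transform struct {
	name string
	fn   func(string) string
}

// urlDecode decodes %XX sequences and '+'; malformed sequences are kept as-is.
func urlDecode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '%' && i+2 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+3], 16, 8); err == nil {
				b.WriteByte(byte(v))
				i += 2
				continue
			}
		}
		if s[i] == '+' {
			b.WriteByte(' ')
		} else {
			b.WriteByte(s[i])
		}
	}
	return b.String()
}

// Assumed transformation chain of 930110: t:none,t:utf8toUnicode,t:urlDecodeUni,
// t:removeNulls,t:cmdLine. utf8toUnicode only rewrites non-ASCII bytes, so it is
// a no-op on this ASCII request; cmdLine is reduced to lowercasing, the only part
// of it that changes this request.
var transformChain = []transform{
	{"none", func(s string) string { return s }},
	{"utf8toUnicode", func(s string) string { return s }},
	{"urlDecodeUni", urlDecode},
	{"removeNulls", func(s string) string { return strings.ReplaceAll(s, "\x00", "") }},
	{"cmdLine", strings.ToLower},
}

// evaluateMultiMatch runs the operator on every target after every transformation,
// as multiMatch does. With skipUnchanged set, a step that leaves the value identical
// does not re-run the operator (the hypothesised ModSecurity behaviour); without it
// every step is evaluated.
func evaluateMultiMatch(targets []Target, skipUnchanged bool) []Match {
	var out []Match
	for _, t := range targets {
		val, prev := t.Value, ""
		for i, tf := range transformChain {
			val = tf.fn(val)
			if skipUnchanged && i > 0 && val == prev {
				continue
			}
			prev = val
			if data := rule930110.FindString(val); data != "" {
				out = append(out, Match{t.Variable, tf.name, val, data})
			}
		}
	}
	return out
}

// anomalyContribution is what a set of hits adds to the inbound anomaly score.
func anomalyContribution(matches []Match) int { return len(matches) * criticalAnomalyScore }

// threadTargets reconstructs (from the logs above) the two targets of CRS test
// 930120-1; ARGS values are already URL-decoded when the engine sees them.
func threadTargets() []Target {
	return []Target{
		{"REQUEST_URI", "/index.php?file=News&op=../../../../../boot.ini%00"},
		{"ARGS:op", "../../../../../boot.ini\x00"},
	}
}

func main() {
	for _, skip := range []bool{false, true} {
		hits := evaluateMultiMatch(threadTargets(), skip)
		fmt.Printf("skipUnchanged=%v: %d hits of 930110, +%d anomaly score\n", skip, len(hits), anomalyContribution(hits))
		for _, m := range hits {
			fmt.Printf("  after %-13s Matched Data: %s found within %s: %q\n", m.Transform, m.Data, m.Variable, m.Value)
		}
	}
}
```

Run with skipUnchanged=false the emulation yields 10 hits (5 per target, the %00 / \x00 / stripped / lowercased variants seen in the Coraza lines); with skipUnchanged=true it yields 6 (4 for REQUEST_URI, 2 for ARGS:op), and the 4 extra CRITICAL hits account for exactly the 20-point gap between 113 and 93. Whatever the real cause turns out to be, counting hits per (variable, transformation) rather than per rule ID is the comparison that matters when checking parity against ModSecurity.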

@jcchavezs jcchavezs added bug Something isn't working v3 labels Apr 11, 2023
@jcchavezs
Member

Any feedback @soujanyanmbri?

@jcchavezs
Member

Any movement here @soujanyanmbri @jptosso ?

@fzipi fzipi removed the v3 label Jun 10, 2023
@github-actions

This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.

@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.

@jptosso
Member

jptosso commented Jul 26, 2023

Is this fixed ?
