Filter Bypass Vulnerability #62
Comments
Original reporter: samiux
brectanus: I'll repeat my comments on this here... I agree, it is still an issue, but it is one of "Impedance Mismatch". This is documented here: And a blog on it here: http://thread.gmane.org/gmane.comp.apache.mod-security.user/5637

ModSecurity was designed in an Apache-centric manner and with Apache

What needs to be done -- and some thought has gone into it -- is to have

You have some other options (workarounds, but require some effort):

If you do go the extension route, I am available to answer questions

While it is an issue, it is also a fairly common issue among WAF/IDS/IPS
brectanus: Adding Ryan Barnett's comment with a workaround... Here is the rule to detect if there are multiple parameters submitted that have the same name:

SecRule ARGS_NAMES "." "chain,phase:2,t:none,nolog,pass,capture,setvar:'tx.arg_name%{tx.0}=+1',msg:'Multiple Parameters with the same Name.'"

As you can see, we are simply creating a TX collection using macro expansion for the variable name and we are incrementing a counter each time we see a parameter. The 2nd part of the chained rule is then evaluating the TX collection to see if any of them are greater than 1. Keep in mind that this isn't a direct HTTP Parameter Pollution rule per se, as it may in fact be legitimate functionality of your app to have multiple parameters with the same name. This rule works to alert you to where those occurrences are happening. If you find that this is legit functionality, you could incorporate an exception into the rule to exclude those specific parameter names.
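As an added example that is not part of this issue or of the CRS, the two halves of the chain described above emulated in Python: a per-name counter over ARGS_NAMES (query string and body together), followed by a check for any count above 1, with the exception list the comment suggests for names the application legitimately repeats. The allowlist contents and the sample requests are constructed for the example.

```python
from urllib.parse import parse_qsl

# Parameter names the application is known to submit more than once on
# purpose; the comment above suggests exempting such names from the alert.
# Constructed allowlist for this example, not a CRS setting.
ALLOWED_REPEATS = {"tags[]"}

ALERT_MSG = "Multiple Parameters with the same Name."


def count_arg_names(query_string="", body=""):
    """First rule of the chain: walk every name in ARGS_NAMES (query string
    and body together) and increment a per-name counter, the equivalent of
    setvar:'tx.arg_name%{tx.0}=+1'. Blank values still count as a submission."""
    counts = {}
    for raw in (query_string, body):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            counts[name] = counts.get(name, 0) + 1
    return counts


def repeated_arg_names(counts, allowed=frozenset(ALLOWED_REPEATS)):
    """Second rule of the chain: any counter greater than 1 fires, unless the
    name is a known legitimate repeat (the exception the comment recommends)."""
    return sorted(name for name, n in counts.items() if n > 1 and name not in allowed)


def inspect_request(query_string="", body=""):
    """Run both halves of the chain and return what the rule would log."""
    counts = count_arg_names(query_string, body)
    repeated = repeated_arg_names(counts)
    return {
        "alert": bool(repeated),
        "msg": ALERT_MSG if repeated else "",
        "repeated": repeated,
        "counts": counts,
    }


# Constructed sample requests (not taken from the issue).
if __name__ == "__main__":
    samples = [
        ("user=alice&page=1", ""),            # no repeats: no alert
        ("user=alice", "user=admin&page=1"),  # same name in query and body: alert
        ("tags[]=a&tags[]=b", ""),            # legitimate repeat, exempted: no alert
    ]
    for qs, body in samples:
        print(qs, body, "->", inspect_request(qs, body))
```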
rcbarnett: We added this HTTP Parameter Pollution (HPP) rule to the CRS v.2.0.0.
CORERULES-8: For details, please refer to this link.
http://www.milw0rm.com/exploits/8930