I am trying to create a rule that allows any parameter value containing scrip%u0074 (Unicode value of t) to be passed through. I created this rule:

SecRule REQUEST_URI "@contains scrip%u0074" \
    "id:1234567,phase:1,pass,t:none,t:urlDecodeUni,logdata:'Bypass script',ctl:ruleRemoveTargetByTag=attack-xss,ctl:ruleRemoveTargetById=920220"

But other rules still block it. When I remove the part with t:..., it works, but the value sent to the web application is not script (Unicode replaced by utf-8), but still Unicode.

How can we improve that rule so that it avoids detection/blocking by the other rules and replaces the Unicode encoding with UTF-8?

1 Answer

CRS dev-on-duty here. It's dangerous to remove parts of the OWASP CRS depending on user input. It's a better idea to only remove specific arguments from a rule. What arguments contain this scrip%u0074? Can you identify them?

ctl:ruleRemoveTargetByTag=attack-xss and ctl:ruleRemoveTargetById=920220 don't work because you don't specify a target to remove, you only specify a rule. To remove an argument (target) called name, use ctl:ruleRemoveTargetByTag=attack-xss;ARGS:name and ctl:ruleRemoveTargetById=920220;ARGS:name. Place those rules BEFORE the CRS rules.

Other possibility: To exclude an entire rule/tag use ctl:ruleRemoveByTag=attack-xss and ctl:ruleRemoveById=920220 instead, if you still want to use this kind of tuning. Place those SecRule rules BEFORE the CRS rules.

See here: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#ctl

You can also (other possibility) remove an argument called "name" by removing it from a specific rule with: SecRuleUpdateTargetById 920220 !ARGS:name (Here we use the update and the !) Place those SecRuleUpdate... directives AFTER the CRS rules include.

Please have a look at the CRS tuning documentation: https://coreruleset.org/docs/concepts/false_positives_tuning/

If you still have blocks, please open an issue in our GitHub repo and fill out the false positive template: https://github.com/coreruleset/coreruleset/issues

  • Yes, I want to do this in the context of a particular parameter, let's call it "name".
    – Texicans
    Commented Jun 26 at 15:00
  • Then you can remove this argument "name" with: SecRuleUpdateTargetById 920220 !ARGS:name.
    Commented Jun 26 at 16:19
  • I improved my rule, but still, it is blocked: SecRule REQUEST_URI "@contains scrip%u0074" \ "id:1234567,phase:1,pass,t:none,t:urlDecodeUni,logdata:'Bypass script',ctl:ruleRemoveByTag=attack-xss;!ARGS:name,ctl:ruleRemoveById=920220;!ARGS:name"
    – Texicans
    Commented Jun 26 at 18:43
  • Now, we have a target we want to remove: name. So we can write: SecRule REQUEST_URI "@contains scrip%u0074" \ "id:1234567,phase:1,pass,t:none,t:urlDecodeUni,logdata:'Bypass script',ctl:ruleRemoveTargetByTag=attack-xss;ARGS:name,ctl:ruleRemoveTargetById=920220;ARGS:name"
    Commented Jun 26 at 20:04
  • I didn't check the rule or the encoding. If it doesn't work, can you try: SecRuleUpdateTargetById 920220 !ARGS:name and SecRuleUpdateTargetByTag "attack-xss" "!ARGS:name"? In contrast to the SecRule (first example above, to be placed BEFORE the CRS), the SecRuleUpdateTargetById must be included AFTER the CRS. Also see coreruleset.org/docs/concepts/false_positives_tuning.
    Commented Jun 26 at 20:12
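The two placements the answer and the comments describe, laid out as one configuration file so the ordering is visible. This is an added example, not configuration from the question, the answer or the CRS project: the Include paths and the parameter name "name" are assumptions, while the rule ids 1234567 and 920220 and the tag attack-xss come from the thread. In practice you would pick one of the two mechanisms, not both.

```apache
# Added example (not from the thread): argument-specific exclusions for
# ARGS:name around the OWASP CRS. Paths are placeholders for your install.

# --- 1. Runtime exclusion with ctl:, placed BEFORE the CRS is included ---
# (CRS ships an empty REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for this.)
# Only the argument "name" is removed from the attack-xss rules and from
# rule 920220; every other parameter of the request is still inspected.
# t:urlDecodeUni is deliberately absent: it would turn %u0074 into "t" in
# the copy of REQUEST_URI being matched, so "@contains scrip%u0074" would
# no longer match. Transformations only touch that matching copy; they
# never rewrite the request that is forwarded to the application.
SecRule REQUEST_URI "@contains scrip%u0074" \
    "id:1234567,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-xss;ARGS:name,\
    ctl:ruleRemoveTargetById=920220;ARGS:name"

Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf

# --- 2. Static exclusion with SecRuleUpdateTarget..., placed AFTER the CRS ---
# (CRS ships RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf for this.)
# Same effect as block 1 but unconditional: ARGS:name is never inspected by
# rule 920220 or by any rule tagged attack-xss, regardless of the URI.
SecRuleUpdateTargetById 920220 "!ARGS:name"
SecRuleUpdateTargetByTag "attack-xss" "!ARGS:name"
```

The conditional form (block 1) is the narrower of the two: the exclusion only takes effect for requests whose raw URI contains scrip%u0074, and it can be scoped further by matching on REQUEST_FILENAME instead of the whole URI. The static form (block 2) is simpler to audit but applies to every request. Neither form changes what the backend receives; if the application should see a plain "t" rather than %u0074, that decoding has to happen in the application or in a component that rewrites the request, not in a ModSecurity transformation.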
