CRS Rules and Apache responses

[john smith]

Hi,

I'm new to modsecurity, still trying to understand how things work.

For example i have the latest version running on Apache and after trying some SQLI and XSS cases i don't see anything from modsecurity although apache gives a 400 error.

Is this because none of the rules in REQUEST-942-APPLICATION-ATTACK-SQLI matched or because of apache. how does that work?

I'm sharing my test cases:

SQLI:

select *

tom' or '1'='1

DROP sampletable;--

10; DROP TABLE members /*

11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 –-

'%/_%' ESCAPE '/';

'''|| usr ||' AND itemname = ''' || itm || '''';

XSS

<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Usually i get a 403 from apache and something like this as an error

[Sun Mar 01 14:30:58.736707 2020] [:error] [pid 43:tid 140175342544640] [client 172.21.0.4:54110] [client 172.21.0.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=8,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 10, 0, 5"] [tag "event-correlation"] [hostname "modsec"] [uri "/"] [unique_id "XlvHIvjgb4WImw-7uPIKVwAAAEU"]

[john smith]

Well since i got not replies i investigated this myself and eventually found a bug not related to ModSecurity or the rule set.

This is now resolved.

[Christian Folini]

On Tue, Mar 10, 2020 at 04:55:15PM -0700, john smith wrote:
> Well since i got not replies i investigated this myself and eventually
> found a bug not related to ModSecurity or the rule set.
> This is now resolved.

Thanks for letting us know. I was puzzled by your problem, that's why I did
not respond.

Cheers,

Christian

>
> On Sunday, March 1, 2020 at 4:32:31 PM UTC+2, john smith wrote:
> >
> > Hi,
> >
> > I'm new to modsecurity, still trying to understand how things work.
> > For example i have the latest version running on Apache and after trying
> > some SQLI and XSS cases i don't see anything from modsecurity although
> > apache gives a 400 error.
> > Is this because none of the rules in REQUEST-942-APPLICATION-ATTACK-SQLI
> > matched or because of apache. how does that work?
> >
> > I'm sharing my test cases:
> >

> > *SQLI:*

> >
> > select *
> >
> > tom' or '1'='1
> >
> > DROP sampletable;--
> >
> > 10; DROP TABLE members /*
> >
> > 11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 –-
> >
> > '%/_%' ESCAPE '/';
> >
> > '''|| usr ||' AND itemname = ''' || itm || '''';
> >
> >

> > *XSS*

> >
> > <SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
> >
> > <IMG
> > SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
> >
> >
> >
> > Usually i get a 403 from apache and something like this as an error
> >
> > [Sun Mar 01 14:30:58.736707 2020] [:error] [pid 43:tid 140175342544640]
> > [client 172.21.0.4:54110] [client 172.21.0.4] ModSecurity: Warning.
> > Operator GE matched 5 at TX:inbound_anomaly_score. [file
> > "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line
> > "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> > Score: 15 - SQLI=8,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0):
> > individual paranoia level scores: 0, 10, 0, 5"] [tag "event-correlation"]
> > [hostname "modsec"] [uri "/"] [unique_id "XlvHIvjgb4WImw-7uPIKVwAAAEU"]
> >
> >
>

> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/a24bc1d6-af98-4717-b6fd-001bca8419ca%40owasp.org.