How do people handle false positives on (e.g.) bootstrap css files?


Steve Hanselman

Dec 15, 2021, 9:57:57 AM
to ModSecurity Core Rule Set project
I'm seeing triggers on rules 930100 and 930110 where the css uses background: url(../images/corners.gif);

Would this be considered a general false positive, given the use of bootstrap (and therefore fixed as an issue), or would this be considered a local issue?

What do you tend to do, use SecRuleDisableById in the server section for various projects, or amend the rule in the server section to make it more specific and not trigger on these?

Steve

Ervin Hegedüs

Dec 15, 2021, 10:09:40 AM
to Steve Hanselman, ModSecurity Core Rule Set project
Hi Steve,

On Wed, Dec 15, 2021 at 06:57:57AM -0800, Steve Hanselman wrote:
> I'm seeing triggers on rules 930100 and 930110 where the css uses
> background: url(../images/corners.gif);

I assume you're sending the request to a server with CSS
content like the above - am I right?

> Would this be considered a general false positive, given the use of
> bootstrap (and therefore fixed as an issue), or would this be considered a
> local issue?

As you can see, the purpose of these rules is to prevent local
file inclusion (LFI); see especially these comments:

https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf#L89-L94

So I think this is more a local issue than a general FP.

> What do you tend to do, use SecRuleDisableById in the server section for
> various projects, or amend the rule in the server section to make it more
> specific and not trigger on these?

The best thing you can do is create an exclusion
rule. It depends on how your endpoint works and what the URI is, but I
would do something similar:

SecRule REQUEST_URI "@beginsWith /your/css/sending/uri" \
    "id:1000001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=930100,\
    ctl:ruleRemoveById=930110"

If you know which POST variable contains the CSS
above, you can pass only that to the exclusion with
ruleRemoveTargetById:

...
ctl:ruleRemoveTargetById=930100;ARGS:yourfield,\
ctl:ruleRemoveTargetById=930110;ARGS:yourfield"

In this case, the engine will skip only the field that you gave;
any other POST argument will be inspected.



a.
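
The targeted exclusion described in the reply above, written out in full as an added example (not part of the original post and not taken from the CRS project's files). The URI and field name are the post's own placeholders; the rule id 1000002 and the file placement are assumptions.

```apache
# Added example. /your/css/sending/uri and yourfield are the placeholders used
# in the post; replace them with the real endpoint and argument name.
# Assumption: id 1000002 is unused in the local rule id range.
#
# Placement: a runtime (ctl:) exclusion has to be loaded BEFORE the CRS rule
# files it affects. CRS 3 provides REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# for this purpose.

# Narrow exclusion: on this one URI, rules 930100 and 930110 stop inspecting
# the single argument that carries the CSS. Both rules still inspect the
# request URI, the headers and every other argument of the same request,
# and they stay fully active on every other URI.
SecRule REQUEST_URI "@beginsWith /your/css/sending/uri" \
    "id:1000002,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=930100;ARGS:yourfield,\
    ctl:ruleRemoveTargetById=930110;ARGS:yourfield"

# For comparison, the broad alternative: this removes both LFI rules for every
# request the server handles. It is a configure-time directive and only works
# when loaded AFTER the CRS rule files, so it belongs in a separate file
# (CRS 3: RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). Left commented out.
# SecRuleRemoveById 930100 930110
```

The narrow rule keeps path traversal detection in place for the rest of the application, which is why it is preferable to removing the rules by id server-wide.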

Steve Hanselman

Dec 15, 2021, 10:49:56 AM
to ModSecurity Core Rule Set project, air...@gmail.com, ModSecurity Core Rule Set project, Steve Hanselman
Perfect, many thanks for the guidance, I'll pop that in.

Specifically it's part of the bootstrap standard build, likewise the same thing hits on yui as well.