Blocking POST requests with payload


stevek

Jan 3, 2023, 12:41:08 PM1/3/23
to ModSecurity Core Rule Set project
Hello MSCRS project,

First some particulars:

ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
Apache/2.4.54 (Debian) OpenSSL/1.1.1n configured
OWASP ModSecurity Core Rule Set ver.3.3.0

---

Is it possible to block this request without eliminating POST in the
REQUEST_METHOD as there is a contact form on the website that I would
like to re-enable if I can get this issue resolved?

Rule currently in use:

SecRule REQUEST_METHOD "!@within GET PUT HEAD"\
"id:20000,\
phase:1,\
deny,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}'"


The Host: 178.128.49.167 = digitalocean.com
(The Host: 178.128.49.167 is not my domain.)

I tried using the CRS rule "HOST is a numeric ipaddress" but that didn't
work for this either.

User-Agent: Go-http-client/1.1: I tried blocking User-Agent:
Go-http-client/1.1, or anything that contains "User-Agent: Go-http-client/1.1",
to no avail.
It's probably not a good idea to block User-Agent: Go-http-client/1.1.

From modsec_audit.log:


--0bd08e63-A--
[03/Jan/2023:05:22:02 --0500] Y7QBylFoG80HkkPDqIPWiAAAAAM 94.130.75.179
26872 xxx.xxx.xxx.xxx 443
--0bd08e63-B--
POST / HTTP/1.1
Host: 178.128.49.167
User-Agent: Go-http-client/1.1
Content-Length: 1069
Content-Type: image/jpeg
Cookie:
fr=zdpB50+8ojXA7QXzsGX37HUiQUr8PQK/KcTWAlzK1L4R2jShzH/wHfymaHOTVNK/uxR+WAhUZl7a7nP+yCPvE7aIg4iohISk2CNHmRE4BMltoeLIn7+MamqM5TXScmXIOIhg31EOQulG+JMQ4kj5BmbQoh3JEx3IfiqfqgSsHEJAwmScRc9gFK2ct00HiDJUloe7MRfg6+ZLxLcgQygCL3zhrJ2xrhrZnLcRSrzbhdKDWx2E6Gf5KMrBHlmufQ8DMlRFwkzxVX//JnlZRzLJLmG0rSP05jkvmsj6Sb8ukK8JGqottxThvJdYEZepo1jckybTdQfOjSJESGHFWDECh2fh+YQygANMQB0tQNmogewU44ODMzcL5C7/tn9esi9GxmS2tJDSxz0ovsrRGqFQZT/F86Z8qBUXPaQ=
X-Psiphon-Fronting-Address: 178.128.49.167
Accept-Encoding: gzip

^ Additionally, posts with payload application/octet-stream, mpeg and
image/jpeg

--0bd08e63-F--
HTTP/1.1 403 Forbidden
Content-Length: 280
Content-Type: text/html; charset=iso-8859-1

--0bd08e63-H--
Message: Access denied with code 403 (phase 1). Match of "within GET PUT
HEAD" against "REQUEST_METHOD" required.

Thank you in advance for any and all help with this.

Steve King

Christian Folini

Jan 4, 2023, 3:22:49 AM1/4/23
to stevek, ModSecurity Core Rule Set project
Hey Steve,

On Tue, Jan 03, 2023 at 12:41:00PM -0500, stevek wrote:
> Is it possible to block this request without eliminating POST in the
> REQUEST_METHOD as there is a contact form on the website that I would like
> to re-enable if I can get this issue resolved?

You omit to document the request here, but I presume from your audit log
that you want to block a POST to /, while still allowing POST to other
URIs.

This is not strictly a CRS problem, since POST to / can be benign and we
do not flag it. We do raise anomaly score over the fact that the request
you document below lacks a valid host header (-> numeric!), but that is
not enough to block a request in the default setting.

Technically, you could reduce the anomaly threshold to a level that
blocks requests with numeric host headers. But I would not really advise
for that.

So the better option is probably to block POST requests to /. There are
multiple ways to express such a rule, I think the following proposal
is quite elegant:

SecRule REQUEST_LINE "@beginsWith POST / " \
"id:1000,phase:1,deny,log,msg:'POST to /'"

Please note the space after the slash.

Best,

Christian
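An added example, not part of the thread and not CRS code, of how the policy discussed above can be written so the contact form keeps working. It assumes the contact form posts to /contact (a hypothetical path; adjust it) and that rule ids 1002 and 1003 are unused. Rule 1002 is the "POST to /" block expressed against REQUEST_FILENAME, which holds the request path without the query string, so a request line such as "POST /?x=1 HTTP/1.1" is caught as well; rule 1003 is the stricter alternative (only the contact form may receive POST at all) and goes beyond what the thread asked for. Use one or the other, not both.

```apache
# Added example, not from the thread. Replaces the original rule 20000, which
# denied every POST. Phase 1 is sufficient: method and path are known before
# the request body is read, so the image/jpeg or octet-stream payload is never
# parsed.

# Rule 1002: deny POST to the bare site root only. Other POST targets
# (for example the assumed contact form at /contact) are untouched.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1002,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'POST to site root is not allowed by policy',\
    logdata:'host=%{REQUEST_HEADERS.Host} ua=%{REQUEST_HEADERS.User-Agent}',\
    chain"
    # REQUEST_FILENAME is the path without the query string, so this also
    # matches "POST /?foo=bar HTTP/1.1".
    SecRule REQUEST_FILENAME "@streq /"

# Rule 1003 (alternative, stricter): allow POST only to the contact form.
# /contact is an assumption; change it to the form's real action URL.
# Uncomment this rule and drop 1002 if you prefer an allowlist.
#SecRule REQUEST_METHOD "@streq POST" \
#    "id:1003,\
#    phase:1,\
#    deny,\
#    status:403,\
#    log,\
#    msg:'POST outside the contact form is not allowed by policy',\
#    logdata:'path=%{REQUEST_FILENAME} host=%{REQUEST_HEADERS.Host}',\
#    chain"
#    SecRule REQUEST_FILENAME "!@streq /contact"
```

After reloading Apache, a request like the one in the audit log (POST / with a numeric Host) should produce a 403 with the rule's msg in the H section of modsec_audit.log, while a POST to the contact form's action URL goes through to the application; the logdata field records the Host and User-Agent values so the blocked traffic can be reviewed without blocking on the user agent itself.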