Difference between revisions of "ModSecurity CRS RuleID-960911"

From OWASP
Revision as of 11:18, 1 September 2010

Rule ID: 960911

Rule Message: Invalid HTTP Request Line

Rule

SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
"t:none,t:lowercase,phase:2,rev:'2.0.8',pass,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"

Rule Summary

  • Validate request line against the format specified in the HTTP RFC

Impact

4 - Warning.

Detailed Information

  • Uses rule negation against the regex for positive security. The regex specifies the proper construction of URI request lines such as:
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] 
  • It also outlines proper construction for CONNECT, OPTIONS and GET requests.
///  A description of the regular expression:
///  
///  Beginning of line or string
///  Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
///      Select from 2 alternatives
///          (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
///              Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
///                  Select from 3 alternatives
///                      [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///                          Any character in this class: [a-z], between 3 and 10 repetitions
///                          Whitespace, one or more repetitions
///                          Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
///                              \w{3,7}?://[\w\-\./]*(?::\d+)?
///                                  Alphanumeric, between 3 and 7 repetitions, as few as possible
///                                  ://
///                                  Any character in this class: [\w\-\./], any number of repetitions
///                                  Match expression but don't capture it. [:\d+], zero or one repetitions
///                                      :\d+
///                                          :
///                                          Any digit, one or more repetitions
///                          /
///                          Any character that is NOT in this class: [?#], any number of repetitions
///                          Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                              \?[^#\s]*
///                                  Literal ?
///                                  Any character that is NOT in this class: [#\s], any number of repetitions
///                          Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                              #[\S]*
///                                  #
///                                  Any character in this class: [\S], any number of repetitions
///                      connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
///                          connect
///                          Space
///                          Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
///                              \d{1,3}\.
///                                  Any digit, between 1 and 3 repetitions
///                                  Literal .
///                          Any digit, between 1 and 3 repetitions
///                          Literal ., zero or one repetitions
///                          Match expression but don't capture it. [:\d+], zero or one repetitions
///                              :\d+
///                                  :
///                                  Any digit, one or more repetitions
///                      options \*
///                          options
///                          Space
///                          Literal *
///              Whitespace, one or more repetitions
///              Any character in this class: [\w\./], one or more repetitions
///          get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///              get
///              Space
///              /
///              Any character that is NOT in this class: [?#], any number of repetitions
///              Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///                  \?[^#\s]*
///                      Literal ?
///                      Any character that is NOT in this class: [#\s], any number of repetitions
///              Match expression but don't capture it. [#[\S]*], zero or one repetitions
///                  #[\S]*
///                      #
///                      Any character in this class: [\S], any number of repetitions
///  End of line or string
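The negated-match logic described above, run offline against a few constructed request lines. This is an added example, not part of the OWASP page or of the CRS itself: it reproduces the rule's t:lowercase transformation and its regex in Python, reports which lines would make the rule fire, and mimics the setvar actions on a TX collection; the value of tx.notice_anomaly_score is an assumption, since the rule reads it from the CRS setup file.

```python
import re

# Regex copied verbatim from CRS rule 960911 (the pattern after the leading "!").
# The rule applies t:lowercase before matching, so the method keywords are lowercase.
VALID_REQUEST_LINE = re.compile(
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# Assumed value of tx.notice_anomaly_score; the CRS sets it in its setup file, not in this rule.
NOTICE_ANOMALY_SCORE = 2


def rule_960911_fires(request_line: str) -> bool:
    """True when the rule matches, i.e. when the lowercased request line does NOT
    fit the positive-security regex.  This is the effect of the leading '!'."""
    line = request_line.rstrip("\r\n").lower()  # t:lowercase
    return VALID_REQUEST_LINE.match(line) is None


def apply_rule(request_line: str, tx: dict) -> dict:
    """Mimic the rule's setvar actions on a ModSecurity TX collection (a plain dict here).
    The rule uses 'pass', so processing continues; only the scores and msg change."""
    if rule_960911_fires(request_line):
        tx["msg"] = "Invalid HTTP Request Line"
        tx["anomaly_score"] = tx.get("anomaly_score", 0) + NOTICE_ANOMALY_SCORE
        tx["protocol_violation_score"] = tx.get("protocol_violation_score", 0) + NOTICE_ANOMALY_SCORE
        tx["960911-PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE"] = request_line
    return tx


if __name__ == "__main__":
    # Constructed sample request lines: the first five fit the RFC forms the regex
    # encodes (origin path, absoluteURI, OPTIONS *, CONNECT ip:port, HTTP/0.9 GET);
    # the last three are malformed and raise the transaction's anomaly score.
    samples = [
        "GET /index.html HTTP/1.1",
        "GET http://example.com:8080/path?x=1#top HTTP/1.1",
        "OPTIONS * HTTP/1.1",
        "CONNECT 192.168.1.10:443 HTTP/1.1",
        "GET /",
        "GET index.html HTTP/1.1",  # path without a leading slash
        "G3T / HTTP/1.1",           # method containing a digit
        "GET",                      # no request-target at all
    ]
    tx = {}
    for line in samples:
        print(f"{'FIRES' if rule_960911_fires(line) else 'ok   '} {line!r}")
        apply_rule(line, tx)
    print("final tx.anomaly_score =", tx.get("anomaly_score", 0))
```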

Affected Software

Different web server software may react differently to malformed URIs.

Attack Scenarios

Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting

Other times, these are caused by poorly written web clients.

Ease of Attack

Easy.

Ease of Detection

Easy with either regular expressions or by monitoring Apache error logging in phase:5.

False Positives

None known.

False Negatives

None known.

Corrective Action

Contributors

Ryan Barnett

Additional References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1