ModSecurity CRS RuleID-960911
From OWASP
Revision as of 16:18, 1 September 2010
Rule ID: 960911
Rule Message: Invalid HTTP Request Line
Rule
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "t:none,t:lowercase,phase:2,rev:'2.0.8',pass,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Rule Summary
- Validate request line against the format specified in the HTTP RFC
Impact
4 - Warning.
Detailed Information
- Uses rule negation against the regex for positive security. The regex specifies the proper construction of URI request lines such as:
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
- It also outlines proper construction for CONNECT, OPTIONS and GET requests.
/// A description of the regular expression:
///
/// Beginning of line or string
/// Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
///   Select from 2 alternatives
///     (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
///       Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
///         Select from 3 alternatives
///           [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///             Any character in this class: [a-z], between 3 and 10 repetitions
///             Whitespace, one or more repetitions
///             Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
///               \w{3,7}?://[\w\-\./]*(?::\d+)?
///                 Alphanumeric, between 3 and 7 repetitions, as few as possible
///                 ://
///                 Any character in this class: [\w\-\./], any number of repetitions
///                 Match expression but don't capture it. [:\d+], zero or one repetitions
///                   :\d+
///                     :
///                     Any digit, one or more repetitions
///             /
///             Any character that is NOT in this class: [?#], any number of repetitions
///             Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///               \?[^#\s]*
///                 Literal ?
///                 Any character that is NOT in this class: [#\s], any number of repetitions
///             Match expression but don't capture it. [#[\S]*], zero or one repetitions
///               #[\S]*
///                 #
///                 Any character in this class: [\S], any number of repetitions
///           connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
///             connect
///             Space
///             Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
///               \d{1,3}\.
///                 Any digit, between 1 and 3 repetitions
///                 Literal .
///             Any digit, between 1 and 3 repetitions
///             Literal ., zero or one repetitions
///             Match expression but don't capture it. [:\d+], zero or one repetitions
///               :\d+
///                 :
///                 Any digit, one or more repetitions
///           options \*
///             options
///             Space
///             Literal *
///       Whitespace, one or more repetitions
///       Any character in this class: [\w\./], one or more repetitions
///     get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
///       get
///       Space
///       /
///       Any character that is NOT in this class: [?#], any number of repetitions
///       Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
///         \?[^#\s]*
///           Literal ?
///           Any character that is NOT in this class: [#\s], any number of repetitions
///       Match expression but don't capture it. [#[\S]*], zero or one repetitions
///         #[\S]*
///           #
///           Any character in this class: [\S], any number of repetitions
/// End of line or string
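The following script is an added example for this page, not code from the CRS project: it applies the rule's regex (copied verbatim from the SecRule line above) to constructed request lines the way ModSecurity does, lowercasing first to mirror t:lowercase and inverting the match to mirror the "!" negation, so you can see which request lines the positive-security pattern accepts and which it flags. The sample lines and the expected verdicts are constructed for this illustration; re.ASCII is used because PCRE treats \w and \s as ASCII-only by default, which Python's re does not.

```python
import re

# Regex copied verbatim from the rule 960911 SecRule operator (minus the "!" negation).
CRS_960911_REGEX = (
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# t:lowercase runs before the operator, so the pattern only carries lower-case literals.
# re.ASCII approximates PCRE's default ASCII-only \w and \s (an assumption, close enough here).
_request_line_ok = re.compile(CRS_960911_REGEX, re.ASCII)


def rule_960911_fires(request_line: str) -> bool:
    """Return True if rule 960911 would fire on this REQUEST_LINE value.

    The operator is negated ("!^...$"), so the rule fires when the lowercased
    request line does NOT fully match the positive-security regex.
    """
    return _request_line_ok.match(request_line.lower()) is None


# Constructed sample request lines (not taken from the page or from real traffic),
# paired with the verdict the regex should give: True = rule fires.
SAMPLES = [
    ("GET / HTTP/1.1", False),
    ("GET /index.php?id=1 HTTP/1.1", False),
    ("GET /", False),                                # HTTP/0.9 simple request: second top-level alternative
    ("GET http://example.com:8080/a?b=1 HTTP/1.1", False),  # absolute URI with scheme and port
    ("CONNECT 10.0.0.1:443 HTTP/1.1", False),        # dotted-quad CONNECT target
    ("OPTIONS * HTTP/1.1", False),                   # server-wide OPTIONS
    ("GET / JUNK/1.0", False),                       # version token is not validated at all
    ("GET/index.html HTTP/1.1", True),               # no whitespace after the method
    ("GET ../../etc/passwd HTTP/1.1", True),         # path does not start with "/"
    ("GET /search?q=hello world HTTP/1.1", True),    # raw space inside the query string
    ("G3T / HTTP/1.1", True),                        # method must be 3 to 10 letters
    ("CONNECT example.com:443 HTTP/1.1", True),      # hostname CONNECT target falls outside the pattern
]


def mismatches(samples=SAMPLES):
    """Return the sample lines whose actual verdict differs from the expected one."""
    return [line for line, expected in samples if rule_960911_fires(line) != expected]


if __name__ == "__main__":
    for line, expected in SAMPLES:
        verdict = "FLAGGED" if rule_960911_fires(line) else "ok"
        print(f"{verdict:7}  {line!r}")
    print("mismatches:", mismatches())
```

Two things the run makes visible that the prose does not: the CONNECT alternative only admits a dotted-quad target with an optional port, so a CONNECT to a hostname does not match the positive pattern and the rule fires on it, and nothing after the request-target is checked beyond "whitespace then word characters, dots and slashes", so an arbitrary protocol token such as JUNK/1.0 passes.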
Affected Software
Different web server software may react differently to malformed URIs.
Attack Scenarios
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting
Other times, these are caused by poorly written web clients.
Ease of Attack
Easy.
Ease of Detection
Easy, either with a regular expression applied to REQUEST_LINE (as this rule does) or by monitoring Apache error logging in phase:5.
False Positives
None known.
False Negatives
None known.
Corrective Action
Contributors
Ryan Barnett
Additional References
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1