Difference between revisions of "ModSecurity CRS RuleID-960911"
Line 21: | Line 21: | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
<code>SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ | <code>SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ | ||
− | "t:none,t:lowercase,phase:2,rev:'2.0. | + | "t:none,t:lowercase,phase:2,rev:'2.0.9',block,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"</code> |
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Detailed Rule Information</td> |
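Review bot: the right-hand side completes the action list that the previous revision cut off after `rev:'2.0.`, but the revision it records, `rev:'2.0.9'`, does not agree with the audit log example further down on this page, which was produced by core ruleset/2.0.8 and carries `[rev "2.0.8"]`; either update the log sample to a 2.0.9 run or state that it predates this revision. The regex itself is unchanged between the two sides, and the new actions `block,nolog,auditlog` together with the three `setvar` entries (tx.msg, tx.anomaly_score and tx.protocol_violation_score, both incremented by tx.notice_anomaly_score) are what make the rule participate in anomaly scoring, so the "Impact" and "Ease of Detection" cells below should mention that scoring rather than only the severity.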
Revision as of 17:11, 15 November 2010
Rule ID: 960911
Rule Message: Invalid HTTP Request Line
Rule Summary: Validate request line against the format specified in the HTTP RFC
Impact: 4 - Warning
Rule:
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "t:none,t:lowercase,phase:2,rev:'2.0.9',block,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
Detailed Rule Information:
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
A description of the regular expression:

Beginning of line or string
Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?]
    Select from 2 alternatives
        (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+
            Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*]
                Select from 3 alternatives
                    [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
                        Any character in this class: [a-z], between 3 and 10 repetitions
                        Whitespace, one or more repetitions
                        Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions
                            \w{3,7}?://[\w\-\./]*(?::\d+)?
                                Alphanumeric, between 3 and 7 repetitions, as few as possible
                                ://
                                Any character in this class: [\w\-\./], any number of repetitions
                                Match expression but don't capture it. [:\d+], zero or one repetitions
                                    :\d+
                                        :
                                        Any digit, one or more repetitions
                        /
                        Any character that is NOT in this class: [?#], any number of repetitions
                        Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
                            \?[^#\s]*
                                Literal ?
                                Any character that is NOT in this class: [#\s], any number of repetitions
                        Match expression but don't capture it. [#[\S]*], zero or one repetitions
                            #[\S]*
                                #
                                Any character in this class: [\S], any number of repetitions
                    connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?
                        connect
                        Space
                        Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions
                            \d{1,3}\.
                                Any digit, between 1 and 3 repetitions
                                Literal .
                        Any digit, between 1 and 3 repetitions
                        Literal ., zero or one repetitions
                        Match expression but don't capture it. [:\d+], zero or one repetitions
                            :\d+
                                :
                                Any digit, one or more repetitions
                    options \*
                        options
                        Space
                        Literal *
            Whitespace, one or more repetitions
            Any character in this class: [\w\./], one or more repetitions
        get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?
            get
            Space
            /
            Any character that is NOT in this class: [?#], any number of repetitions
            Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions
                \?[^#\s]*
                    Literal ?
                    Any character that is NOT in this class: [#\s], any number of repetitions
            Match expression but don't capture it. [#[\S]*], zero or one repetitions
                #[\S]*
                    #
                    Any character in this class: [\S], any number of repetitions
End of line or string
Example Payload:
Here is an example payload taken from HTTPrint (http://net-square.com/httprint/) that will trigger this rule:
127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA
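The following is an added example, not part of the original wiki page or the CRS itself: it reproduces the rule's logic in Python (t:lowercase, the regex above, and the "!" negation) and emulates its setvar actions on a transaction dict, then runs it over constructed request lines including the HTTPrint payload. The value of tx.notice_anomaly_score is an assumption, since the page does not give one; the sample lines are constructed, not captured traffic.

```python
import re

# Regex copied from rule 960911. ModSecurity applies it to REQUEST_LINE after
# t:lowercase and negates it with "!", so the rule fires when the line does NOT match.
REQUEST_LINE_RX = re.compile(
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$",
    re.ASCII,  # PCRE-like ASCII \w, \d, \s instead of Python's Unicode defaults
)

NOTICE_ANOMALY_SCORE = 2  # assumed value for tx.notice_anomaly_score (not given on the page)


def rule_960911_fires(request_line):
    """True when the rule matches, i.e. the lowercased request line is NOT a valid request line."""
    lowered = request_line.lower()  # t:none,t:lowercase
    return REQUEST_LINE_RX.match(lowered) is None  # the "!" in front of the regex


def evaluate(request_line, tx=None):
    """Emulate the rule's setvar actions on a copy of the transaction variables and return it."""
    tx = dict(tx or {})
    tx.setdefault("tx.anomaly_score", 0)
    tx.setdefault("tx.protocol_violation_score", 0)
    if rule_960911_fires(request_line):
        tx["tx.msg"] = "Invalid HTTP Request Line"
        tx["tx.anomaly_score"] += NOTICE_ANOMALY_SCORE
        tx["tx.protocol_violation_score"] += NOTICE_ANOMALY_SCORE
        # %{matched_var_name} is REQUEST_LINE, %{matched_var} the line itself
        tx["tx.960911-PROTOCOL_VIOLATION/INVALID_REQ-REQUEST_LINE"] = request_line
    return tx


# Constructed sample request lines -> whether the rule should fire
SAMPLES = {
    "GET /index.html HTTP/1.1": False,
    "GET http://example.com:8080/path?q=1#frag HTTP/1.1": False,
    "OPTIONS * HTTP/1.0": False,
    "CONNECT 10.0.0.1:443 HTTP/1.1": False,
    "\x16\x03": True,  # TLS record header on a plaintext port, as in the HTTPrint payload
    "GET": True,       # no request-target at all
    "CONNECT example.com:443 HTTP/1.1": True,  # connect alternative only accepts a dotted-quad host
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        fired = rule_960911_fires(line)
        assert fired == expected, (line, fired)
        print(f"{'FIRES ' if fired else 'passes'} {line!r} score={evaluate(line)['tx.anomaly_score']}")
```

The last sample shows a behaviour of this regex worth knowing when tuning: a CONNECT request-target given as a hostname rather than an IPv4 literal does not match any alternative and therefore raises the anomaly score.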
Example Audit Log Entry:
An example ModSecurity audit log entry for when this rule matches:
--1167a167-A--
[14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80
--1167a167-B--
^V^C
--1167a167-F--
--1167a167-H--
Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03
Stopwatch: 1284479503453580 43606 (4888 42377 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8.
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
--1167a167-Z--
Attack Scenarios:
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans (http://projects.webappsec.org/Fingerprinting). Other times they are caused by poorly written web clients.
Ease of Attack: Easy
Ease of Detection: Easy with either regular expressions or by monitoring Apache error logging in phase:5
False Positives: None known
False Negatives: None known
Rule Documentation Contributor(s):
Additional References:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1