This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ModSecurity CRS RuleID-960911"
Line 147: | Line 147: | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Rule Documentation Contributor(s)</td> | ||
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
− | Ryan Barnett - | + | Ryan Barnett - ryan.barnett[[Image:Justat.gif|10px]]owasp.org |
</td></tr> | </td></tr> | ||
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td> | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >Additional References</td> |
Revision as of 21:14, 7 October 2010
Rule ID: 906911
Rule ID |
906911 |
Rule Message |
Invalid HTTP Request Line |
Rule Summary |
Validate request line against the format specified in the HTTP RFC |
Impact |
4 - Warning |
Rule |
|
Detailed Rule Information |
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
/// A description of the regular expression: /// /// Beginning of line or string /// Match expression but don't capture it. [(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?] /// Select from 2 alternatives /// (?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+ /// Match expression but don't capture it. [[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*] /// Select from 3 alternatives /// [a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)? /// Any character in this class: [a-z], between 3 and 10 repetitions /// Whitespace, one or more repetitions /// Match expression but don't capture it. [\w{3,7}?://[\w\-\./]*(?::\d+)?], zero or one repetitions /// \w{3,7}?://[\w\-\./]*(?::\d+)? /// Alphanumeric, between 3 and 7 repetitions, as few as possible /// :// /// Any character in this class: [\w\-\./], any number of repetitions /// Match expression but don't capture it. [:\d+], zero or one repetitions /// :\d+ /// : /// Any digit, one or more repetitions /// / /// Any character that is NOT in this class: [?#], any number of repetitions /// Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions /// \?[^#\s]* /// Literal ? /// Any character that is NOT in this class: [#\s], any number of repetitions /// Match expression but don't capture it. [#[\S]*], zero or one repetitions /// #[\S]* /// # /// Any character in this class: [\S], any number of repetitions /// connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)? /// connect /// Space /// Match expression but don't capture it. [\d{1,3}\.], exactly 3 repetitions /// \d{1,3}\. /// Any digit, between 1 and 3 repetitions /// Literal . /// Any digit, between 1 and 3 repetitions /// Literal ., zero or one repetitions /// Match expression but don't capture it. [:\d+], zero or one repetitions /// :\d+ /// : /// Any digit, one or more repetitions /// options \* /// options /// Space /// Literal * /// Whitespace, one or more repetitions /// Any character in this class: [\w\./], one or more repetitions /// get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)? /// get /// Space /// / /// Any character that is NOT in this class: [?#], any number of repetitions /// Match expression but don't capture it. [\?[^#\s]*], zero or one repetitions /// \?[^#\s]* /// Literal ? /// Any character that is NOT in this class: [#\s], any number of repetitions /// Match expression but don't capture it. [#[\S]*], zero or one repetitions /// #[\S]* /// # /// Any character in this class: [\S], any number of repetitions /// End of line or string |
Example Payload |
Here is an example payloads taken from HTTPrint (http://net-square.com/httprint/) that will trigger this rule. 127.0.0.1 - - [14/Sep/2010:11:51:43 -0400] "\x16\x03" 501 214 TI@aD8CoAWYAAAOFHNMAAACA |
Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs. --1167a167-A-- [14/Sep/2010:11:51:43 --0400] TI@aD8CoAWYAAAOFHNMAAACA 127.0.0.1 51285 127.0.0.1 80 --1167a167-B-- ^V^C --1167a167-F-- --1167a167-H-- Message: Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "34"] [id "960911"] [rev "2.0.8"] [msg "Invalid HTTP Request Line"] [severity "WARNING"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"] Apache-Error: [file "core.c"] [line 3773] [level 3] Invalid method in request \\x16\\x03 Stopwatch: 1284479503453580 43606 (4888 42377 -) Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.8. Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2 --1167a167-Z-- |
Attack Scenarios |
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting Other times, these are caused by poorly written web clients. |
Ease of Attack |
Easy |
Ease of Detection |
Easy with either regular expressions or by monitoring Apache error logging in phase:5 |
False Positives |
None known |
False Negatives |
None known |
Rule Documentation Contributor(s) | |
Additional References |
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 |