This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
ModSecurity CRS RuleID-981227
Rule ID: 981227
| Rule ID |
981227 |
| Rule Message |
Apache Error: Invalid URI in Request |
| Rule Summary |
Identify Invalid URIs Blocked by Apache |
| Impact |
4 - Warning |
| Rule |
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',
logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-
sec3.html#sec3.2.1',tag:'RULE_ACCURACY_LEVEL/5',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},
setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
|
| Detailed Rule Information |
There are some request violations that Apache will handle internally, prior to the ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get visibility by running a check in phase:5 logging to look for the Apache error msg. |
| Example Payload |
Here is an example payloads taken from the access_log: 127.0.0.1 - - [06/May/2011:11:22:24 -0400] "\tGET / HTTP/1.1" 400 226 |
| Example Audit Log Entry |
Include an example ModSecurity Audit Log Entry for when this rule matchs.
--57ae6b4f-A--
[06/May/2011:11:22:24 --0400] TcQSMMCoAWQAAKNEEHMAAAAA 127.0.0.1 62905 127.0.0.1 80
--57ae6b4f-B--
GET / HTTP/1.1
Host: local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
--57ae6b4f-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
--57ae6b4f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
--57ae6b4f-H--
Message: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf"]
[line "51"] [id "981227"] [rev "2.2.0"] [msg "Apache Error: Invalid URI in Request"] [data "[file \x22core.c\x22] [line 3504] [level 3] Invalid URI in request \x5c\x5ctGET / HTTP/1.1"]
[severity "WARNING"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227"] [tag "http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1"]
[tag "RULE_CONFIDENCE_LEVEL/5"]
Apache-Error: [file "core.c"] [line 3504] [level 3] Invalid URI in request \\tGET / HTTP/1.1
Stopwatch: 1304695344229544 6998 (- - -)
Stopwatch2: 1304695344229544 6998; combined=5474, p1=0, p2=0, p3=140, p4=4392, p5=942, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0-rc2 (http://www.modsecurity.org/); core ruleset/2.2.0.
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
|
| Attack Scenarios |
Some malformed URIs are created on purpose as part of HTTP fingerprinting scans - http://projects.webappsec.org/Fingerprinting Other times, these are caused by poorly written web clients. |
| Ease of Attack |
Easy |
| Ease of Detection |
Easy with either regular expressions or by monitoring Apache error logging in phase:5 |
| False Positives |
None known |
| False Negatives |
None known |
| Rule Maturity |
0 |
| Rule Accuracy |
9 |
| Rule Documentation Contributor(s) |
Ryan Barnett - ryan.barnett |
| Additional References |
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 |
