ModSecurity OWASP CRS 3.3.0 false positives on a Wordpress site



  • The following search queries are blocked by ModSecurity and return a 403 Forbidden error:

    www.example.com/s=zip+someword & www.example.com/s=gzip+someword

    but not www.example.com/s=zip & www.example.com/s=gzip

    The Apache error_log:

    [Sun Jun 20 14:15:51.628805 2021] [:error] [pid 3764:tid 47658554889984] [client xxx.xxx.xxx.xxx:xxxx] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?:^|=)\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\[\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]*(?:s(?:[\\\\\\\\'\\"]*(?:b[\\\\\\\\'\\"]*_[\\\\\\\\'\\"]*r[\\\\\\\\'\\"]*e[\\\\\\\\'\\"]*l[\\\\\\\\' ..." at ARGS:s. [file "/etc/xxx/modsec_vendor_configs/OWASP3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "463"] [id "xxxxxx"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: zip  found within ARGS:s: zip someword"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "example.com"] [uri "/"] [unique_id "xxxxxxx-xxxxxxxxxxxxxxxxxxx"]
    

    How do I make an exception to this ruleset REQUEST-932-APPLICATION-ATTACK-RCE.conf to allow the above queries? I'm not RegEx savvy, and I don't know how to read it.



  • The Remote Command Execution rule with the rule id 932150 is triggered by a Unix command followed by whitespace. Therefore zip+ and gzip+ trigger the rule, but not zip and gzip alone.

    You can tune this rule by partially disabling it for your search input field s. You can write the following tuning rule after your include of the CRS rules in the Apache conf:

    SecRuleUpdateTargetById 932150 "!ARGS:s"
    

    With this rule above you remove the check of the argument s from this RCE rule 932150.

    A complete guide on how to handle false positives can be found here: https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
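    As an added configuration example (not part of the original answer), the global exclusion from the answer next to a narrower runtime exclusion that lifts the check on ARGS:s only for GET requests that actually carry the search parameter. The file path and the rule id 10001 are assumptions.

```apache
# /etc/apache2/modsecurity.d/crs-tuning.conf   (path is an assumption)

# 1) Configure-time exclusion, exactly as in the answer above. It must
#    come AFTER the Include of the CRS rules, because it edits a rule
#    that has to exist already. It removes ARGS:s from rule 932150 for
#    every request on every URL.
SecRuleUpdateTargetById 932150 "!ARGS:s"

# 2) Narrower alternative (use one or the other, not both): a runtime
#    exclusion that drops ARGS:s from 932150 only for GET requests that
#    carry the WordPress search parameter s. Rule id 10001 is an
#    assumption; pick any id outside the CRS 900000-999999 range.
#    Runtime (ctl) exclusions belong BEFORE the CRS Include, e.g. in
#    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
#    "&ARGS:s" counts how many s arguments the request has.
SecRule REQUEST_METHOD "@streq GET" \
    "id:10001,phase:1,pass,nolog,chain"
    SecRule &ARGS:s "@gt 0" \
        "ctl:ruleRemoveTargetById=932150;ARGS:s"

# With either variant every other rule, and every other argument, is
# still inspected: the same "zip someword" text in a different
# parameter still matches 932150 on that parameter.
```

    Run `apachectl configtest` after editing and retry the search from the question; the 403 should disappear while the rule still fires on other parameters.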


