158 lines
6.8 KiB
Plaintext
158 lines
6.8 KiB
Plaintext
# ------------------------------------------------------------------------
|
|
# OWASP CRS ver.4.24.0-dev
|
|
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
|
# Copyright (c) 2021-2026 CRS project. All rights reserved.
|
|
#
|
|
# The OWASP CRS is distributed under
|
|
# Apache Software License (ASL) version 2
|
|
# Please see the enclosed LICENSE file for full details.
|
|
# ------------------------------------------------------------------------
|
|
|
|
#
|
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
|
#
|
|
|
|
# This file is to address the 3UWMWA6W vulnerability.
|
|
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
|
|
# of the security fixes in these versions) or a compatible engine supporting these changes.
|
|
#
|
|
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
|
|
# In that case, you can temporarily delete this file. However, you will be missing
|
|
# protection from these rules. Therefore, we recommend upgrading your engine instead.
|
|
|
|
# The rules in this file will be part of the 920 / 921 in the future.
|
|
|
|
# Only allow specific charsets when using "_charset_"
|
|
# Note: this is in phase:2 because these are headers that come in the body
|
|
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
|
|
"id:922100,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,\
|
|
msg:'Multipart content type global _charset_ definition is not allowed by policy',\
|
|
logdata:'Matched Data: %{ARGS._charset_}',\
|
|
tag:'application-multi',\
|
|
tag:'language-multi',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-multipart-header',\
|
|
tag:'paranoia-level/1',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
tag:'capec/1000/255/153',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
|
|
chain"
|
|
SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
|
|
"t:lowercase,\
|
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
|
|
# Only allow specific charsets same as Rule 920600
|
|
# Note: this is in phase:2 because these are headers that come in the body
|
|
#
|
|
# How do these rules work:
|
|
# * rule 922140 sets the multipart counter TX variable to 0
|
|
# note that this is why does not matter if more parts have the same name - see rule's test
|
|
# * rule 922150 collects all multipart headers' 'Content-Type' value
|
|
# eg. 'text/plain; charset=utf-8'
|
|
# * rule 922110 checks all the collected headers' content type and charset
|
|
#
|
|
SecRule &MULTIPART_PART_HEADERS "@gt 0" \
|
|
"id:922140,\
|
|
phase:2,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'attack-multipart-header',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.multipart_headers_content_counter=0'"
|
|
|
|
SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
|
|
"id:922150,\
|
|
phase:2,\
|
|
pass,\
|
|
capture,\
|
|
t:none,t:lowercase,\
|
|
nolog,\
|
|
tag:'attack-multipart-header',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
|
|
setvar:'tx.multipart_headers_content_counter=+1'"
|
|
|
|
# Regular expression generated from regex-assembly/922110.ra.
|
|
# To update the regular expression run the following shell script
|
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
# crs-toolchain regex update 922110
|
|
SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
|
|
"id:922110,\
|
|
phase:2,\
|
|
block,\
|
|
capture,\
|
|
t:none,t:lowercase,\
|
|
msg:'Illegal MIME Multipart Header content-type: charset parameter',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\
|
|
tag:'application-multi',\
|
|
tag:'language-multi',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-multipart-header',\
|
|
tag:'attack-protocol',\
|
|
tag:'paranoia-level/1',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
tag:'capec/272/220',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
|
|
# Note: this is in phase:2 because these are headers that come in the body
|
|
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
|
|
"id:922120,\
|
|
phase:2,\
|
|
block,\
|
|
capture,\
|
|
t:none,t:lowercase,\
|
|
msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
|
|
logdata:'Matched Data: %{TX.0}',\
|
|
tag:'application-multi',\
|
|
tag:'language-multi',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-multipart-header',\
|
|
tag:'attack-deprecated-header',\
|
|
tag:'paranoia-level/1',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
tag:'capec/272/220',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
# Multipart header names can't contain any characters outside of range 33 and 126,
|
|
# excluding 58 (':') which is the separator.
|
|
# RFC 2045 refers RFC 822 about the header syntax.
|
|
# Note: this is in phase:2 because these are headers that come in the body
|
|
SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
|
|
"id:922130,\
|
|
phase:2,\
|
|
block,\
|
|
capture,\
|
|
t:none,t:lowercase,\
|
|
msg:'Multipart header contains characters outside of valid range',\
|
|
logdata:'Matched Data: %{TX.0}',\
|
|
tag:'application-multi',\
|
|
tag:'language-multi',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-multipart-header',\
|
|
tag:'paranoia-level/1',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/MULTIPART-ATTACK',\
|
|
tag:'capec/272/220',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|