I've had ModSecurity and the Core OWASP Rule Set ver.2.2.5 installed for some months now, but a JSON endpoint on the site has recently stopped responding, and the Apache log gets the following:
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "36"] [id "981060"] [msg "Warning - Sticky SessionID Data Changed - User-Agent Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Operator EQ matched 2 at TX:sticky_session_anomaly. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "37"] [id "981061"] [msg "Possible Session Hijacking - IP Address and User-Agent Mismatch."] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/json"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "************"] [uri "/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]
I'm new to mod_security and the OWASP rules (I basically followed the guide here), but as I understand it, rules are scored, and if a request passes a threshold, it's nuked. I assume this is what I'm seeing here.
The final one is the one that concerns me - "application/json" should certainly be allowed. From looking at /etc/modsecurity/modsecurity_crs_10_setup.conf, I see:
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'
My questions are:
1. Can I just add application/json in here to make the error go away?
2. Is that the correct way to do it?
Yes, you can, so it reads like this:
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'
Yes, that is the correct way of doing this.
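To see why the edit works, the following added Python example (not part of the question or answer, and not CRS code) models rule 960010 as the log line describes it: the media type is captured from the Content-Type header into TX:0 (the [data "application/json"] value in the log), then matched against rx ^%{tx.allowed_request_content_type}$. It reads the allowed list straight out of the setvar line, before and after the change; the capture regex ^([^;\s]+) for the first stage is assumed from CRS 2.2.x behaviour, and the Content-Type values below are constructed.

```python
import re

# Constructed: the setvar line from modsecurity_crs_10_setup.conf, before and after adding application/json.
SETVAR_BEFORE = ("setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded"
                 "|multipart/form-data|text/xml|application/xml|application/x-amf'")
SETVAR_AFTER = ("setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded"
                "|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'")

SETVAR_RE = re.compile(r"setvar:'tx\.allowed_request_content_type=([^']*)'")


def allowed_types(setvar_line: str) -> str:
    """Return the alternation that ModSecurity expands for %{tx.allowed_request_content_type}."""
    m = SETVAR_RE.search(setvar_line)
    if not m:
        raise ValueError("no tx.allowed_request_content_type setvar in this line")
    return m.group(1)


def media_type(content_type_header: str):
    """First stage of rule 960010 (assumed capture ^([^;\\s]+)): keep the media type,
    drop parameters such as '; charset=utf-8'. This is what lands in TX:0."""
    m = re.match(r"^([^;\s]+)", content_type_header)
    return m.group(1) if m else None


def content_type_allowed(content_type_header: str, setvar_line: str) -> bool:
    """Second stage of rule 960010 exactly as the log shows it:
    rx ^%{tx.allowed_request_content_type}$ against TX:0.
    Note the alternation is not wrapped in a group, so '^' binds to the first
    alternative and '$' to the last, just as in the CRS rule being mirrored."""
    tx0 = media_type(content_type_header)
    if tx0 is None:
        return False  # no usable media type: policy rule fires
    pattern = "^" + allowed_types(setvar_line) + "$"
    return re.search(pattern, tx0) is not None


if __name__ == "__main__":
    for header in ("application/json", "application/json; charset=utf-8", "text/plain"):
        print(f"{header!r}: before={content_type_allowed(header, SETVAR_BEFORE)} "
              f"after={content_type_allowed(header, SETVAR_AFTER)}")
```

The JSON endpoint with a charset parameter on its Content-Type is also accepted after the change, because the parameter is stripped before the policy match, while unrelated types such as text/plain still trigger the rule.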