
Modsecurity whitelist json ARG


This is the match I get:

against variable `ARGS:json' (Value: `{"j_username": "username", "j_password": "password_with_special_marks", "remember_me": false, "from":  (4 characters omitted)' ) [file "/usr/local/nginx/conf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "509"] [id "942130"]

The password has special marks and it flags it as SQL injection.

I tried whitelisting the rule with both:

SecRuleUpdateTargetById 942130 !ARGS:'j_password'
SecRuleUpdateTargetById 942130 !ARGS:'json'

Neither of them worked. The question is what argument should I take from the match ARGS?


Solution

  • You should match ARGS:json. There are a couple of things to consider here.

    1. SecRuleUpdateTargetById MUST come after the rule. It looks like you're using OWASP CRS 3.x, so this means, ideally, renaming RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf and placing it within there.
    2. Just to be safe I'd follow the guidance put forth by the reference manual https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secruleupdatetargetbyid. The format should be SecRuleUpdateTargetById 12345 "!ARGS:foo". In your case SecRuleUpdateTargetById 942130 "!ARGS:json"
    3. Although it may not be the case, if your entire request is JSON you can tell ModSecurity to process it as such. This is done by default in the recommended ModSecurity configuration (https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended#L25). If just the parameter is JSON, unfortunately ModSecurity is currently not able to process a given parameter at this time. However, protections will still work, just not as ideally as in the aforementioned case.
    4. If this is a well established project such as Drupal, consider using the existing Drupal Exclusions (https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf). These can be enabled by commenting out SecAction 900130 in crs-setup.conf and enabling the Drupal exclusions. Please see the example https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/crs-setup.conf.example#L296.

    Good luck!
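Both exclusion forms as one configuration fragment, added here as an example (not the answer's or the CRS project's own file contents): the global SecRuleUpdateTargetById placement the answer recommends, plus a scoped runtime alternative using the ctl action that goes beyond the answer. The URI /api/login and the local rule id 10001 are assumed placeholders; rule id 942130 and the parameter name json come from the question.

```apacheconf
# --- Option A: goes in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ---
# SecRuleUpdateTargetById must be loaded AFTER the rule it modifies, which is
# why this file (not crs-setup.conf) is the right place. The whole JSON body
# arrives as the single parameter "json", so the target to remove is ARGS:json,
# not ARGS:j_password (that key never exists as a separate ModSecurity ARG).
# Effect: rule 942130 no longer inspects ARGS:json on ANY request.
SecRuleUpdateTargetById 942130 "!ARGS:json"

# --- Option B: goes in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ---
# Runtime exclusion: the target is removed only when the request URI matches
# the login endpoint, so 942130 still checks ARGS:json everywhere else.
# /api/login is an assumed placeholder for your login endpoint; 10001 is a
# locally chosen id in the 1-99,999 range ModSecurity reserves for local rules.
# phase:1 makes it run before the phase:2 SQLi rule it adjusts.
SecRule REQUEST_URI "@beginsWith /api/login" \
    "id:10001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=942130;ARGS:json"
```

Use one option, not both: Option B is the narrower change and keeps SQLi inspection of the json parameter on every other path.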