Tags: json, security, sql-injection, owasp, mod-security

Why Modsecurity does not deny SQL injection on JSON payload


I have a web application running behind an Apache/ModSecurity firewall configured with the OWASP CRS.

The following URL is denied by ModSecurity:

GET /login?username=' /*!or*/1=1#

But this one passes the firewall:

POST /login
Body: {"password":"' /*!or*/1=1#"}

Is there a limitation in ModSecurity regarding JSON bodies?

Thanks

UPDATE 1: I have the latest OWASP CRS deployed:

Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips

The rule that was triggered by the GET is 942100 ("msg": "SQL Injection Attack Detected via libinjection"). This rule is the following:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
    "id:942100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.1.1',\
    severity:'CRITICAL',\
    multiMatch,\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

UPDATE 2: Solution: add JSON body parsing to the config:

SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

Note that on CentOS, YAJL is not available in the packaged ModSecurity module; you have to compile it from source to enable JSON support.


Solution

  • ModSecurity has supported JSON parsing of request bodies since version 2.8, but you need to configure it. See more details here: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-advanced-topic-of-the-week-json-support/

    However, ModSecurity is just a framework that processes rules. You have not stated which rule set you are using (OWASP CRS, your own rules, others?) nor which rule fired for the GET request. It could be that it is configured only for GET requests.
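The following is an added example, not code from the original question or answer, that puts the UPDATE 2 rule from the question and the answer's "you need to configure it" into one minimal ModSecurity 2.x configuration fragment. Rule id 200001 is the one the question uses; id 200002 and the anchored Content-Type pattern are additions for this example, and the fragment assumes a ModSecurity build with YAJL support, as the question notes.

```apache
# Added example (not from the original post): minimal ModSecurity 2.x
# configuration that makes a JSON request body visible to ARGS-based rules
# such as CRS 942100. Assumes ModSecurity 2.8+ built with YAJL.

# Request bodies are never read unless body access is on; the JSON
# processor rule below does nothing without this.
SecRequestBodyAccess On

# Select the JSON body processor for bodies declared as JSON. This runs in
# phase 1 (request headers) so the processor is chosen before the body is
# read in phase 2. The default operator is @rx, so the pattern is a regex;
# t:lowercase normalises variants such as "Application/JSON", and the
# anchor (an addition to the question's rule) still allows a trailing
# "; charset=utf-8". Rule id 200001 is the id used in the question.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Optional hardening (illustrative id 200002): reject bodies the processor
# could not parse. Without this, a malformed or truncated JSON body is
# simply not parsed and therefore never reaches any rule that inspects ARGS.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:200002,phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body',logdata:'%{REQBODY_ERROR_MSG}'"
```

Once the JSON processor is active, each parsed field is placed in the ARGS collection under a name prefixed with `json.` (for the body in the question, `ARGS:json.password`). That is why rule 942100, which already lists `ARGS` among its targets, then fires on the POST exactly as it does on the GET: no CRS change is needed, only the body processor selection. To verify, replay the POST from the question with `curl -H 'Content-Type: application/json'` and the same body; it should now be blocked the same way as the GET, and the audit log entry should name `ARGS:json.password` as the matched variable.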