Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problem about proxy action #3170

Open
prince-java opened this issue Jun 12, 2024 · 7 comments
Open

Problem about proxy action #3170

prince-java opened this issue Jun 12, 2024 · 7 comments
Labels
2.x Related to ModSecurity version 2.x Platform - Apache

Comments

@prince-java
Copy link

prince-java commented Jun 12, 2024

Describe the bug

I find a problem about proxy action.
If access a specified webpage file, such as "http://a.com/a/index.html", it can be successfully forwarded.
If access a directory, such as "http://a.com/a/", the error_log can log the url will be forwarded, but actually it cannot be forwarded.

Logs and dumps

[Wed Jun 12 11:04:12.784758 2024] [security2:error] [pid 97647:tid 139691269490432] [client 10.16.18.12:49131] [client 10.16.18.12] ModSecurity: Access denied using proxy to (phase 2) http://www.test1.com/a/index.html. detected XSS using libinjection. [file "/www/server/apache/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.test.com"] [uri "/a/index.html"] [unique_id "ZmkQLMRnhk_2RbFR9ZGHggAAAJI"]

[Wed Jun 12 11:05:46.047957 2024] [security2:error] [pid 97790:tid 139691286275840] [client 10.16.18.12:49213] [client 10.16.18.12] ModSecurity: Access denied using proxy to (phase 2) http://www.test1.com/a/. detected XSS using libinjection. [file "/www/server/apache/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.test.com"] [uri "/a/"] [unique_id "ZmkQijzeTyiVCq1qyoYiawAAANA"]

To Reproduce

Steps to reproduce the behavior:
curl http://www.test.com/a/index.html?id=<script>
curl http://www.test.com/a/?id=<script>

Expected behavior

If access a directory, it also can be forwarded.

Server (please complete the following information):

  • ModSecurity version (and connector): ModSecurity v2.9.7
  • WebServer: Apache 2.4.58
  • OS (and distro): CentOS 7.9.2009 x86_64

Rule Set (please complete the following information):

  • Running any public or commercial rule set? OWASP CRS
  • What is the version number? ver.4.4.0-dev

Additional context

The SecDefaultAction configuration is as follows:
SecDefaultAction "phase:1,log,noauditlog,proxy:'[nocanon]http://www.test1.com%{REQUEST_FILENAME}'"
SecDefaultAction "phase:2,log,noauditlog,proxy:'[nocanon]http://www.test1.com%{REQUEST_FILENAME}'"

@prince-java prince-java added the 2.x Related to ModSecurity version 2.x label Jun 12, 2024
@marcstern
Copy link

Hello.
Can you explain what exactly means "it cannot be forwarded"?
Please set "LogLevel Debug" in httpd.conf and join the error log.

As a side-note, your implementation of forwarding is highly under-performant.
You should have a ProxyPass directive to perform the proxying, not using the "proxy:" action which is intended for exceptions and doesn't use traditional (optimized) pools of connections.

@prince-java
Copy link
Author

prince-java commented Jun 13, 2024

mod_debug.txt

Hello. Can you explain what exactly means "it cannot be forwarded"? Please set "LogLevel Debug" in httpd.conf and join the error log.

As a side-note, your implementation of forwarding is highly under-performant. You should have a ProxyPass directive to perform the proxying, not using the "proxy:" action which is intended for exceptions and doesn't use traditional (optimized) pools of connections.

If access a specified webpage file, such as "http://a.com/a/index.html",the error_log can log the request will be forwarded, and also the request was successfully forwarded to the honeypot server.
If access a directory, such as "http://a.com/a/", the error_log can log the url will be forwarded, but actually the request is still being executed by the current server, the response returns the HTML of the current server.

I have uploaded the debug log, at the same time I found a clear difference in the debug log between accessing a specified webpage and a directory.
When access "http://www.test.com/a/?id=%3Cscript%3E", the debug log fragments are as follows:
Output filter: Bucket type MMAP contains 923 bytes
When access "http://www.test.com/a/index.html?id=%3Cscript%3E", the debug log fragments are as follows:
Output filter: Bucket type HEAP contains 922 bytes

@marcstern
Copy link

MMAP is because the file is read locally, it's normal.
I need the httpd error log, not mod_security2 debug log.

@prince-java
Copy link
Author

MMAP is because the file is read locally, it's normal. I need the httpd error log, not mod_security2 debug log.

www.test.com-error_log.txt
Here is the httpd error log.

@marcstern
Copy link

Can I have your complete config (sanitized if needed)?

@prince-java
Copy link
Author

Can I have your complete config (sanitized if needed)?

httpd.zip

@marcstern
Copy link

marcstern commented Jul 22, 2024

Some conf files are missing, I cannot see the default action for example. Can you please send them all.
I need this because it seems you have a loop: in case of a rule blocking, you proxy the request to the same server. So /a/ is blocked, proxied to /a/ and resolved to /a/index.html.
Can you ensure you forward the request to another server (not on the same machine)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2.x Related to ModSecurity version 2.x Platform - Apache
Projects
None yet
Development

No branches or pull requests

2 participants