
I have installed mod_security with the OWASP rule set and it is now blocking my ability to call a web service using a WSDL. When my code tries to make the web service call, I see the below in the mod sec audit log (domains, IPs and file names have been obscured for protection). The wsdl file resides on my local server so my question is: Is there a way to allow just this WSDL or something of the sort? I really don't want to entirely disable mod_security.

Thank you!

--76a2f126-A--
[05/Aug/2014:02:57:12 +0000] U@BICH8AAAEAAAkVDPwAAAAH x.x.x.x 45488 x.x.x.x 443
--76a2f126-B--
GET /WebService.wsdl HTTP/1.1
Host: demo.example.com
Connection: close

--76a2f126-F--
HTTP/1.1 403 Forbidden
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

--76a2f126-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /WebService.wsdl
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

--76a2f126-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Stopwatch: 1407207432020557 41964 (- - -)
Stopwatch2: 1407207432020557 41964; combined=190, p1=116, p2=44, p3=0, p4=0, p5=30, sr=28, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

2 Answers


You could turn off mod_security for that directory

Modify your vhost with

<Directory /path/to/dir>
  SecRuleEngine Off
</Directory>

You could also whitelist your IP by adding this to the modsec conf file

SecRule REMOTE_ADDR "^XX.XX.XX.XX" phase:1,nolog,allow,id:999999999,ctl:ruleEngine=off
Thanks! I moved the WSDL to a sub folder and created the exemption within the vhost for that folder. That seemed to do the trick. Appreciate the help! – Jason Aug 06 '14 at 19:33

What makes sense for you will depend on your requirements. Telling ModSecurity not to validate that directory at all can save you some compute cycles if you're very confident that it doesn't need any additional protection, and for a GET on a static file, that's probably fine. In my case, the WSDL (and other things) are dynamic, and I ran into the same rule violations when trying to invoke the service but wanted to keep ModSecurity in place for service calls, so I went the other way. The rules that were being triggered for me turned out to be due to the client (which was WCF) not supplying all of the standard HTTP headers, and since it wouldn't be providing them in normal usage, I went ahead and suppressed just those rules (specifically, the requirements for accept and user agent headers), like so:

SecRule REQUEST_URI "@beginsWith /path/to/service" "id:ruleidhere,t:none,nolog,pass, \
  ctl:ruleRemoveByTag=OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT, \
  ctl:ruleRemoveByTag=OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA"

Not sure if that applies to your case, but it's an alternative that keeps the protection as intact as possible. HTH
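As an added example (not from the question or either answer): a small Python parser for the serial audit-log format shown in the question that pulls the matched rule id, message and tags out of each section-H `Message:` line, then builds the per-URI tag exemption the second answer describes from the CRS tags that actually fired. The sample log, the path prefix and the rule id 10001 are constructed placeholders; review the generated rule before deploying it.

```python
import re

# Constructed sample in the shape of the ModSecurity 2.x serial audit log from the
# question (sections B and H of one transaction); not a real capture.
SAMPLE_AUDIT_LOG = """\
--76a2f126-B--
GET /WebService.wsdl HTTP/1.1
Host: demo.example.com

--76a2f126-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"]
--76a2f126-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)  # boundary: --<txn id>-<part>--
FIELD_RE = re.compile(r'\[([a-z]+) "([^"]*)"\]')             # [key "value"] pairs


def parse_audit_log(text):
    """Return one dict per transaction: the request line and the rules that fired."""
    transactions = {}
    parts = SECTION_RE.split(text)  # [prefix, txn_id, part, body, txn_id, part, body, ...]
    for i in range(1, len(parts), 3):
        txn_id, part, body = parts[i], parts[i + 1], parts[i + 2]
        txn = transactions.setdefault(txn_id, {"request": None, "hits": []})
        if part == "B":  # request headers; first line is the request line
            txn["request"] = body.strip().splitlines()[0]
        elif part == "H":  # audit trailer; one "Message:" line per matched rule
            for line in body.splitlines():
                if line.startswith("Message:"):
                    hit = {"tags": []}
                    for key, value in FIELD_RE.findall(line):
                        if key == "tag":
                            hit["tags"].append(value)
                        else:
                            hit[key] = value
                    txn["hits"].append(hit)
    return list(transactions.values())


def exemption_rule(path_prefix, hits, rule_id):
    """Build the narrow SecRule from the second answer: for one URI prefix only, remove
    the CRS rules whose tags fired. rule_id is a placeholder; use a free id of your own."""
    tags = sorted({t for h in hits for t in h["tags"] if t.startswith("OWASP_CRS/")})
    if not tags:
        return None  # nothing CRS-tagged fired, so there is nothing to exempt
    ctl = ",".join("ctl:ruleRemoveByTag=" + t for t in tags)
    # phase:1 so the ctl takes effect before the phase-2 CRS rules are evaluated
    return (f'SecRule REQUEST_URI "@beginsWith {path_prefix}" '
            f'"id:{rule_id},phase:1,t:none,nolog,pass,{ctl}"')
```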