I have an web application running behind an apache/modsecurity firewall configured with OWASP CRS.
The following URL is deny by Modsecurity:
GET /login?username=' /*!or*/1=1#
But this one pass the firewall:
POST /login
Body: {"password":"' /*!or*/1=1#"}
Is there a limitation on Modsecurity about JSON Body?
Tx
UPDATE 1: I have the latest OWASP CSR deployed:
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
The rule that was triggered with the GET is 942100("msg": "SQL Injection Attack Detected via libinjection"). This rules is the following:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
"id:942100,\
phase:2,\
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
msg:'SQL Injection Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.1.1',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
UPDATE 2: Solution: Add JSON body parsing in conf:
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
Pay attention that in Centos, YAJL is not available within the packaged modsecurity module, you have to compile it from source to enable JSON support.
