3

I have installed ModSecurity in an Apache server and am using it as a reverse proxy to forward requests to a NodeJS application.

I have followed this tutorial to configure ModSecurity in Apache, https://www.atlantic.net/vps-hosting/securing-your-apache-web-server-with-mod-security/

I then enabled SecRuleEngine and set its value to On.

Upon starting the NodeJS application and the Apache server with ModSecurity, I can see that requests are routed to the NodeJS application.

However, the NodeJS application is adding #/ at the end of the domain, i.e. it becomes http://test.com/#/

SQLi

I tried performing SQLi by simply running ' or 1=1; -- for Username in a login field. This is blocked by ModSecurity and I get a Forbidden page.

XSS

When I visit,

http://test.com/#/%3Cscript%3Ealert(%E2%80%98XSS%E2%80%99)%3C/script%3E

ModSecurity doesn't block it. However, if I remove #/ and visit

http://test.com/%3Cscript%3Ealert(%E2%80%98XSS%E2%80%99)%3C/script%3E

ModSecurity blocks it.

Can someone please help me understand how to use ModSecurity when NodeJS adds #/ to the URL?

cookiejar1
  • 31
  • 1

1 Answer

9

A URI fragment is never actually sent to the server by a well-behaved client; it's only meant to be processed client-side, where Apache and ModSecurity can't see it.

The fragment identifier functions differently to the rest of the URI: its processing is exclusively client-sided with no participation from the web server, though the server typically helps to determine the MIME type, and the MIME type determines the processing of fragments. When an agent (such as a web browser) requests a web resource from a web server, the agent sends the URI to the server, but does not send the fragment. Instead, the agent waits for the server to send the resource, and then the agent processes the resource according to the document type and fragment value.

URI fragment - Wikipedia

Because of this it wouldn't really be possible to perform SQLi using a URI fragment (except maybe by a badly-behaved client and a poorly-programmed server).

Alexander O'Mara
  • 8,774
  • 6
  • 34
  • 38
  • Thank you for your response. What do you mean by "it wouldn't really be possible to perform SQLi using a URI fragment"? I can indeed perform SQLi if ModSecurity is disabled. I am testing it on https://github.com/bkimminich/juice-shop. When I enable ModSecurity I can still trigger XSS but SQLi is blocked. – cookiejar1 Dec 26 '20 at 07:00
  • 5
    @cookiejar1 Like I said, a URI fragment simply isn't sent to the server by any well-behaved client, and you can't do SQLi client-side. – Alexander O'Mara Dec 26 '20 at 07:09
  • 1
    Might also be a well-behaved client executing the JavaScript of an SPA that explicitly takes the hash value out of the URL and sends it to the server in the body of a request. But of course you're right, the original request doesn't contain them. – Bergi Dec 26 '20 at 15:24
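An added illustration of the answer and of Bergi's caveat, not code from the question, the answer, or the juice-shop project: it takes the two URLs from the question and separates what a well-behaved client puts in the HTTP request line (path and query, which the Apache proxy and ModSecurity see) from what stays in the browser (the fragment). It assumes Node.js with the WHATWG URL API; the "SPA request" is a constructed model object, not a real HTTP request, showing that once application JavaScript copies the fragment into a request body the payload does cross the proxy.

```javascript
// Added example (not from the question or answer). Requires only the WHATWG
// URL API, available in Node.js and browsers.

// What a well-behaved client transmits in the request line: path + query.
// Everything from '#' onward (the fragment) is never sent, so a reverse
// proxy or WAF in front of the app cannot inspect it.
function requestTarget(urlString) {
  const url = new URL(urlString);
  return url.pathname + url.search;
}

// What client-side code (an SPA router) can read: the decoded fragment.
// url.hash keeps the leading '#'; the route is whatever follows it.
function clientSideFragment(urlString) {
  const raw = new URL(urlString).hash.slice(1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    // Malformed percent-encoding: return it undecoded rather than throw.
    return raw;
  }
}

// Bergi's caveat: if the SPA's JavaScript copies the fragment into a request
// body, that request does reach the server, and a WAF can inspect the body.
// This models such a request as a plain object (constructed, not sent).
function spaRequestFromFragment(urlString) {
  return {
    method: "POST",
    target: requestTarget(urlString),
    body: JSON.stringify({ route: clientSideFragment(urlString) }),
  };
}

// Constructed sample URLs mirroring the question (the quotes around XSS are
// the percent-encoded U+2018/U+2019 from the original URLs).
const withFragment =
  "http://test.com/#/%3Cscript%3Ealert(%E2%80%98XSS%E2%80%99)%3C/script%3E";
const withoutFragment =
  "http://test.com/%3Cscript%3Ealert(%E2%80%98XSS%E2%80%99)%3C/script%3E";

console.log("server sees (with #/):   ", requestTarget(withFragment));
console.log("server sees (without #/):", requestTarget(withoutFragment));
console.log("browser-only fragment:   ", clientSideFragment(withFragment));
console.log("SPA body crossing proxy: ", spaRequestFromFragment(withFragment).body);
```

With #/ present the proxy receives a request for "/" and nothing else, which is why ModSecurity has nothing to match; without it the encoded script tag is in the path and the rules fire. The last line shows the one case where a fragment-borne payload becomes inspectable: after client-side code has moved it into a request.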