I installed the security2 module on my Apache server with the OWASP ModSecurity base rules by adding the following lines to my httpd.conf:

<IfModule security2_module>
    Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

When I want to access my server via HTTP I get the message: "Forbidden You don't have permission to access / on this server". From the modsec_audit.log it seems that ModSecurity is considering the TOKEN cookie as a MySQL injection attack.

How can I set a rule to make an exception for this TOKEN COOKIE?

Here is the modsec_audit.log

--9e6b1648-A--
[10/Jan/2016:11:22:07 +0200] VpIiv7zUnOQAAH8eXJcAAAAC 109.100.151.192 36756 188.212.156.228 80
--9e6b1648-B--
GET /favicon.ico HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.85 Chrome/45.0.2454.85 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: auto_truck=665mbggj7l46n6cc51625k0a45; TOKEN=9b9a0c249ace9029708ad3809063a288957b7759s%3A40%3A%22616d62d429eb4661476349e50ef9481f578a9776%22%3B

--9e6b1648-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 185
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--9e6b1648-E--

--9e6b1648-H--
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:TOKEN. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \x22; found within REQUEST_COOKIES:TOKEN: 9b9a0c249ace9029708ad3809063a288957b7759s:40:\x22616d62d429eb4661476349e50ef9481f578a9776\x22;"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1452417727004601 2632 (- - -)
Stopwatch2: 1452417727004601 2632; combined=1256, p1=306, p2=894, p3=0, p4=0, p5=55, sr=85, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"

Any help is appreciated. Thanks

sorin
  • You should fix the _code_, so that it does not generate cookies like that. – Michael Hampton Jan 10 '16 at 15:18
  • @MichaelHampton Thanks for the reply!! I already tried that, but even with a simple token (e.g. 123) set in the TOKEN cookie I got the same response. I cleared all the cookies in the browser before retesting. I also disabled the token cookie, and then I got bad HTTP responses on requests for .css and .js files. – sorin Jan 10 '16 at 22:46

1 Answer

Add this line after the line including your base rules to remove this rule checking for that cookie.

SecRuleUpdateTargetById 981318 !REQUEST_COOKIES:TOKEN

And then restart Apache.

Barry Pollard
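
An added example (not part of the answer above and not ModSecurity or CRS code): a Python script that reproduces why the TOKEN cookie from the audit log trips rule 981318, and derives the exclusion directive from the log's Message line. It assumes the rule inspects the URL-decoded cookie value, as the log's "Matched Data" field indicates; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Shortened copy of the "Message:" line from section H of the audit log above.
AUDIT_MESSAGE = (
    'Message: Access denied with code 403 (phase 2). Pattern match "..." '
    'at REQUEST_COOKIES:TOKEN. [file "/etc/httpd/crs/owasp-modsecurity-crs/'
    'base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] '
    '[id "981318"] [rev "2"]'
)
# TOKEN cookie value exactly as sent in section B of the same log entry.
TOKEN_COOKIE = (
    "9b9a0c249ace9029708ad3809063a288957b7759s%3A40%3A%22"
    "616d62d429eb4661476349e50ef9481f578a9776%22%3B"
)

# Rule 981318's pattern from the log, with the \x.. byte escapes written as
# the characters they encode (acute accent, right and left single quote).
RULE_981318 = re.compile("(^[\"'`\u00b4\u2019\u2018;]+|[\"'`\u00b4\u2019\u2018;]+$)")

# Variable name and rule id as they appear in an "Intercepted" message line.
MESSAGE_RE = re.compile(
    r'\bat (?P<target>[A-Z_]+(?::\S+?)?)\. \[file .*?\[id "(?P<id>\d+)"\]'
)


def matched_data(raw_value):
    """URL-decode a cookie value; return what the rule pattern matches, or None."""
    hit = RULE_981318.search(unquote(raw_value))
    return hit.group(0) if hit else None


def exclusion_for(message_line):
    """Build the per-rule, per-variable exclusion directive for one message line."""
    found = MESSAGE_RE.search(message_line)
    if found is None:
        return None  # not an interception message with a target and a rule id
    return "SecRuleUpdateTargetById {id} !{target}".format(**found.groupdict())


if __name__ == "__main__":
    # The serialized token ends in '";', which the pattern's end-of-string branch hits.
    print("matched data:", repr(matched_data(TOKEN_COOKIE)))
    print(exclusion_for(AUDIT_MESSAGE))
```

The directive removes only the TOKEN cookie from rule 981318's targets; every other rule still inspects that cookie, and 981318 still inspects every other variable.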