mod_security: disable cookie verification causing SQLI false positive

Question

I'm trying to configure mod_security on CentOS 7 for apache2.4 with the OWASP ruleset. The thing is my web app generates a cookie with -- characters and it gets flagged as an SQLI. I read the following article how to whitelist a certain cookie string in ModSecurity to try and disable the guilty cookie but I had no luck with that : I still get a 403 forbidden.

What I tried was to add to my whitelist.conf (in the modsecurity.d/ folder) the following rule: SecRuleUpdateTargetByMsg "SQL Comment Sequence Detected." !REQUEST_COOKIES:/^*Titlebox* (on the same line ofc):

I get a 403 forbidden if the cookie is present. I tried to create a file as indicated in the article and added the rule to a /etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_61_customrules.conf file and still nothing:I get blocked.

It's problematic since this cookie is legit. Did the way to fix that problem change in the current version of mod_security ? Or I'm still doing things wrong ? Thanks for your help.

edit:

With the rule per ID looking like this: SecRuleUpdateTargetById 981172 !REQUEST_COOKIES_NAMES:/^TitleBox/ It works

With the one per Message like this: SecRuleUpdateTargetByMsg "SQL Comment Sequence Detected." !REQUEST_COOKIES_NAMES:/^TitleBox It does not work and still blocks my cookie

Answer 1

The question you linked to was about whitelisting rule 981231 which looks like this:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'8',accuracy:'8',\
id:'981231',t:none,t:urlDecodeUni,block,\
msg:'SQL Comment Sequence Detected.'\
,severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

You are trying to whitelist 981172 which looks like this:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,\
id:'981172',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',\
msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',\
capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

As you can see the message is different for this rule, so you are whitelisting the wrong message. Hence why it is not working for you.