我正在尝试让 ModSecurity 2.7.1 与 ASP.NET MVC 3 网站配合使用。安装运行没有错误,查看事件日志,ModSecurity 已成功启动。我正在使用该modsecurity.conf-recommended文件来设置基本规则。
我遇到的问题是,每当我发布一些表单数据时,它都无法传递到控制器操作(或模型绑定)。
我已SecRuleEngine设置为DetectionOnly。
我已SecRequestBodyAccess设置为On。
使用这些设置,POST 的主体永远不会到达控制器操作。如果我设置SecRequestBodyAccess为Off,它会起作用,所以这肯定与如何ModSecurity转发主体数据有关。ModSecurity调试显示以下内容(在我看来好像全部通过了):
Second phase starting (dcfg 94b750).
Input filter: Reading request body.
Adding request argument (BODY): name "[0].IsSelected", value "on"
Adding request argument (BODY): name "[0].Quantity", value "1"
Adding request argument (BODY): name "[0].VariantSku", value "047861"
Adding request argument (BODY): name "[1].Quantity", value "0"
Adding request argument (BODY): name "[1].VariantSku", value "047862"
Input filter: Completed receiving request body (length 115).
Starting phase REQUEST_BODY.
Recipe: Invoking rule 94c620; [file "*********************"] [line "54"] [id "200001"].
Rule 94c620: SecRule "REQBODY_ERROR" "!@eq 0" "phase:2,auditlog,id:200001,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:%{reqbody_error_msg},severity:2"
Transformation completed in 0 usec.
Executing operator "!eq" with param "0" against REQBODY_ERROR.
Operator completed in 0 usec.
Rule returned 0.
Recipe: Invoking rule 5549c38; [file "*********************"] [line "75"] [id "200002"].
Rule 5549c38: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,id:200002,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_MISSING_SEMICOLON}, IQ %{MULTIPART_INVALID_QUOTING}, IP %{MULTIPART_INVALID_PART}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
Transformation completed in 0 usec.
Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
Operator completed in 0 usec.
Rule returned 0.
Recipe: Invoking rule 554bd70; [file "********************"] [line "80"] [id "200003"].
Rule 554bd70: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,id:200003,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
Transformation completed in 0 usec.
Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
Operator completed in 0 usec.
Rule returned 0.
Recipe: Invoking rule 554cbe0; [file "*********************************"] [line "94"] [id "200004"].
Rule 554cbe0: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,id:200004,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
Rule returned 0.
Hook insert_filter: Adding input forwarding filter (r 5541fc0).
Hook insert_filter: Adding output filter (r 5541fc0).
Initialising logging.
Starting phase LOGGING.
Recording persistent data took 0 microseconds.
Audit log: Ignoring a non-relevant request.
我在 Fiddler 中没有看到任何异常。我ViewModel在操作的参数中使用了。如果SecRequestBodyAccess设置为,则不绑定任何数据On。我甚至通过 log4net 记录了所有 Request.Form.Keys 和值,但也没有在那里获取任何值。
我开始怀疑它是否真的适用于 ASP.NET MVC,或者是否存在与http 模块和模型绑定之间ModSecurity的冲突。ModSecurity
有谁有什么建议或者可以确认他们已将 ModSecurity 与 ASP.NET MVC 网站配合使用?
答案1
我针对此问题提交了一个错误报告,目前该问题已在 modsecurity 2.7.2 中修复。 https://www.modsecurity.org/tracker/browse/MODSEC-371
答案2
所以,我参加这个聚会晚了几年,但是我现在正在解决类似的问题,并想分享我的发现。
这实际上不是一个 MVC 问题。它可能可能是 IIS 问题,但类似的事情似乎影响了 NGINX(基于此:https://github.com/SpiderLabs/ModSecurity/issues/664) 并且,它似乎仍然是通过 Web 平台安装程序实用程序安装的 ModSecurity 版本和 Azure AppService 中自动提供的版本中的一个问题,因此,如果有可用的补丁,它可能还没有被广泛部署。
基于 (https://github.com/SpiderLabs/ModSecurity/issues/562),我一直在设置:
SecStreamInBodyInspection On
..允许 POST 主体通过,但我没有发现任何明确的迹象表明为什么。这有点令人不安,因为我也不确定可能会有什么缺点(如果有的话),但魔法似乎有效。
有趣的是,ModSecurity 的 OWASP CRS 规则设置了 SecRequestBodyInspection 但没有设置 SecStreamInBodyInspection,这表明这个错误不会影响所有主机,但它绝对是 IIS 用户的一个陷阱。
高血压