我通过向 httpd.conf 中添加以下几行,将 security2 模块安装到带有 owasp mod security base 规则的 apache 服务器中:
<IfModule security2_module>
Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>
当我想通过 http 访问我的服务器时,我收到消息:“禁止访问,您无权访问此服务器上的 /”。从 modsec_audit.log 来看,mod security 似乎将 cookie 令牌视为 mysql 注入攻击。
我如何设置规则以针对此 TOKEN COOKIE 做出例外处理?
这是 modsec_audit.log
--9e6b1648-A--
[10/Jan/2016:11:22:07 +0200] VpIiv7zUnOQAAH8eXJcAAAAC 109.100.151.192 36756 188.212.156.228 80
--9e6b1648-B--
GET /favicon.ico HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.85 Chrome/45.0.2454.85 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: auto_truck=665mbggj7l46n6cc51625k0a45; TOKEN=9b9a0c249ace9029708ad3809063a288957b7759s%3A40%3A%22616d62d429eb4661476349e50ef9481f578a9776%22%3B
--9e6b1648-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 185
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--9e6b1648-E--
--9e6b1648-H--
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:TOKEN. [file "/etc/httpd/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \x22; found within REQUEST_COOKIES:TOKEN: 9b9a0c249ace9029708ad3809063a288957b7759s:40:\x22616d62d429eb4661476349e50ef9481f578a9776\x22;"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1452417727004601 2632 (- - -)
Stopwatch2: 1452417727004601 2632; combined=1256, p1=306, p2=894, p3=0, p4=0, p5=55, sr=85, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"
任何帮助都值得感激。谢谢
答案1
在包含基本规则的行后添加此行,以删除针对该 cookie 的规则检查。
SecRuleUpdateTargetById 981318 !REQUEST_COOKIES:TOKEN
然后重新启动 Apache。