
05 February 2013

Comments

Hi,

I tried to install modsecurity for IIS on three different servers, IIS 7.0 and IIS 7.5. It worked and modsecurity for IIS began blocking requests, but it blocked way too many requests. The OWASP core rules detected a SQL injection through cookies on nearly every request:

[client 192.168.99.57:63036] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:wt3_eid. [file "C:\/inetpub/wwwroot/owasp_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ; found within REQUEST_COOKIES:wt3_eid: ;977787962413082|2136213050900948904"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "WEBDEV01"] [uri "/"] [unique_id "18374686486114074637"]

and also blocked my advertisers script:

[client 192.168.99.51:49678] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\].*?){4,}" at ARGS:urlAd. [file "C:\/inetpub/wwwroot/owasp_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: & found within ARGS:urlAd: //cloud.instore.net/instore/ia/96214?format_id=1&pt=home&tr=home"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "WEBDEV01"] [uri "/instore/instore-min.html?urlAd=%2F%2Fcloud.instore.net%2Finstore%2Fia%2F96214%3Fformat_id%3D1%26pt%3Dhome%26tr%3Dhome&index=0"] [unique_id "17726168135477755923"]

After deleting my cookies, the cookie injection was solved, but how should I tell all my visitors to delete their cookies?
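The usual defender-side alternative to asking every visitor to clear cookies is to exclude the one variable that is tripping the one rule, rather than disabling the rule. The following Python script is an added example, not code from SpiderLabs, the CRS project or the commenter: it parses the two alert lines quoted above (embedded here in shortened, constructed form) and emits a ModSecurity `SecRuleUpdateTargetById` exclusion for each rule/variable pair, which belongs after the CRS rule includes.

```python
import re
from collections import Counter

# Constructed sample input: the two ModSecurity-for-IIS alert lines quoted in the
# comment above, with the long regex and file path fields shortened to "...".
SAMPLE_LOG = """\
[client 192.168.99.57:63036] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_COOKIES:wt3_eid. [file "..."] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ; found within REQUEST_COOKIES:wt3_eid: ;977787962413082|2136213050900948904"] [severity "CRITICAL"] [hostname "WEBDEV01"] [uri "/"]
[client 192.168.99.51:49678] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:urlAd. [file "..."] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: & found within ARGS:urlAd: //cloud.instore.net/instore/ia/96214?format_id=1&pt=home&tr=home"] [hostname "WEBDEV01"] [uri "/instore/instore-min.html"]
"""

# The variable that matched sits between '" at ' and '. [file "'; the rule id and
# message are bracketed key/value fields further along the line.
TARGET_RE = re.compile(r'" at (?P<target>\S+?)\. \[file "')
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')
MSG_RE = re.compile(r'\[msg "(?P<msg>[^"]*)"\]')


def parse_alerts(log_text):
    """Return a list of (rule_id, target, msg) tuples, one per rule-match line."""
    alerts = []
    for line in log_text.splitlines():
        t, i, m = TARGET_RE.search(line), ID_RE.search(line), MSG_RE.search(line)
        if not (t and i):
            continue  # not a rule-match line, or a format this script does not parse
        alerts.append((i.group("id"), t.group("target"), m.group("msg") if m else ""))
    return alerts


def exclusion_directives(log_text, min_hits=1):
    """Build a per-rule, per-variable exclusion for every (rule, target) pair seen
    at least min_hits times. SecRuleUpdateTargetById removes only that variable
    from that rule, so the rule keeps inspecting every other cookie and argument."""
    hits = Counter((rid, target) for rid, target, _ in parse_alerts(log_text))
    return [
        f'SecRuleUpdateTargetById {rid} "!{target}"'
        for (rid, target), n in sorted(hits.items())
        if n >= min_hits
    ]


if __name__ == "__main__":
    for rid, target, msg in parse_alerts(SAMPLE_LOG):
        print(f"rule {rid} fired on {target}: {msg}")
    print("\n# Candidate exclusions (review each one before adding it after the CRS includes):")
    print("\n".join(exclusion_directives(SAMPLE_LOG)))
```

Raise `min_hits` when running this over a real audit log so that a single odd request does not become a permanent exclusion.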
