8000 false positive: REQUEST-932-APPLICATION-ATTACK-RCE.conf · Issue #4110 · coreruleset/coreruleset · GitHub

false positive: REQUEST-932-APPLICATION-ATTACK-RCE.conf #4110


Open
tonychuuy opened this issue Apr 30, 2025 · 4 comments · May be fixed by #4111

Comments

@tonychuuy

Description

I don't know if this counts as a false positive (I'm new to using this software), or if I need to add an exclusion.
The error occurs because of this `| SELF` in an input field which is free to use any character.

(Value: `Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1 (42 characters omitted)'

How to reproduce the misbehavior (-> curl call)

curl -v -X POST http://localhost \
    -H "Content-Type: application/json" \
    -d '{ "name": "text | SELF " }'

Logs

{
  "transaction": {
    "client_ip": "",
    "time_stamp": "Tue Apr 29 22:23:29 2025",
    "client_port": "",
    "host_ip": "",
    "host_port": "",
    "unique_id": "",
    "request": {
      "method": "POST",
      "http_version": 2.0,
      "uri": ""
    },
    "response": {
      "http_code": 403
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.14 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.13.0\""
      ]
    },
    "messages": [
      {
        "message": "Remote Command Execution: Unix Command Injection (command without evasion)",
        "details": {
          "match": "Matched \"Operator `Rx' with parameter `(?i)(?:b[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$ (9409 characters omitted)' against variable `ARGS:json.transacciones.array_1.descripcion' (Value: `Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1 (42 characters omitted)' )",
          "reference": "o72,7v39,142o72,7v39,142o72,7v39,142",
          "ruleId": "932235",
          "file": "/usr/local/coreruleset-4.13.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
          "lineNumber": "183",
          "data": "Matched Data: | SELF  found within ARGS:json.transacciones.array_1.descripcion: Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M12X30, 477C4A84-05B6-11F0-AB76-87F605D52A8D",
          "severity": "2",
          "ver": "OWASP_CRS/4.13.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-shell",
            "platform-unix",
            "attack-rce",
            "paranoia-level/1",
            "OWASP_CRS",
            "OWASP_CRS/ATTACK-RCE",
            "capec/1000/152/248/88",
            "PCI/6.5.2"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 15)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/usr/local/coreruleset-4.13.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.13.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}

Your Environment

  • CRS version (e.g., v3.3.4): OWASP_CRS/4.13.0
  • Paranoia level setting (e.g. PL1) : paranoia-level/1 PL1
  • ModSecurity version (e.g., 2.9.6): v3.0.14 (Linux)
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): nginx-1.27.4
  • Operating System and version: Debian 12

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@theseion
Contributor

Thanks @tonychuuy. This looks like a typical issue with free text in JSON payloads. We'll take a look.

@franbuehler
Contributor

You can add an exclusion to resolve this false positive. You can put the following tuning rule AFTER your CRS include:

SecRuleUpdateTargetById 932235 !ARGS:json.transacciones.array_1.descripcion

@tonychuuy
Author

> You can add an exclusion to resolve this false positive. You can put the following tuning rule AFTER your CRS include:
>
> SecRuleUpdateTargetById 932235 !ARGS:json.transacciones.array_1.descripcion

But then I would need to add exclusions for any number of array_n: this is a form where the user may add any number of transactions, each of which has a description. In addition, I have other inputs in the whole system where the user is not restricted to any character set. If I apply exclusions, does that mean I need to add exclusions for all the inputs where free text is allowed?

@EsadCetiner
Member

@tonychuuy You can use a regular expression to match any number in an array:
SecRuleUpdateTargetById 932235 "!ARGS:/^json\.transacciones\.array_[0-9]+\.descripcion$/"

I've dug a bit deeper into what's causing the false positive, and it looks like there's no such thing as a command called self. I can't find anything about it on Google or ChatGPT, so that command may have been added by mistake; removing it should fix this false positive.
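
Putting the two suggestions from this thread together as an added example (this is not code from the issue, from its participants, or from the CRS project): the regex target exclusion as a global SecRuleUpdateTargetById directive, and the same exclusion scoped to a single endpoint with a runtime ctl action. The endpoint path /api/transacciones and the local rule id 10001 are assumptions for illustration.

```apacheconf
# Added example, not part of the issue or of CRS. Two ways to stop rule
# 932235 from inspecting the free-text "descripcion" fields while leaving
# every other argument (and every other rule) untouched.

# Option 1: global target exclusion. This directive must be placed AFTER
# the CRS rules are included (for example in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), because it modifies a rule
# that has to exist already. The anchored regex matches
# json.transacciones.array_1.descripcion, array_2.descripcion, and so on,
# but not json.transacciones.array_1.descripcion_extra or other fields.
SecRuleUpdateTargetById 932235 "!ARGS:/^json\.transacciones\.array_[0-9]+\.descripcion$/"

# Option 2: runtime exclusion limited to one endpoint (assumed path
# /api/transacciones). This rule must be placed BEFORE the CRS include
# (for example in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so the
# ctl action takes effect before 932235 runs in phase 2. Rule id 10001 is
# an assumption; ids below 100000 are left free for local rules.
# Note: the regex must not contain a comma, since commas separate actions.
SecRule REQUEST_URI "@beginsWith /api/transacciones" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=932235;ARGS:/^json\.transacciones\.array_[0-9]+\.descripcion$/"
```

Use one of the two, not both. Option 2 is the safer default when the same field name could appear on other endpoints where free text is not expected, since the exclusion then only applies where the request path matches.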

@EsadCetiner EsadCetiner linked a pull request May 1, 2025 that will close this issue