Rule to check if both C-L and T-E are present

SpiderLabs · Mar 2, 2020 · 26df7ee · 26df7ee
1 parent e2f6de0
commit 26df7ee
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 0 deletions.
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -243,6 +243,33 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
             "setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 
 
+#
+# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length
+# header field in any message that contains a Transfer-Encoding header
+# field.
+#
+# Related to 920170, 920171 and 920180.
+#
+SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+    "id:920181,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Content-Length and Transfer-Encoding headers present.',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+    tag:'CAPEC-272',\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
+        "t:none,\
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 #
 # Range Header Check
 #

diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml
@@ -0,0 +1,35 @@
+---
+  meta:
+    author: "fgsch"
+    enabled: true
+    name: "920181.yaml"
+    description: "Description"
+  tests:
+    -
+      test_title: 920181-1
+      stages:
+        -
+          stage:
+            input:
+              dest_addr: "127.0.0.1"
+              port: 80
+              method: "POST"
+              uri: "/"
+              headers:
+                Host: "localhost"
+                Accept: "*/*"
+                Content-Length: 7
+                Content-Type: "application/x-www-form-urlencoded"
+                Transfer-Encoding: "chunked"
+                User-Agent: "ModSecurity CRS 3 Tests"
+              data:
+                - "7"
+                - "foo=bar"
+                - "0"
+                - ""
+                - ""
+              stop_magic: true
+            output:
+              # Apache unsets the Content-Length header if
+              # Transfer-Encoding is found!
+              no_log_contains: id "920181"