-
Notifications
You must be signed in to change notification settings - Fork 725
Block proxy requests (GET http://example.org/ HTTP/1.1) #501
Comments
Sounds great to me. Would solve a problem of inadvertently misconfigured open proxies. |
Reporting on an email conversation: Message by @lifeforms
Response by @csanders-git
|
I do like the elegance of |
Me too. I love it. Whitelisting is always better. Maybe there will be LFI attempts too by using The rule would probably need to work on I guess we will plan this for 3.1? Maybe we should note in the 3.0 CHANGES file however, that we have changed the default restricted headers. And maybe we should note which ones we removed from the details. In fact we probably should put those type of changes at the top of the list. |
3.1 or 3.0.1, I guess 3.1 since it's a new feature. |
I agree on 3.1(.0). On Tue, Nov 01, 2016 at 09:37:57AM -0700, Chaim Sanders wrote:
|
@dune73 Can we put this in a MR? What needs to be done here? |
Seems reasonable - @dune73 you want me to take or do you want it? |
I'm all for integrating this into 3.1. Ideally as part of 920 at PL1. |
Rather not me, though. Still not bottom in my inbox. |
Still hoping somebody is picking this up. |
I'm running this on my production... let's see what happen: SecRule REQUEST_URI "!@beginsWith /" "id:920490,\
phase:1,\
block,\
t:none,\
msg:'Open Proxy Scanning Detected',\
ver:'OWASP_CRS/3.1.0',\
severity:'CRITICAL',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/OPEN-PROXY-%{matched_var_name}=%{tx.0}" |
@theMiddleBlue did you get any useful info from the exercise above? |
During the monthly CRS chat, @theMiddleBlue volunteered to develop the proposed rule above into a working PR. Meeting minutes: #1671 (comment) |
@theMiddleBlue : Do you have an update here? |
not yet, unfortunately it seems that this rule never triggers since my Nginx convert something like Request:
Audit log: {
"transaction": {
"client_ip": "172.18.0.1",
"time_stamp": "Wed Mar 4 15:00:02 2020",
"server_id": "09ebdb7ebc3b9ac7a7108173cd60f9ebc8e54350",
"client_port": 43752,
"host_ip": "172.18.0.4",
"host_port": 80,
"unique_id": "15833304024.405522",
"request": {
"method": "HEAD",
"http_version": 1.1,
"uri": "/test.php",
"body": "",
"headers": {
"Host": "wordpress",
"Proxy-Connection": "Keep-Alive"
}
},
"response": {
"body": "",
"http_code": 200,
"headers": {}
},
"producer": {
"modsecurity": "ModSecurity v3.0.4 (Linux)",
"connector": "ModSecurity-nginx v1.0.1",
"secrules_engine": "DetectionOnly",
"components": [
"OWASP_CRS/3.2.0\""
]
},
"messages": []
}
} |
http://www.tutorialspoint.com/http/http_requests.htm mentions:
We accept this format and I do not see why an application server or a reverse proxy should. There are quite a of these attempts on my servers.
Block at PL1?
The text was updated successfully, but these errors were encountered: