Brian Rectanus | 3 Nov 20:57

[Fwd: Re: XMLRPC Payload Rule]

I don't have a good example other than those in the docs.  Those seem 
pretty straight forward.  Maybe send us what you have tried and someone 
can comment on what you may be missing?

-B

-- 
Brian Rectanus
Breach Security

Rob Greenwood | 4 Nov 01:45

Re: [Fwd: Re: XMLRPC Payload Rule]

Sure :)

The XML getting passed is XMLRPC and is posted to /RPC in the following format:

POST /RPC2 HTTP/1.1
<?xml version="1.0" ?>
<methodCall>
  <methodName>session.login_with_password</methodName>
   <params>
    <param>
     <value>
      <string>test</string>
     </value>
    </param>
    <param>
     <value>
      <string>test</string>
     </value>
    </param>
   </params>
</methodCall>

The element I'm bothered about filtering on is methodName, so my rule is as follows:

SecRuleEngine On
SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_URI "^/RPC" phase:1,pass,ctl:requestBodyProcessor=XML
SecRule XML:/methodCall/methodName/text() session.login_with_password

Debug log shows:

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Recipe: Invoking rule 82170b0; [file "/etc/apache2/sites-enabled/000-default"] [line "14"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5] Rule 82170b0: SecRule "REQUEST_URI" "@rx ^/RPC" "log,status:403,phase:1,pass,ctl:requestBodyProcessor=XML"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Transformation completed in 2 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Executing operator "rx" with param "^/RPC" against REQUEST_URI.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] Target value: "/RPC2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Operator completed in 31 usec.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Ctl: Set requestBodyProcessor to XML.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][2] Warning. Pattern match "^/RPC" at REQUEST_URI. [file "/etc/apache2/sites-enabled/000-default"] [line "14"]
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Rule returned 1.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] Match -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] PdfProtect: Not enabled here.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Second phase starting (dcfg 8214280).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Input filter: Request body access not enabled.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Time #1: 644
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Starting phase REQUEST_BODY.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] This phase consists of 1 rule(s).
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Recipe: Invoking rule 82178d0; [file "/etc/apache2/sites-enabled/000-default"] [line "15"].
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][5] Rule 82178d0: SecRule "XML:/methodCall/methodName/text()" "@rx session.login_with_password" "log,deny,status:403,phase:2"
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Rule returned 0.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][9] No match, not chained -> mode NEXT_RULE.
[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Time #2: 724

So the first phase is triggering and enabling the XML processor, but the second phase doesn't match.

Am I being stupid?

Thanks in advance!

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
Ryan Barnett | 4 Nov 01:59

Re: [Fwd: Re: XMLRPC Payload Rule]

Did you see this message in the debug log?

[04/Nov/2009:00:34:17 +0000] [192.168.1.1/sid#82132e8][rid#82254f8][/RPC2][4] Input filter: Request body access not enabled.

You need to add SecRequestBodyAccess On to your conf.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett <at> Breach.com
www.Breach.com

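Rob's rule set with the fix Ryan points to, written up as an added example (not code from the thread) together with the checks a practitioner would put around it: the rule ids, the Content-Type and method checks, the body-size limits and the parse-error rule are assumptions for this example, not something the thread specifies.

```apache
# Added example, not from the thread: Rob's rules plus Ryan's fix.
# Rule ids, limits and the Content-Type/method checks are assumptions.

SecRuleEngine On

# Without this, phase 2 never sees the POST body: the debug log reports
# "Input filter: Request body access not enabled" and the XML rule
# returns 0 even though the XML body processor was switched on in phase 1.
SecRequestBodyAccess On

# Cap what the body processor will buffer (bytes; sizes are illustrative).
SecRequestBodyLimit 131072
SecRequestBodyNoFilesLimit 131072

SecDefaultAction "phase:2,log,deny,status:403"

# Enable the XML body processor only for XML POSTs to the RPC endpoint,
# so the parser is not fed arbitrary bodies on other URIs.
SecRule REQUEST_URI "^/RPC" \
    "id:1001,phase:1,pass,nolog,chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule REQUEST_HEADERS:Content-Type "^(?:text|application)/xml" \
            "ctl:requestBodyProcessor=XML"

# A body the XML processor could not parse is itself worth blocking and
# logging rather than silently letting through with no XML:* values.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
    "id:1002,phase:2,msg:'XML request body parse error'"

# Exact match on the method name. @streq avoids the unescaped '.' in
# session.login_with_password acting as a regex wildcard under @rx.
SecRule XML:/methodCall/methodName/text() "@streq session.login_with_password" \
    "id:1003,phase:2,t:none,msg:'Blocked XML-RPC method %{MATCHED_VAR}'"
```

With SecRequestBodyAccess On, the phase 2 debug log should show the XML target value being evaluated rather than "Request body access not enabled".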
