ModSecurity OWASP核心规则集的两种配置模式

栏目: IT技术 · 发布时间: 4年前

内容简介:OWASP规则的官方Github地址:OWASP V3版本核心规则集目前支持两种配置模式:

本文主要介绍OWASP核心规则集的两种配置模式。

OWASP规则的官方Github地址: https://github.com/coreruleset/coreruleset

OWASP V3版本核心规则集目前支持两种配置模式:

异常评分模式(默认)和独自控制模式

异常评分模式 ,也可称为”协同检测模式”,在此模式下,当检测到威胁时,并不会直接阻断此次请求,而是向下继续进行规则匹配,每个匹配成功的规则都会增加”异常分数”,在对请求数据检测结束时,以及对返回数据检测结束时,都会对异常分数的总和进行判断,如果大于设置的阈值,才会进行阻断动作,并向客户端返回403代码,审计日志中也会记录此次访问中所有匹配成功的规则信息。

独自控制模式 ,此模式是V2版本规则集的默认模式,它的工作方式是,只要有一条规则匹配成功,便拦截此次访问,审计日志中也只会记录第一次检测到威胁的规则信息。

因此,通过上述描述我们可以简单得出两种模式的优缺点:

异常评分模式 :由于每次请求都会匹配所有规则,因此在高并发情况下,效率相对较低,服务器资源占用较高,但误报率相对较低;

独自控制模式 :检测到一次威胁就直接阻断请求,因此在高并发情况下,效率相对较高,服务器资源占用较小,但误报率相对较高。除此之外该模式还有一个优点,即可以通过全局配置,设置当访问被拦截后,跳转到自定义的提示页面。

如何配置跳转到自定义提示页面,可参见 http://modsecurity.cn/practice/post/8.html

在配置上,两者配置区别如下(在crs-setup.conf中进行配置):

异常评分模式

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

由于是所有规则都进行匹配,因此SecDefaultAction并未使用”deny”关键词,而是使用”pass”,即检测到威胁后继续下一规则的匹配。其中log代表记录错误日志,通常内容记录在WEB服务的错误日志文件中,auditlog代表记录审计日志,保存此次请求的详细信息。如不需要记录log或auditlog,直接删除对应的关键词即可。

独自控制模式

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

此配置表示,只要检测到威胁,则使用”deny”关键词对此次访问进行阻断,同时向服务器返回403错误代码。

在审计日志中,我们也能看到明显的差异,比如模拟一次简单的攻击,如http://服务器IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E,两种模式所记录的审计日志如下(主要看日志的H部分):

异常评分模式下的审计日志

---5WCHvu3z---A--
[22/May/2020:17:16:14 +0800] 159013897435.560455 116.255.132.12 5289 172.21.0.15 80
---5WCHvu3z---B--
GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 49.233.80.239
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Cookie: memSize=1838
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

---5WCHvu3z---D--

---5WCHvu3z---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.16.1</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---5WCHvu3z---F--
HTTP/1.1 403
Server: nginx/1.16.1
Date: Fri, 22 May 2020 09:16:14 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---5WCHvu3z---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "<b>941100</b>"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "<b>941110</b>"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "o2,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:param' (Value: `"><script>alert(1);</script>' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "205"] [id "<b>941160</b>"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref "o2,7o19,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "<b>949110</b>"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013897435.560455"] [ref ""]

上述审计日志表示,此次访问,分别触发了ID为941100、941110、941160三条规则,最终ID为949110的规则对异常分数的总和进行判断,发现大于设置的阈值,便执行阻断操作,向客户端返回403错误代码,拦截此次访问。

此次拦截在异常评分模式下涉及到的规则以及触发流程如下:

首先,是REQUEST-901-INITIALIZATION.conf文件中的三条规则,ID分别为901100、901120、901140,内容如下所示:

SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.inbound_anomaly_score_threshold=5'"

SecRule &TX:paranoia_level "@eq 0" \
    "id:901120,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.paranoia_level=1'"

SecRule &TX:critical_anomaly_score "@eq 0" \
    "id:901140,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.critical_anomaly_score=5'"

此三条规则通过setvar关键字分别初始了三个变量的值,tx.inbound_anomaly_score_threshold为5,tx.paranoia_level为1,tx.critical_anomaly_score为5,其中tx.inbound_anomaly_score_threshold为最终判断是否要阻断此次请求的阈值。

然后,此次访问分别触发了REQUEST-941-APPLICATION-ATTACK-XSS.conf文件中的三条规则,ID分别为941100、941110、941160,内容如下:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
    "id:941100,\
    phase:2,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection',\
    logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
    "id:941110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 1: Script Tag Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ransition(?:cancel|end|run)|ime(?:update|out)|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
    "id:941160,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'NoScript XSS InjectionChecker: HTML Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

三条规则中,每次都会通过setvar关键词,将tx.anomaly_score_pl1变量的值加5,即+%{tx.critical_anomaly_score},%{}代表获取变量的值。由于匹配了三次,因此此时tx.anomaly_score_pl1的值变成了15。

接下来,REQUEST-949-BLOCKING-EVALUATION.conf文件中的两条规则被执行,ID分别为949060、949110,规则内容如下:

SecRule TX:PARANOIA_LEVEL "@ge 1" \
    "id:949060,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"

SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    t:none,\
    log,\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    severity:'CRITICAL',\
    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

ID为949060的规则表示,当tx.paranoia_level的值为1时,创建变量tx.anomaly_score,同时赋予tx.anomaly_score_pl1变量的值,此时tx.anomaly_score的值也成为了15,然后,ID为949110的规则对tx.anomaly_score变量进行判断,如果大于tx.inbound_anomaly_score_threshold变量的值,则通过deny关键词进行阻断,而tx.inbound_anomaly_score_threshold变量初始值为5,15>5,tx.anomaly_score>tx.inbound_anomaly_score_threshold,条件匹配成功,此次访问被阻断。当然,实际参与此次访问判断的规则并非只有上述规则,本人只是将涉及到此次拦截的规则单独摘取出来,进行拦截流程的简要介绍。

独自控制模式下的审计日志:

---AHNuWePS---A--
[22/May/2020:17:13:41 +0800] 159013882129.161492 116.255.132.12 55959 172.21.0.15 80
---AHNuWePS---B--
GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 49.233.80.239
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Cookie: memSize=1838
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

---AHNuWePS---D--

---AHNuWePS---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.16.1</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---AHNuWePS---F--
HTTP/1.1 403
Server: nginx/1.16.1
Date: Fri, 22 May 2020 09:13:41 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive

---AHNuWePS---H--
ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/local/nginx/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: "><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "172.21.0.15"] [uri "/"] [unique_id "159013882129.161492"] [ref "v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

上述部分已经阐述,独自控制模式是只要检测到一次威胁就直接拦截此次请求,因此日志显示仅触发了ID为941100的规则。

除此之外,通过DEBUG日志分析,两种模式下所进行的规则匹配次数也不相同。由于DEBUG日志内容过多,因此此处不进行日志内容展示,仅展示最终数据。

当通过访问http://服务器IP/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E进行模拟攻击时:

异常评分模式下,包含初始化配置类等相关规则,共有340条规则被执行;

独自控制模式下,包含初始化配置类等相关规则,共有282条规则被执行。

目前本人所使用的模式为独自控制模式。


以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

码农书籍
计算广告

计算广告

刘鹏、王超 / 人民邮电出版社 / 2015-9-1 / 69.00元

计算广告是一项新兴的研究课题,它涉及大规模搜索和文本分析、信息获取、统计模型、机器学习、分类、优化以及微观经济学等诸多领域的知识。本书从实践出发,系统地介绍计算广告的产品、问题、系统和算法,并且从工业界的视角对这一领域具体技术的深入剖析。 本书立足于广告市场的根本问题,从计算广告各个阶段所遇到的市场挑战出发,以广告系统业务形态的需求和变化为主线,依次介绍合约广告系统、竞价广告系统、程序化交易......一起来看看 《计算广告》 这本书的介绍吧!

码农工具
JS 压缩/解压工具
JS 压缩/解压工具

在线压缩/解压 JS 代码

随机密码生成器
随机密码生成器

多种字符组合密码

html转js在线工具
html转js在线工具

html转js在线工具

  • New
  • 文章
  • 话题
  • 教程
    • 关注 码农网 公众号
    版权所有,保留一切权利!© 2018-2024 码农网 粤ICP备17054400号-3