Blocking a request with ModSecurity and lua script


I have web traffic flowing through ModSecurity.

Within the ModSecurity configuration I am calling a Lua script that is running some simple analysis on the arguments of the request string. Specifically, it is checking for evidence of Cross-Site Scripting and will block the incoming traffic if there exists some evidence.

The ModSecurity rule engine configuration is as follows:

SecRuleEngine On
SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"

An illustrative example of the lua script is as follows:

function main()
    -- Retrieve script parameters
    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );

    -- Loop through the parameters
    for i = 1, #d do
        -- Examine parameter value.
        if (string.find(d[i].value, "<script")) then
            return ("Suspected XSS in variable " .. d[i].name .. ".");
        end
    end

    -- Nothing wrong found.
    return nil;
end

Although XSS can be detected and returned, the blocking functionality is not occurring. Is there something obvious missing? Any help would be greatly appreciated.

Cheers

Best Answer

Despite what you might think, block does not actually block requests. You need to use deny for that.

The reason for this is that block is a specially defined action that you can then define how to handle. You could deny, just log, or redirect to an error page when your rule blocks. This is set with the SecDefaultAction, and the default is to pass the rule as shown here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction. While this might not seem to make sense, it also allows you to do things like switching anomaly scoring on or off easily in the OWASP CRS.

So either change your SecRuleScript to deny rather than block:

SecRuleEngine On
SecRuleScript "/path/to/lua/script/detectXSS.lua" "deny"

Or alternatively set the default block action to deny:

SecRuleEngine On
SecDefaultAction "phase:2,deny"
SecRuleScript "/path/to/lua/script/detectXSS.lua" "block"

See here for more details on block: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#block
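As an added, stand-alone illustration that is not from the original post or from ModSecurity itself: a small Lua harness that stands in for ModSecurity's m API (the sample ARGS values and the entity decoder are constructed for the demo) and runs the question's main() over them, showing that the script's non-nil return value is what hands the decision to the engine, while the action word (block or deny) only decides what the engine then does.

```lua
-- Constructed request arguments standing in for the real ARGS collection.
local args = {
  { name = "ARGS:q",   value = "hello world" },
  { name = "ARGS:msg", value = "&lt;SCRIPT&gt;alert(1)&lt;/SCRIPT&gt;" },
}

-- Minimal stand-in for the engine's htmlEntityDecode transformation
-- (named, decimal and hex entities in the single-byte range only).
local function htmlEntityDecode(s)
  local named = { lt = "<", gt = ">", amp = "&", quot = '"' }
  local function byte(n) return n < 256 and string.char(n) or nil end
  s = s:gsub("&#[xX](%x+);?", function(h) return byte(tonumber(h, 16)) end)
  s = s:gsub("&#(%d+);?", function(d) return byte(tonumber(d)) end)
  return (s:gsub("&(%a+);?", function(n) return named[n] or ("&" .. n) end))
end

local transforms = { lowercase = string.lower, htmlEntityDecode = htmlEntityDecode }

-- Fake "m" object: applies the requested transformations in the order given,
-- as the real engine does before the script sees the values.
m = {}
function m.getvars(collection, tfns)
  local out = {}
  for _, v in ipairs(args) do
    local val = v.value
    for _, t in ipairs(tfns or {}) do val = transforms[t](val) end
    out[#out + 1] = { name = v.name, value = val }
  end
  return out
end
function m.log(level, msg) print("[log " .. level .. "] " .. msg) end

-- The script from the question, unchanged in logic.
function main()
  local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" })
  for i = 1, #d do
    if string.find(d[i].value, "<script") then
      return ("Suspected XSS in variable " .. d[i].name .. ".")
    end
  end
  return nil
end

-- A non-nil return is the "match"; whether that match denies, logs or
-- redirects is decided by the rule's action (and SecDefaultAction for block).
local verdict = main()
print(verdict or "no match")
```

Run it with a plain Lua interpreter; the second argument matches only because the entity-decoded, lowercased value is what the script inspects.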
