Core OWASP ModSecurity - JSON Resolution

I have had ModSecurity and the OWASP Rule Set ver. 2.2.5 installed for a few months now, but the JSON endpoint on the site recently stopped responding, and the Apache log shows the following:

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID data Changed - IP address mismatch."] [hostname "************"] [uri "/api/campaign/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "36"] [id "981060"] [msg "Warning - Sticky SessionID data Changed - User-Agent mismatch."] [hostname "************"] [uri "/api/campaign/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Operator EQ matched 2 at TX:sticky_session_anomaly. [file "/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "37"] [id "981061"] [msg "Possible session hijacking - IP Address and user agent mismatch."] [hostname "************"] [uri "/api/campaign/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type not allowed policy"] [data "application/json"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "************"] [uri "/api/campaign/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id "Va4hyKwfKiYAAAYSLigAAAAJ"]

I am new to mod_security and the OWASP rules (I basically followed the guide here), but as I understand it the rules are cumulative, and if the request passes the threshold it gets blocked. I guess this is what I am seeing here.

The last entry concerns me: "application/json" should definitely be allowed. Looking at /etc/modsecurity/modsecurity_crs_10_setup.conf, I see:

setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'


My questions are: 1. Can I just add application/json here to make the error go away? 2. Is that the right thing to do?



1 answer


Yes, you can change it like this:

setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'


Yes, this is the correct way to do it.


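As an added illustration (not code from the question, the answer, or the CRS project), the following Python emulates the content-type check that rule 960010 logged above, using the allowed-list from modsecurity_crs_10_setup.conf before and after the fix, and parses the bracketed fields of such an error-log line. It assumes the rule compares the media type with its parameters (e.g. charset) stripped; the sample log line and client address are constructed.

```python
import re

# Allowed-list value from the question's modsecurity_crs_10_setup.conf, and the same list with the fix applied.
DEFAULT_ALLOWED = ("application/x-www-form-urlencoded|multipart/form-data|text/xml"
                   "|application/xml|application/x-amf")
FIXED_ALLOWED = DEFAULT_ALLOWED + "|application/json"

# Constructed sample error-log line modelled on the 960010 entry in the question (client IP is a documentation address).
SAMPLE_LOG = ('[Tue Jul 21 10:41:12 2015] [error] [client 192.0.2.10] ModSecurity: Warning. '
              'Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. '
              '[file "/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] '
              '[line "64"] [id "960010"] [msg "Request content type not allowed policy"] '
              '[data "application/json"] [severity "WARNING"]')

def media_type(content_type_header):
    """Strip parameters: 'application/json; charset=utf-8' -> 'application/json'.
    Assumption: the rule captures the header up to the first ';' or whitespace (TX:0) before comparing."""
    m = re.match(r"^([^;\s]+)", content_type_header)
    return m.group(1) if m else ""

def content_type_allowed(content_type_header, allowed=DEFAULT_ALLOWED):
    """Emulate rule 960010 as logged: the TX value is substituted verbatim into 'rx ^...$'.
    Because '|' binds weaker than '^' and '$', only the first and last entries are actually anchored."""
    pattern = "^" + allowed + "$"
    return re.search(pattern, media_type(content_type_header)) is not None

def content_type_allowed_strict(content_type_header, allowed=DEFAULT_ALLOWED):
    """Comparison variant (not a CRS option): wrap the list in a group so every entry is anchored."""
    pattern = "^(?:" + allowed + ")$"
    return re.search(pattern, media_type(content_type_header)) is not None

def parse_modsec_error(line):
    """Return the [key "value"] fields of a ModSecurity error-log line as a dict (repeated keys keep the last value)."""
    return dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))

def logged_type_allowed(line, allowed):
    """Would the content type recorded in [data "..."] of a 960010 entry pass with this allowed-list?"""
    fields = parse_modsec_error(line)
    return fields.get("id") == "960010" and content_type_allowed(fields["data"], allowed)

if __name__ == "__main__":
    print(content_type_allowed("application/json"))                                  # False: default list rejects JSON
    print(content_type_allowed("application/json; charset=utf-8", FIXED_ALLOWED))    # True after the fix
    print(content_type_allowed("text/xmlgarbage"), content_type_allowed_strict("text/xmlgarbage"))  # True False
    print(logged_type_allowed(SAMPLE_LOG, DEFAULT_ALLOWED), logged_type_allowed(SAMPLE_LOG, FIXED_ALLOWED))  # False True
```

The third print shows the caveat worth knowing when editing this list: entries in the middle of the alternation match as substrings, so the strict variant is what a fully anchored comparison would look like.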