
WAF Rule - File Extension to be blocked

 

The CRS rule 920440 ("URL file extension is restricted by policy") triggers when the extension of the requested file is in the tx.restricted_extensions list. With the CRS 3.3 default list these forbidden file extensions are:

".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"

Each entry has the form .ext/ so that the rule's @within check matches whole extensions only.

Example of the rule triggering for the file extension .axd (a request for /testvs/WebResource.axd):


2021-06-04T13:14:36+02:00 kemp02 wafd: [client 121.128.80.30] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/tmp/waf/5/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1034"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.99.21 (testvs)"] [uri "/testvs/WebResource.axd"] [unique_id "af8885df-69f6-4be5-a219-349152c6d70f"]

 

How can I add an exception to allow .axd files?

Your options are:

1 - Disable rule 920440 for that VS. This allows every extension on the list, not only .axd.

2 - Create equivalent custom rules that allow the required extension and still block all the others.

Rules to be created

The first rule sets tx.restricted_extensions, the list that rule 920440 checks against. The CRS provides it in crs-setup.conf.

Download crs-setup.conf.example from the OWASP CRS site (https://coreruleset.org/installation/), open it in an editor and search for the "Forbidden file extensions" section, which is introduced by the comments:

"Forbidden file extensions."

"Guards against unintended exposure of development/configuration files."

Create a new custom rule file (rule_900240.conf; the name can be anything you want) containing only that SecAction, with the extension you want to allow removed from the list. In the list below, .axd has been taken out of the default list; .asd/, which is not in the default list, is the first entry and is the extension blocked in the test further down:

SecAction \
"id:900240,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.restricted_extensions=.asd/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

 

The second rule is a copy of rule 920440 from REQUEST-920-PROTOCOL-ENFORCEMENT.conf. The only change is the rule ID: 920440 itself is disabled for the Virtual Service in the GUI, so the copy needs an ID that is not already in use (ModSecurity refuses to load two rules with the same ID). The CRS initialisation rules only set the default list when tx.restricted_extensions has not been set already, so the custom SecAction above must be evaluated before them; the test below, where .asd (not in the default list) is blocked, shows that the custom list is the one in use.

Creating a custom rule (Rule_820440.conf):

SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
    "id:820440,\
    phase:1,\
    block,\
    capture,\
    t:none,\
    msg:'URL file extension is restricted by policy',\
    logdata:'%{TX.0}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    tag:'PCI/6.5.10',\
    ver:'OWASP_CRS/3.3.2',\
    severity:'CRITICAL',\
    setvar:'tx.extension=.%{tx.1}/',\
    chain"
    SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
        "t:none,t:urlDecodeUni,t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
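To see what the two rules do together before uploading them, the following Python script mirrors their logic: it builds the restricted list the way the SecAction sets tx.restricted_extensions (with helpers that remove one .ext/ token, as done here for .axd, and add one, as done here for .asd), then applies rule 920440's test to a request URI: take REQUEST_BASENAME, capture the text after the last dot, form ".ext/", apply t:urlDecodeUni and t:lowercase, and check @within. This is an added example for this article, not Kemp or OWASP code, and it does not run ModSecurity; it reproduces the operator logic so the effect of the list edit can be checked offline. The function names, and the sample URIs other than the ones from the test below, are the example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Default tx.restricted_extensions from CRS 3.3 crs-setup.conf.example
# (the same list that appears in the 920440 log line above).
DEFAULT_RESTRICTED = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ "
    ".swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)


def allow_extension(restricted, ext):
    """Return the list with the '.ext/' token for one extension removed.

    Tokens are kept in the '.ext/' form so that @within cannot match a
    prefix such as '.as' against '.asa/'."""
    token = "." + ext.lower().lstrip(".") + "/"
    tokens = restricted.split()
    if token not in tokens:
        raise ValueError(f"{token} is not in the restricted list")
    return " ".join(t for t in tokens if t != token)


def deny_extension(restricted, ext):
    """Prepend a '.ext/' token (the article's list adds .asd/ for testing)."""
    token = "." + ext.lower().lstrip(".") + "/"
    return restricted if token in restricted.split() else token + " " + restricted


# The list used in the article's custom SecAction: .axd removed, .asd/ in front.
CUSTOM_RESTRICTED = deny_extension(allow_extension(DEFAULT_RESTRICTED, "axd"), "asd")

# Operator of rule 920440: SecRule REQUEST_BASENAME "@rx \.([^.]+)$"
EXTENSION_RE = re.compile(r"\.([^.]+)$")


def restricted_extension(uri, restricted):
    """Mirror rule 920440 against one request URI.

    REQUEST_BASENAME is the last path segment without the query string.
    tx.extension is set to '.%{tx.1}/'; the chained rule then applies
    t:urlDecodeUni (here: %xx decoding) and t:lowercase and tests
    @within tx.restricted_extensions, i.e. a substring check.
    Returns the matching '.ext/' token, or None when the request passes."""
    basename = urlsplit(uri).path.rsplit("/", 1)[-1]
    match = EXTENSION_RE.search(basename)
    if not match:
        return None  # no extension: the rule does not fire
    tx_extension = "." + match.group(1) + "/"
    tx_extension = unquote(tx_extension).lower()
    return tx_extension if tx_extension in restricted else None


def render_secaction(restricted, rule_id=900240):
    """Render the crs-setup.conf SecAction that sets tx.restricted_extensions."""
    return (
        "SecAction \\\n"
        f'    "id:{rule_id},\\\n'
        "    phase:1,\\\n"
        "    nolog,\\\n"
        "    pass,\\\n"
        "    t:none,\\\n"
        f"    setvar:'tx.restricted_extensions={restricted}'\"\n"
    )


if __name__ == "__main__":
    print(render_secaction(CUSTOM_RESTRICTED))
    for uri in ("/testvs/WebResource.axd", "/wafblocking.asd", "/waftest.asx",
                "/Web.CONFIG", "/backup.tar.bak", "/index.as", "/page.asd?dl=1"):
        print(uri, "default:", restricted_extension(uri, DEFAULT_RESTRICTED),
              "custom:", restricted_extension(uri, CUSTOM_RESTRICTED))
```

Running it shows WebResource.axd matched by the default list but not by the custom one, .asd matched only by the custom list, mixed case and multiple dots handled by the lowercase transform and the last-extension regex, and /index.as not matched even though .as is a prefix of .asa, which is what the trailing slash in each token is for.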

 

The rule syntax is described in the WAF Rule Writing Guide: https://support.kemptechnologies.com/hc/en-us/articles/4409216181901-WAF-Rule-Writing-Guide

 

Once the two rules are saved as .conf files, upload them to the LoadMaster (LM) under:

Web Application Firewall - Custom Rules - WAF Custom Rules

 

The uploaded rules are then listed under the WAF rules of the Virtual Service, where they can be enabled while the original CRS rule is disabled.

[Screenshots: the custom extension-blocking rules enabled on the Virtual Service; the CRS rule disabled]

Test done on the LoadMaster:

The two rules were created and applied on the VS with WAF enabled, and rule 920440 was disabled for the VS. The extension to be allowed was taken out of the list: compared with the default list, .axd is no longer present in the SecAction, so requests for .axd files no longer match. The test requests an .asd file (in the list, so it should be blocked) and an .asx file (never in the list, so it should be allowed).

Rule 1: the SecAction with id 900240 shown above, unchanged (.asd/ in the list, .axd/ removed).

 

Rule 2: a copy of the disabled rule 920440 from REQUEST-920-PROTOCOL-ENFORCEMENT.conf (search the file for "Restrict file extension"), with the ID changed to 999999:

SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
"id:999999,\
phase:1,\
block,\
capture,\
t:none,\
msg:'URL file extension is restricted by policy',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Two test files were then created on the backend server: one with the .asx extension, which is not in the list and should be allowed, and one with the .asd extension, which is in the list and should be blocked. Both files have the same content:

<html>
<head>
</head>
<body>
<h1>test page</h1>
</body>
</html>

Result:

curl -k https://10.2.126.180/wafblocking.asd
<html><head><title>403 Forbidden</title></head><body>Access denied</body>

curl -k https://10.2.126.180/waftest.asx
<html>
<head>
</head>
<body>
<h1>test page</h1>
</body>
</html>

Logs on the LM:

Allowed one (/waftest.asx). Only rule 920350 is logged, because the test uses a numeric IP address as Host header. It is a WARNING and does not bring the anomaly score up to the threshold, so the request is passed to the server:

2021-10-20T14:54:43+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/tmp/waf/157/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.2.126.180"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.2.126.180 (DVWA)"] [uri "/waftest.asx"] [unique_id "ecaa1b42-8c05-495c-b959-c9eaebb4aafb"]

Blocking one (/wafblocking.asd). Rule 949110 denies the request because the inbound anomaly score reached the threshold of 10 ("Operator GE matched 10"), with a total score of 13:

2021-10-20T14:54:40+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 10 at TX:anomaly_score. [file "/tmp/waf/157/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.2.126.180 (DVWA)"] [uri "/wafblocking.asd"] [unique_id "8cdae785-3a23-4619-8650-ba06ae4795a2"]

The Anomaly Scoring threshold on the VS is set to 10 in this configuration. If it were raised above 13, this request would no longer be blocked. Hits from unrelated rules (here 920350, caused by the numeric Host header) also add to the total, so testing with a real hostname shows the score contributed by the extension rule alone.
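The wafd lines above are the only record of why a request was blocked: each rule hit is logged as "Warning." with its severity, and rule 949110 logs the "Access denied" decision with the total score. The following Python script, an added example for this article and not a Kemp or OWASP tool, parses such lines into fields, groups them by unique_id, and compares the total 949110 reports with the sum of the CRS default severity scores (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) of the individual hits, so the effect of a different threshold can be read off. The sample lines are constructed on the pattern of the article's log, with made-up unique_id values, a custom.conf file name for the custom rule, and the CRS default inbound threshold of 5 rather than the 10 used on this VS.

```python
import re
from collections import defaultdict

# CRS 3.x default per-severity anomaly scores (tx.critical_anomaly_score, ...)
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# One [key "value"] field; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Split one wafd/ModSecurity error-log line into a dict.

    Layout: '<time> <host> wafd: [client <ip>] ModSecurity: <message> [file "..."] ...'
    The free-text message ends at the first ' [file ' field; everything after
    it is [key "value"] pairs, and repeated [tag "..."] fields become a list."""
    prefix, sep, rest = line.partition("ModSecurity: ")
    if not sep:
        raise ValueError("not a ModSecurity event line")
    client = re.search(r"\[client ([^\]]+)\]", prefix)
    message, sep, fields = rest.partition(" [file ")
    event = {"client": client.group(1) if client else None,
             "message": message.strip(), "tags": []}
    for key, value in FIELD_RE.findall(("[file " + fields) if sep else ""):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    # Rule hits are 'Warning. ...'; only 949110 logs 'Access denied with code 403'
    # once tx.anomaly_score reaches the inbound threshold.
    event["blocked"] = event["message"].startswith("Access denied")
    total = re.search(r"Total Score: (\d+)", event.get("msg", ""))
    event["reported_score"] = int(total.group(1)) if total else None
    return event


def summarize(lines):
    """Group events by unique_id: rule ids fired, whether 949110 denied the
    request, the total it reported, and the sum of the severity scores of the
    individual hits (what that total is made of)."""
    requests = defaultdict(lambda: {"uri": None, "rules": [], "blocked": False,
                                    "reported_score": None, "computed_score": 0})
    for line in lines:
        ev = parse_modsec_line(line)
        req = requests[ev.get("unique_id", "?")]
        req["uri"] = ev.get("uri")
        req["rules"].append(ev.get("id"))
        if ev["blocked"]:
            req["blocked"] = True
            req["reported_score"] = ev["reported_score"]
        else:
            req["computed_score"] += SEVERITY_SCORE.get(ev.get("severity"), 0)
    return dict(requests)


def blocked_at(lines, threshold):
    """unique_ids whose summed hits reach a given inbound threshold (the value
    949110 compares tx.anomaly_score against): shows what raising it changes."""
    return {uid for uid, r in summarize(lines).items() if r["computed_score"] >= threshold}


# Constructed sample, modelled on the article's log lines (ids and paths made up).
SAMPLE_LOG = [
    # request 1: /wafblocking.asd -- the copy of 920440 (id 999999) and 920350
    # both fire, 5 + 3 = 8 reaches the threshold of 5, 949110 denies it
    '2021-10-20T14:54:40+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Warning. '
    'String match within ".asd/ .asa/ .asax/" at TX:extension. [file "/tmp/waf/157/custom.conf"] '
    '[line "1"] [id "999999"] [msg "URL file extension is restricted by policy"] [data ".asd"] '
    '[severity "CRITICAL"] [tag "attack-protocol"] [tag "paranoia-level/1"] '
    '[hostname "10.2.126.180 (DVWA)"] [uri "/wafblocking.asd"] [unique_id "req-0001"]',
    '2021-10-20T14:54:40+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Warning. '
    'Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/tmp/waf/157/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.2.126.180"] '
    '[severity "WARNING"] [tag "attack-protocol"] [hostname "10.2.126.180 (DVWA)"] '
    '[uri "/wafblocking.asd"] [unique_id "req-0001"]',
    '2021-10-20T14:54:40+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. [file "/tmp/waf/157/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] '
    '[tag "attack-generic"] [hostname "10.2.126.180 (DVWA)"] [uri "/wafblocking.asd"] [unique_id "req-0001"]',
    # request 2: /waftest.asx -- only 920350 fires (3 < 5), nothing is denied
    '2021-10-20T14:54:43+00:00 lb102 wafd: [client 10.0.37.4] ModSecurity: Warning. '
    'Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/tmp/waf/157/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "10.2.126.180"] '
    '[severity "WARNING"] [tag "attack-protocol"] [hostname "10.2.126.180 (DVWA)"] '
    '[uri "/waftest.asx"] [unique_id "req-0002"]',
]

if __name__ == "__main__":
    for uid, req in summarize(SAMPLE_LOG).items():
        print(uid, req)
    print("blocked at threshold 5:", blocked_at(SAMPLE_LOG, 5))
    print("blocked at threshold 10:", blocked_at(SAMPLE_LOG, 10))
```

On the LoadMaster the same lines are what the WAF log and the False Positive Analysis view are built from; grouping by unique_id is what ties a 949110 "Access denied" entry back to the rule hits that produced its total.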

 

 

 


Comments

Michal Wojcicki

Very useful article! I have one question about the "Blocking one" section.

In the log above, when it's detected and a Warning is triggered, I can find rule ID 920350, check its contents and edit it, but what about the case of blocking:

when ModSecurity is blocking, where can I find REQUEST-949-BLOCKING-EVALUATION.conf and rule 949110?

Best Regards,
Michal Wojcicki

PaulCrotty

When a rule is triggered which leads to a request being blocked, details of the event can be found under the "False Positive Analysis" view.

The False Positive Analysis can be selected under the WAF Configuration or in the Virtual Service Configuration.