Difference between revisions of "WAF 340362"
Revision as of 12:18, 15 June 2013
Rule ID
340362
Alert Message
Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it is blocked.
Description
Inbound undefined compressed content (not to be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls, so they cannot see or evaluate any traffic encoded in this manner. If an attack were encoded this way the WAF would not catch it, which is why WAFs are configured to block this traffic.
This rule looks for this header:
Content-Encoding: Identity
If this header exists, the request is rejected because the WAF cannot decode this kind of content. It is invisible to the WAF (because it is compressed), and therefore an attack could simply bypass the WAF by being compressed in this way.
Do not disable this rule.
Background
The use of this method is also considered invalid by the HTTP 1.1 RFC: this content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it. The content is both invalid and invisible to the WAF. The use of this method is extremely rare in practice; if you have an application that behaves this way, it is not in compliance with the RFCs, is generating invalid encodings, and should be modified to comply with the HTTP 1.1 RFC.
See the RFC below for technical details.
For example, if the "Content-Encoding" header starts with "Identity":
Content-Encoding: Identity
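The check this rule performs, written out as an added Python example (not Atomicorp's rule code) and run over constructed request heads: header names and the content-coding token are compared case-insensitively, so the "Identity" spelling above matches, while the legitimate Accept-Encoding use of the token is left alone.

```python
from __future__ import annotations

# Added example: mirrors the header check described above. Sample requests
# below are constructed for this example, not captured traffic.

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split an HTTP request head into (name, value) pairs; names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; not the concern of this check
        headers.append((name.strip().lower(), value.strip()))
    return headers

def violates_rule_340362(raw: bytes) -> bool:
    """True when any Content-Encoding header value starts with 'identity'.

    Content-coding tokens are case-insensitive (RFC 2616 section 3.5), so
    'Identity', 'identity' and 'IDENTITY' all trigger the check.
    """
    for name, value in parse_headers(raw):
        if name == "content-encoding" and value.lower().startswith("identity"):
            return True
    return False

# Constructed sample requests.
BLOCKED = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Encoding: Identity\r\nContent-Length: 0\r\n\r\n")
ALLOWED_ACCEPT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept-Encoding: identity\r\n\r\n")  # RFC-permitted use
ALLOWED_PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    samples = (("content-encoding", BLOCKED),
               ("accept-encoding", ALLOWED_ACCEPT),
               ("plain", ALLOWED_PLAIN))
    for label, req in samples:
        verdict = "reject" if violates_rule_340362(req) else "pass"
        print(f"{label}: {verdict}")
```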
False Positives:
None. If this rule triggers it means content encoded data, as explained above, is being sent to the server. If you allow this by disabling this rule you will open your system up to attacks that ModSecurity cannot detect or prevent.
Do not disable this rule.
Similar Rules
None.
References
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html