Difference between revisions of "WAF 340362"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with ''''Rule ID''' 340001 '''Alert Message''' Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it is blocke…')
 
m
 
(4 intermediate revisions by one user not shown)
Line 1: Line 1:
 
'''Rule ID'''  
 
'''Rule ID'''  
  
340001
+
340362
  
 
'''Alert Message'''   
 
'''Alert Message'''   
Line 9: Line 9:
 
'''Description'''   
 
'''Description'''   
  
modsecurity, the WAF used, does not support inbound compressed content (not be confused with compressed files, which it does support) and therefore it can not see or evaluate any traffic encoded in this manner.  If an attack were to be encoded in this way the WAF would not catch it, therefore the WAF is configured to block this traffic.
+
Inbound undefined compressed content (not be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls.  Therefore they can not see or evaluate any traffic encoded in this manner.  If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.
 +
 
 +
This rule looks for this header:
 +
 
 +
Content-Encoding: Identity
 +
 
 +
If this header exists, the request is rejected because the WAF can not decode this kind of content.  It is invisible to the WAF (because its compressed, but the method of compression is not defined, so the WAF has no idea how to uncompress it), and therefore an attack can simply bypass the WAF by compressing an attack.
 +
 
 +
'''Do not disable this rule.'''
 +
 
 +
'''Background'''
 +
 
 +
The use of this method is also consider invalid by the HTTP 1.1 RFC.    This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be  used in the Content-Encoding header.  This rule detects this RFC non-compliant compressed inbound content and blocks it correctly. The content is both invalid, and invisible to the WAF.  The use of this method is extremely rare in practice, as properly designed client applications will not do this.  If you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, is producing content the WAF will not be able to decompress (and which it will therefore block) and should be modified to be in compliance with the HTTP 1.1 RFC.
 +
 
 +
See the RFC in the references section below for technical details.
  
 
'''False Positives:'''
 
'''False Positives:'''
  
None.  This does not have any known false positives.  If it triggers it means compressed content is being sent to the server.  If you allow this by disabling this rule you will open your system up to attacks that ASL can not detect or prevent.
+
None.  If this rule triggers it means content encoded data, as explained above, is being sent to the server.  If you allow this by disabling this rule you will open your system up to attacks that modsecurity can not detect or prevent.
 +
 
 +
Do not disable this rule.
  
 
'''Similar Rules'''
 
'''Similar Rules'''
  
[[WAF_340001]]
+
None.
 +
 
 +
'''References'''
 +
 
 +
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html

Latest revision as of 12:23, 15 June 2013

Rule ID

340362

Alert Message

Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it is blocked.

Description

Inbound undefined compressed content (not be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls. Therefore they can not see or evaluate any traffic encoded in this manner. If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.

This rule looks for this header:

Content-Encoding: Identity

If this header exists, the request is rejected because the WAF can not decode this kind of content. It is invisible to the WAF (because its compressed, but the method of compression is not defined, so the WAF has no idea how to uncompress it), and therefore an attack can simply bypass the WAF by compressing an attack.

Do not disable this rule.

Background

The use of this method is also consider invalid by the HTTP 1.1 RFC. This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it correctly. The content is both invalid, and invisible to the WAF. The use of this method is extremely rare in practice, as properly designed client applications will not do this. If you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, is producing content the WAF will not be able to decompress (and which it will therefore block) and should be modified to be in compliance with the HTTP 1.1 RFC.

See the RFC in the references section below for technical details.

False Positives:

None. If this rule triggers it means content encoded data, as explained above, is being sent to the server. If you allow this by disabling this rule you will open your system up to attacks that modsecurity can not detect or prevent.

Do not disable this rule.

Similar Rules

None.

References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html

Personal tools