Difference between revisions of "WAF 330792"

From Atomicorp Wiki
Jump to: navigation, search
m (Created page with "'''Rule ID''' 330792 '''Status''' Active rule currently published. '''Alert Message''' Multipart parser detected a possible unmatched boundary. This may be an impedence m...")

Revision as of 15:15, 15 August 2011

Rule ID

330792

Status

Active rule currently published.

Alert Message

Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors.

Description

This rule detects when, during the parsing phase of a multipart/request-body, ModSecurity encounters what feels like a boundary but it is not. Such an event may occur when evasion of ModSecurity is attempted. This is a serious condition, and can mean only one of two things:

1) An attacker is attempting to bypass the WAF by constructing a body that will not be parsed correctly by the WAF, in hopes of bypassing the WAF. 2) The application is generating non-RFC compliant, or broken message bodies that the WAF is unable to assemble. This can occur with a broken client, buggy library or even a broken connection.

False Positives

Disabling this rule will leave your system open for multipart bypass attacks, therefore it is highly recommended you first discuss this issue with the applications developers to determine why the format of the request is unparsable, and determine if they can fix their application first. This condition is extremely rare, and it is not recommended that you disable this rule if you have a false positive.

If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you know that this behaviour is acceptable for your application, you can tune it by identifying the application that is being triggered, and specifically allowing that application to generate bodies the WAF can not examine correctly. Please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules

WAF_330791

Knowledge Base Articles

None.

Outside References

None.

Personal tools