WAF 340362

From Atomicorp Wiki
Revision as of 12:18, 15 June 2013 by Mshinn (Talk | contribs)


Rule ID

340362

Alert Message

Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it is blocked.

Description

Inbound undefined compressed content (not to be confused with compressed files or properly defined compressed content) is invisible to all Web Application Firewalls. Therefore they cannot see or evaluate any traffic encoded in this manner. If an attack were to be encoded in this way the WAF would not catch it, therefore WAFs are configured to block this traffic.

This rule looks for this header:

Content-Encoding: Identity

If this header exists, the request is rejected because the WAF cannot decode this kind of content. It is invisible to the WAF (because it is compressed), and therefore an attack can simply bypass the WAF by compressing an attack.

Do not disable this rule.

Background

The use of this method is also considered invalid by the HTTP 1.1 RFC. This content-coding is used only in the Accept-Encoding header, and SHOULD NOT be used in the Content-Encoding header. This rule detects this RFC non-compliant compressed inbound content and blocks it. The content is both invalid and invisible to the WAF. The use of this method is extremely rare in practice, and if you have an application that performs in this manner the application is not in compliance with RFCs, is generating invalid encodings, and should be modified to be in compliance with the HTTP 1.1 RFC.

See the RFC below for technical details.

For example, if the "Content-Encoding" header starts with "Identity":

Content-Encoding: Identity
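To make the check above concrete, here is an added example (not Atomicorp's rule code) that re-implements what the page says rule 340362 does: parse the request headers and reject when Content-Encoding begins with "identity", case-insensitively, while leaving Accept-Encoding alone. The sample requests and the hostname example.test are constructed for the demonstration.

```python
# Added example, not the Atomicorp rule itself: a minimal re-implementation of
# the check the page describes for rule 340362, run over constructed requests.
from typing import Dict, Tuple

RULE_ID = 340362
ALERT = ("Atomicorp.com WAF Rules: ModSecurity does not support content "
         "encodings and can not detect attacks using it, therefore it is blocked.")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a dict.
    Header names are folded to lower case because HTTP field names are
    case-insensitive, so 'content-encoding' and 'Content-Encoding' match."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def rule_340362(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (blocked, message). Rejects when Content-Encoding begins with
    'identity'. The value comparison is case-insensitive (like ModSecurity's
    t:lowercase), so 'Identity' and 'identity, gzip' both trigger. Accept-Encoding
    is deliberately ignored: 'identity' is legitimate there (RFC 2616 sec. 3.5)."""
    value = headers.get("content-encoding", "")
    if value.lower().startswith("identity"):
        return True, f"rule {RULE_ID}: {ALERT}"
    return False, ""


# Constructed sample requests (not real traffic). example.test is a placeholder host.
SAMPLE_REQUESTS = {
    "identity_body": "POST /login HTTP/1.1\r\nHost: example.test\r\n"
                     "Content-Encoding: Identity\r\nContent-Length: 5\r\n\r\nhello",
    "accept_only": "GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Encoding: identity\r\n\r\n",
    "gzip_body": "POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Encoding: gzip\r\n\r\n",
}


def evaluate(requests: Dict[str, str]) -> Dict[str, bool]:
    """Map each sample request name to whether rule 340362 would block it."""
    return {name: rule_340362(parse_headers(raw))[0] for name, raw in requests.items()}


if __name__ == "__main__":
    for name, blocked in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name}: {'BLOCKED' if blocked else 'allowed'}")
```

Only the request carrying a Content-Encoding that starts with "identity" is blocked; a gzip-encoded body is a properly defined encoding and is outside this rule's scope, as the description notes.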

False Positives:

None. If this rule triggers it means content-encoded data, as explained above, is being sent to the server. If you allow this by disabling this rule you will open your system up to attacks that ModSecurity cannot detect or prevent.

Do not disable this rule.

Similar Rules

None.

References

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
