When a form submission contains a percent sign followed by two hex digits may cause a false positive as follows:
A good example is a person who tried to set a password similar to 'Secret%0015'. So the submission was password=Secret%250015 (and password_confirmation=Secret%250015) Mod security reported:
Message: Warning. Found 1 byte(s) in ARGS:Password outside range: 1-255. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "574"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
Discussion on the mailing list decided that the %25 was being decoded as % (properly) and then the rule evaluated the % followed by the 00 as a null.
On 06/09/2017 04:15 PM, Chaim Sanders wrote:
Yes as Manuel pointed out %00 is a null char and is forbidden. tl;dr it is used to indicate the end of a string in C and as a result languages built on C (like php) when provided with it may treat that as the end of a string even when more is provided.
In any event this is actually kinda interesting, the problem is a disagreement about how webservers versus modsec will handle the code. Depending on which webserver provides the varabiles and where, it is already url decoded. For instance Apache. So in this case Apache decoded the variable and turned %25 back into a percent sign before modsec got it. Then CRS's rule 920270 applied t:urlDecodeUni decoded it again. this led to it detected a null byte.
TO BE CLEAR PASSING AN ACTUAL NULLBYTE WILL TRIGGER THIS RULE, IT"S THE %25 THAT IS A POSSIBLE PROBLEM.
Now there is some logic here. Early microsoft IIS would do what's known as double decode, but we have other rules to detect that, so there is probably a good reason to open up a ticket and have a discussion about removing that transformation. The problem is going to be that we have to make sure that IIS/Nginx/Apache all behave in the same way, but that isn't your problem that is ours.
Reproduce this by submitting a form containing a field with xxx%00xxx
When a form submission contains a percent sign followed by two hex digits may cause a false positive as follows:
A good example is a person who tried to set a password similar to 'Secret%0015'. So the submission was password=Secret%250015 (and password_confirmation=Secret%250015) Mod security reported:
Message: Warning. Found 1 byte(s) in ARGS:Password outside range: 1-255. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "574"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
Discussion on the mailing list decided that the %25 was being decoded as % (properly) and then the rule evaluated the % followed by the 00 as a null.
On 06/09/2017 04:15 PM, Chaim Sanders wrote:
Reproduce this by submitting a form containing a field with xxx%00xxx