Il s'agit d'une duplication d'une question que je viens de poser sur StackOverflow, avant de réaliser que c'était peut-être un meilleur endroit pour la poser.
J'ai installé ModSecurity 2.9.3 et les règles de sécurité OWASP CRS 3.3.2 sur mon nouveau VPS (Virtualmin).
J'ai activé le REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES et cela semble fonctionner.
L'éditeur de thème de Wordpress, en revanche, ne le fait pas. Lors de l'enregistrement, il reçoit une réponse 403 ("Saving failed").
Je sais que c'est Modsecurity car lorsque je le désactive, tout fonctionne bien.
J'ai enquêté sur le journal d'audit et j'ai créé les règles correspondantes dans REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf :
SecRule REQUEST_URI "@contains /wp-json/wp/v2/template-parts/" \
"id:10000002,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130;ARGS=content"
SecRule REQUEST_URI "@contains /wp-json/wp/v2/templates/<hostname>/page/" \
"id:10000003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130"Je sais que les règles sont lues, car lorsque je modifie l'uri de la requête, Wordpress ne fonctionne plus du tout.
Cependant, le problème persiste. Je ne suis pas un expert de Modsecurity ; je comprends que mes règles d'exclusion ne sont pas correctement rédigées, mais je n'arrive pas à les faire fonctionner.
Voici quelques exemples de faux positifs provenant du journal d'audit, déclenchés par l'éditeur de thème Wordpress :
--48163009-H--
Message: Warning. Pattern match "(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\".*\")\\s+|!\\s*|\\$)*\\s*(?:'|\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\"\\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]* ..." at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "158"] [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: {\x22top found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"]
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] ModSecurity: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "250"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:template-part {\\\\x22slug\\\\x22:\\\\x22header\\\\x22,\\\\x22theme\\\\x22:\\\\x22<hostname>\\\\x22,\\\\x22tagname\\\\x22:\\\\x22header\\\\x22} /-->\\\\x0a\\\\x0a<!-- wp:group {\\\\x22tagname\\\\x22:\\\\x22main\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x220\\\\x22,\\\\x22right\\\\x22:\\\\x220\\\\x22,\\\\x22bottom\\\\x22:\\\\x220\\\\x22,\\\\x22left\\\\x22:\\\\x220\\\\x22},\\\\x22blockgap\\\\x22:\\\\x220\\\\x22}}} -->\\\\x0a<main class=\\\\x22wp-block-group\\\\x22 style=\\\\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\\\\x22><!..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "sit.<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 92.46.0.178] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]
