Tags: apache, security, mod-security, mod-security2

Customizing apache mod security to accept content-type=text/plain


In our current environment, we have an internet-facing web application, and all incoming traffic to it is routed through an Apache reverse proxy. On this reverse proxy we have configured ModSecurity as well.

Now, some of our inbound requests have Content-Type: text/plain. All these requests are being blocked by the ModSec rule set, with the logs below:

[Tue Jan 10 11:14:31 2017] [error] [client 175.45.116.65] ModSecurity:  [file "/etc/httpd/conf/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "text/plain"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [hostname "hadToRemove"] [uri "hadToRemove"] [unique_id "WHQnZwoMD1QAACBlB70AAAAN"]

Now, if we want to allow text/plain as an acceptable content-type, how should we add that? We already have a conf file where we have disabled/customized some rules. I just don't know how to add this one.

PS: according to this post (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/208), this issue is already fixed, but for that we will have to upgrade our ruleset.


Solution

  • You should have a modsecurity_crs_10_setup.conf file where these types of things are configured and then used by the various other rules.

    That file has a line like the following:

    #
    # Set the following policy settings here and they will be propagated to the 30 rules
    # file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
    # If you run into false positives, you can adjust the settings here.
    #
    SecAction \
      "id:'900012', \
      phase:1, \
      t:none, \
      setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
      setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \

    You can alter that last line to allow text/plain:

      setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain', \


    And then restart Apache.
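As an added check, not part of the original answer or of the CRS itself, the following Python script reproduces the decision rule 960010 makes from that setvar line, so you can confirm before restarting that a header such as `text/plain; charset=UTF-8` will pass once `text/plain` is appended. It assumes that the rule captures the media type without its parameters into TX:0 (pattern `^([^;\s]+)`, lowercased) before matching `^%{tx.allowed_request_content_type}$`, which the log line shows only partially.

```python
import re

# Constructed excerpt of the setvar line from modsecurity_crs_10_setup.conf,
# before and after the edit recommended in the answer.
SETUP_BEFORE = (
    "setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded"
    "|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'"
)
SETUP_AFTER = SETUP_BEFORE[:-1] + "|text/plain'"


def allowed_types_from_setvar(line):
    """Extract the tx.allowed_request_content_type value from a setvar: entry."""
    m = re.search(r"setvar:'tx\.allowed_request_content_type=([^']*)'", line)
    if not m:
        raise ValueError("no tx.allowed_request_content_type setvar found")
    return m.group(1)


def content_type_permitted(content_type_header, allowed):
    """Mimic rule 960010: strip header parameters (e.g. '; charset=utf-8') into
    TX:0, then require the macro-expanded ^<allowed>$ to match.
    Assumption: capture is ^([^;\\s]+) with t:lowercase, as in CRS 2.2.x."""
    m = re.match(r"^([^;\s]+)", content_type_header)
    if not m:
        return False
    tx0 = m.group(1).lower()
    # The macro is expanded textually, so the alternation is NOT grouped:
    # ^a|b|c$ anchors only the first and the last alternative. Reproduced
    # as-is here so the check behaves like the rule, not like an ideal version.
    return re.search("^" + allowed + "$", tx0) is not None


def evaluate(content_type_header, setvar_line):
    """Return what the proxy would do with this Content-Type under this setup line."""
    allowed = allowed_types_from_setvar(setvar_line)
    return "allow" if content_type_permitted(content_type_header, allowed) else "403 (rule 960010)"


if __name__ == "__main__":
    # Constructed sample headers, including the parameterised form browsers send.
    for hdr in ["text/plain", "text/plain; charset=UTF-8",
                "application/json", "application/octet-stream"]:
        print(f"{hdr!r:32} before: {evaluate(hdr, SETUP_BEFORE):18} "
              f"after: {evaluate(hdr, SETUP_AFTER)}")
```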