By nisari
I am using modsecurity with nginx (v1.13.6) on Ubuntu 16.04. When I try to upload zip files, single jpeg files or mov files via an API to my web server, I get the following error in the modsecurity error log.
2018/02/28 05:14:04 [error] 1893#0: [client 103...*] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [rev "1"] [msg "POST request missing Content Length Header."] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname ""] [uri "/api/upload"] [unique_id "ac"]
Is there any way to write a rule that allows all requests that have a particular field set in the request header, so that they are not an anomaly to the OWASP rules and are not blocked at the server's firewall? Or what else can be done to overcome this error?
I added the following rule to the modsecurity.conf file, but it shows the following error. Rule:
SecRule REQUEST_FILENAME "/api/upload" \
    "id:'400001',phase:1,allow,log,msg:'Upload detected',ctl:requestBodyAccess=off"
Error:
2018/02/28 05:47:17 [error] 4847#0: [client 103.92.19.39] ModSecurity: Access allowed (phase 1). Pattern match "/api/upload" at REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "20"] [id "400001"] [msg "Upload detected"] [hostname ""] [uri "/api/upload"] [unique_id "AcAcAc92AcAcAc9cAcjcA1Ac"]
Hello,
The error message which is being seen in the ModSecurity log indicates that the POST request is missing the Content-Length header, which is required for HTTP/1.1 requests. This is triggering the “REQUEST-920-PROTOCOL-ENFORCEMENT” rule in the OWASP ModSecurity Core Rule Set (CRS).
Adding a rule to disable the “requestBodyAccess” feature for the “/api/upload” endpoint is not recommended, as it can make your server vulnerable to certain types of attacks that rely on manipulating the request body.
Instead, you can modify the existing “REQUEST-920-PROTOCOL-ENFORCEMENT” rule to allow requests without a Content-Length header, but only for the “/api/upload” endpoint. Here’s an example of how you can do this:
# Exclusion for the upload endpoint. It runs in phase 1, which is evaluated
# before the request-phase CRS rules, so rule 920180 is removed for this
# transaction before it would fire.
# Note: ModSecurity has no "requestContentLengthCheck" ctl option; removing
# rule 920180 for this path is what lets the request through.
SecRule REQUEST_URI "/api/upload" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920180"
This rule uses the “ctl” (control action) directive to disable the Content-Length header check and remove the “REQUEST-920-PROTOCOL-ENFORCEMENT” rule for requests to the “/api/upload” endpoint.
You can add this rule to a separate file in the “/usr/local/nginx/conf/owasp-modsecurity-crs/rules/” directory, such as “/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-1000-CUSTOM.conf”.
Make sure to reload or restart nginx after making changes to the ModSecurity rules.
Note that allowing requests without a Content-Length header can potentially make your server vulnerable to HTTP request smuggling attacks. You should thoroughly test your application to ensure that it is not affected by this change.
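As an added example that is not part of the question or the answer above: a small Python parser for the nginx ModSecurity error-log format shown in this thread. It tallies which rule ids fire on which URI, so that an exclusion can be scoped to the one rule and path that actually need it instead of disabling body inspection, and renders that exclusion as a phase-1 SecRule. The sample log lines are constructed; the exclusion rule id 1000 and the use of the @beginsWith operator are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx ModSecurity error-log format from the
# thread (client addresses and unique_id values are made up).
SAMPLE_LOG = """\
2018/02/28 05:14:04 [error] 1893#0: [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [msg "POST request missing Content Length Header."] [severity "WARNING"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname ""] [uri "/api/upload"] [unique_id "constructed-1"]
2018/02/28 05:14:09 [error] 1893#0: [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [msg "POST request missing Content Length Header."] [severity "WARNING"] [tag "attack-protocol"] [hostname ""] [uri "/api/upload"] [unique_id "constructed-2"]
2018/02/28 05:15:30 [error] 1893#0: [client 192.0.2.12] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "309"] [id "920180"] [msg "POST request missing Content Length Header."] [severity "WARNING"] [tag "attack-protocol"] [hostname ""] [uri "/api/status"] [unique_id "constructed-3"]
2018/02/28 05:47:17 [error] 4847#0: [client 192.0.2.13] ModSecurity: Access allowed (phase 1). Pattern match "/api/upload" at REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "20"] [id "400001"] [msg "Upload detected"] [hostname ""] [uri "/api/upload"] [unique_id "constructed-4"]
2018/02/28 05:50:00 [notice] 1893#0: signal process started
"""

# Bracketed key/value fields such as [id "920180"]; the tag key may repeat.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# nginx prefix, client address and the ModSecurity verdict text up to its period.
HEAD_RE = re.compile(r'^(\S+ \S+) \[\w+\] \S+: \[client ([^\]]+)\] ModSecurity: ([^.]+)\.')


def parse_line(line):
    """Return a dict for one ModSecurity event line, or None for other nginx lines."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "client": m.group(2), "action": m.group(3), "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(value)  # keep every tag, not just the last one
        else:
            rec[key] = value
    return rec


def summarize(log_text):
    """Count rule hits per (uri, rule id), skipping 'Access allowed' lines from local allow rules."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "id" in rec and not rec["action"].startswith("Access allowed"):
            counts[(rec["uri"], rec["id"])] += 1
    return counts


def exclusion_rule(uri, rule_ids, rule_id=1000):
    """Render a phase-1 exclusion removing the given CRS rule ids for one URI prefix (id 1000 assumed)."""
    ctls = ",\\\n    ".join(f"ctl:ruleRemoveById={rid}" for rid in sorted(rule_ids))
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
            f'    "id:{rule_id},\\\n    phase:1,\\\n    pass,\\\n    nolog,\\\n    {ctls}"')


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for (uri, rid), n in hits.most_common():
        print(f"{uri}\t{rid}\t{n}")
    print(exclusion_rule("/api/upload", {rid for (u, rid) in hits if u == "/api/upload"}))
```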