ModSecurity is a popular and widely deployed open source web application firewall engine. By design, ModSecurity does not include any security logic. The recommended configuration contains only a couple of rules that are tightly coupled with the performance of the engine itself. A comprehensive set of rules for ModSecurity can be obtained from a separate project called ModSecurity Core Rules.
One of the main goals of web application firewalls (WAFs) is to detect attacks against the web applications they are protecting. In the most commonly used deployment modes (e.g., when operating as a reverse proxy), a WAF will terminate the higher layers of the traffic stream (e.g., the HTTP protocol), but only inspect and pass-through the remainder of the data. In the latter case, WAFs are vulnerable to impedance mismatch issues, where they interpret traffic in one way and the backend application interprets it in another way. When an impedance mismatch issue exists, the WAF may be vulnerable to evasion attacks.
Impedance mismatch issues are possibly the most difficult aspect of WAF implementation. In many cases, correct deployment requires not only correct implementation in the WAF, but correct configuration and handling of the reported problems by administrators. Our hope is that this short document, as well as our future research in this area, will shed some light onto this rarely discussed topic of WAF design. We would be delighted if this information is used to raise the effective security in real-life WAF deployments.
- Confirmed in ModSecurity 2.6.5; earlier versions likely to be vulnerable
- Confirmed in ModSecurity Core Rule Set 2.2.4; earlier versions likely to be vulnerable.
Problem #1: Multipart bypass in ModSecurity with PHP in the backend
A mismatch between how multipart content is parsed in ModSecurity and PHP enables an attacker to perform a full rule set bypass.
PHP has a very lax multipart/form-data parser. Traditionally, securing ModSecurity against evasion in this parser is where a lot of development time was spent. In 2009, Stefan Esser published an evasion technique that relies on the use of single quotes—which are supported by PHP but were not supported by ModSecurity at the time—to trick ModSecurity into treating a request parameter as a file. This results in a bypass because ModSecurity uses separate mechanisms for the inspection of request parameter and file content, and files are often left uninspected.