modsec json processor

1. Segfault request:
2.  
3. error_log:
4. [Wed Feb 12 10:28:30 2014] [notice] child pid 23102 exit signal Segmentation fault (11)
5.  
6. audit_log:
7. --ca2ca03c-A--
8. [12/Feb/2014:10:28:29 +0000] UvtMzAoFLh4AAFo@BrMAAAAG 10.5.21.207 44990 10.5.46.31 443
9. --ca2ca03c-B--
10. POST /app/%20/init HTTP/1.1
11. Accept: application/json
12. Content-Type: application/json;charset=UTF-8
13. Content-Length: 587
14. Authorization: Basic V2ViYXBwOnF3ZXJ0xxxxxx==
15. User-Agent: Jakarta Commons-HttpClient/3.1
16. Host: payments.internal
17. Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app
18.  
19.  
20. request and response extracted from pcap:
21.  
22. POST /app/%20/init HTTP/1.1
23. Accept: application/json
24. Content-Type: application/json;charset=UTF-8
25. Content-Length: 587
26. Authorization: Basic XXXXXXXXXXX==
27. User-Agent: Jakarta Commons-HttpClient/3.1
28. Host: payments.internal
29. Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app
30.  
31. {"channel":"TEST","currency":"GBP","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"N11 1GF","email":"[email protected]","address1":"1 street","address2":"London ","address3":null,"cardNumber":"111111111111111","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":22000,"address4":null, "billingCountry":"GB","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"3434","distributionCentre":"DC1","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}
32.  
33. HTTP/1.1 200 OK
34. Date: Wed, 12 Feb 2014 10:28:29 GMT
35. Server: Apache-Coyote/1.1
36. Content-Type: application/json;charset=UTF-8
37. Via: 1.1 payments.internal
38. Connection: close
39. Transfer-Encoding: chunked
40.  
41. a3
42. {"pareq":null,"acsUrl":null,"provider":"payments","extraReason":null,"reference":20064024,"returnCodeReason":"3DSecure is not supported","returnCodeResult":8}
43. 0
44.  
45. ------------------------
46.  
47. Succesful Request:
48.  
49.  
50. --3e626e6b-A--
51. [12/Feb/2014:10:28:19 +0000] UvtMwwoFLh4AAFo@BrAAAAAD 10.5.21.207 53914 10.5.46.31 443
52. --3e626e6b-B--
53. POST /app/%20/init HTTP/1.1
54. Accept: application/json
55. Content-Type: application/json;charset=UTF-8
56. Content-Length: 582
57. Authorization: Basic XXXXXXXXXXX==
58. User-Agent: Jakarta Commons-HttpClient/3.1
59. Host: payments.internal
60. Cookie: $Version=0; JSESSIONID=DA37FA116A0EEAF11C7C2F9C3169DF30; $Path=/app
61.  
62. --3e626e6b-C--
63. {"channel":"TEST","currency":"USD","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"123456","email":"[email protected]","address1":"Address 1 content","address2":"Address 2 content","address3":null,"cardNumber":"1000000000000001","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":101250, "address4":null,"billingCountry":"AR","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"123","distributionCentre":"DC2","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}
64. --3e626e6b-F--
65. HTTP/1.1 200 OK
66. Content-Type: application/json;charset=UTF-8
67. Via: 1.1 payments.internal
68. Connection: close
69. Transfer-Encoding: chunked
70.  
71. --3e626e6b-E--
72.  
73. --3e626e6b-H--
74. Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
75. Message: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.test.com found within TX:1: www.netaporter.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]
76. Message: Warning. Pattern match "(.*)" at TX:990012-OWASP_CRS/AUTOMATION/MALICIOUS-REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: Jakarta Commons-HttpClient/3.1"]
77. Message: Warning. Pattern match "(.*)" at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: www.test.com"]
78. Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=0, XSS=0): Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"]
79. Apache-Handler: proxy-server
80. Stopwatch: 1392200899114926 208719 (- - -)
81. Stopwatch2: 1392200899114926 208719; combined=52677, p1=26226, p2=26239, p3=7, p4=121, p5=83, sr=25902, sw=1, l=0, gc=0
82. Response-Body-Transformed: Dechunked
83. Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
84. Server: Apache
85. Engine-Mode: "DETECTION_ONLY"