modsec json processor

By: a guest on Feb 12th, 2014
Segfault request:

error_log:
[Wed Feb 12 10:28:30 2014] [notice] child pid 23102 exit signal Segmentation fault (11)

audit_log:
--ca2ca03c-A--
[12/Feb/2014:10:28:29 +0000] UvtMzAoFLh4AAFo@BrMAAAAG 10.5.21.207 44990 10.5.46.31 443
--ca2ca03c-B--
POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 587
Authorization: Basic V2ViYXBwOnF3ZXJ0xxxxxx==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app


request and response extracted from pcap:

POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 587
Authorization: Basic XXXXXXXXXXX==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=721CCB90694383A98CE0A81CC1708893; $Path=/app

{"channel":"TEST","currency":"GBP","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"N11 1GF","email":"test1392200959682@testing.com","address1":"1 street","address2":"London ","address3":null,"cardNumber":"111111111111111","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":22000,"address4":null, "billingCountry":"GB","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"3434","distributionCentre":"DC1","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}

HTTP/1.1 200 OK
Date: Wed, 12 Feb 2014 10:28:29 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Via: 1.1 payments.internal
Connection: close
Transfer-Encoding: chunked

a3
{"pareq":null,"acsUrl":null,"provider":"payments","extraReason":null,"reference":20064024,"returnCodeReason":"3DSecure is not supported","returnCodeResult":8}
0

------------------------

Successful request:


--3e626e6b-A--
[12/Feb/2014:10:28:19 +0000] UvtMwwoFLh4AAFo@BrAAAAAD 10.5.21.207 53914 10.5.46.31 443
--3e626e6b-B--
POST /app/%20/init HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 582
Authorization: Basic XXXXXXXXXXX==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal
Cookie: $Version=0; JSESSIONID=DA37FA116A0EEAF11C7C2F9C3169DF30; $Path=/app

--3e626e6b-C--
{"channel":"TEST","currency":"USD","title":"Ms","firstName":"myFirstName","lastName":"myLastName","postcode":"123456","email":"test1392200968248@testing.com","address1":"Address 1 content","address2":"Address 2 content","address3":null,"cardNumber":"1000000000000001","isSavedCard":false,"isPreOrder":false,"cardType":null,"coinAmount":101250, "address4":null,"billingCountry":"AR","cardExpiryMonth":"03","cardExpiryYear":"16","cardIssueNumber":"1","cardCVSNumber":"123","distributionCentre":"DC2","paymentMethod":"CREDITCARD","merchantUrl":"http://www.test.com"}
--3e626e6b-F--
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Via: 1.1 payments.internal
Connection: close
Transfer-Encoding: chunked

--3e626e6b-E--

--3e626e6b-H--
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.test.com found within TX:1: www.netaporter.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]
Message: Warning. Pattern match "(.*)" at TX:990012-OWASP_CRS/AUTOMATION/MALICIOUS-REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: Jakarta Commons-HttpClient/3.1"]
Message: Warning. Pattern match "(.*)" at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: www.test.com"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=0, XSS=0): Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"]
Apache-Handler: proxy-server
Stopwatch: 1392200899114926 208719 (- - -)
Stopwatch2: 1392200899114926 208719; combined=52677, p1=26226, p2=26239, p3=7, p4=121, p5=83, sr=25902, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
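The audit_log excerpts above are in ModSecurity's serial audit log format: each transaction is a run of sections, --id-A-- (timestamp and peers), -B- (request headers), -C- (request body), -F-/-E- (response headers and body), -H- (rule hits, timers, producer), closed by an empty -Z- terminator. The telling difference between the two entries is that the segfaulting request's entry stops after section B, while the successful one carries every section through H. The Python below is an added example, not part of this paste and not ModSecurity's own tooling: it parses a log in that format into sections, pulls the rule id, message, severity and tags out of each Message line in H, reports the CRS anomaly score, flags entries that never reached H so they can be correlated with the error_log segfault timestamps, and masks cardNumber and cardCVSNumber before a section C body is copied anywhere (the successful entry above logs both in clear). The sample log is a constructed abridgement of the two entries above; the -Z- terminator is assumed, since the paste is cut off before it; the function names are my own.

```python
import json
import re

# Constructed sample, abridged from the two audit-log entries above. Entry ca2ca03c
# stops after section B (the Apache child died before ModSecurity wrote C..Z); entry
# 3e626e6b is complete. The "-Z--" terminator that closes a serial-format entry is
# assumed here, since the paste is cut off before it.
SAMPLE_AUDIT_LOG = r"""--ca2ca03c-A--
[12/Feb/2014:10:28:29 +0000] UvtMzAoFLh4AAFo@BrMAAAAG 10.5.21.207 44990 10.5.46.31 443
--ca2ca03c-B--
POST /app/%20/init HTTP/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 587
Host: payments.internal

--3e626e6b-A--
[12/Feb/2014:10:28:19 +0000] UvtMwwoFLh4AAFo@BrAAAAAD 10.5.21.207 53914 10.5.46.31 443
--3e626e6b-B--
POST /app/%20/init HTTP/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 582
User-Agent: Jakarta Commons-HttpClient/3.1
Host: payments.internal

--3e626e6b-C--
{"channel":"TEST","currency":"USD","cardNumber":"1000000000000001","cardCVSNumber":"123","coinAmount":101250,"merchantUrl":"http://www.test.com"}
--3e626e6b-H--
Message: Warning. Pattern match "(?i:(?:c(?:o ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [tag "OWASP_CRS/AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.test.com found within TX:1: www.netaporter.com"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]
Message: Warning. Pattern match "(.*)" at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=0, XSS=0): Last Matched Message: Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Last Matched Data: www.test.com"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=0, XSS=0): Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"]
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Engine-Mode: "DETECTION_ONLY"
--3e626e6b-Z--
"""
SAMPLE_ERROR_LOG = "[Wed Feb 12 10:28:30 2014] [notice] child pid 23102 exit signal Segmentation fault (11)\n"

SECTION_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$', re.M)
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # the [key "value"] pairs of a Message line
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
SEGV_RE = re.compile(r'^\[(.+?)\] \[\w+\] child pid (\d+) exit signal Segmentation fault', re.M)
SENSITIVE_KEYS = {'cardNumber', 'cardCVSNumber'}          # never copy these into a bug report

def parse_audit_log(text):
    """Split a serial-format audit log into {txid: {section_letter: body}}, in file order."""
    entries = {}
    marks = list(SECTION_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip('\n')
    return entries

def parse_messages(h_body):
    """One dict per 'Message:' line of section H: rule id, msg, severity and tags."""
    hits = []
    for line in h_body.splitlines():
        if line.startswith('Message: '):
            pairs = FIELD_RE.findall(line)
            fields = dict(pairs)                  # single-valued keys; repeated 'tag' handled below
            hits.append({'id': fields.get('id'), 'msg': fields.get('msg'),
                         'severity': fields.get('severity'),
                         'tags': [v for k, v in pairs if k == 'tag']})
    return hits

def anomaly_score(hits):
    """Highest total score reported by the CRS scoring rules (981176 / 981204), or None."""
    scores = [int(m.group(1)) for h in hits for m in [SCORE_RE.search(h['msg'] or '')] if m]
    return max(scores) if scores else None

def segfaults(error_log):
    """(timestamp, pid) for every worker the Apache error_log reports as segfaulting."""
    return [(m.group(1), int(m.group(2))) for m in SEGV_RE.finditer(error_log)]

def redacted_body(c_body):
    """Parse the JSON request body (section C) and mask card data; None if absent/not JSON."""
    try:
        obj = json.loads(c_body)
    except ValueError:
        return None
    return {k: ('***' if k in SENSITIVE_KEYS and v is not None else v) for k, v in obj.items()}

def summarise(audit_text, error_text):
    """Per-transaction summary plus the segfault list to correlate timestamps against.
    An entry with no H section was never finished by ModSecurity; in the paste above that
    is exactly the request whose worker segfaulted, so those entries are the crash candidates."""
    report = {}
    for txid, secs in parse_audit_log(audit_text).items():
        hits = parse_messages(secs.get('H', ''))
        request = secs.get('B', '')
        report[txid] = {'request': request.splitlines()[0] if request else None,
                        'complete': 'H' in secs,
                        'rule_ids': [h['id'] for h in hits],
                        'anomaly_score': anomaly_score(hits),
                        'body': redacted_body(secs.get('C', ''))}
    return report, segfaults(error_text)

if __name__ == '__main__':
    report, crashes = summarise(SAMPLE_AUDIT_LOG, SAMPLE_ERROR_LOG)
    for txid, info in report.items():
        print(txid, info['request'], 'score=%s' % info['anomaly_score'],
              '' if info['complete'] else '<-- no H section: crash candidate')
    print('segfaults:', crashes)
```

summarise() returns the per-transaction dict rather than only printing it, so the same logic can be pointed at a real audit log and error_log and the incomplete entries matched against the segfault timestamps in a log-processing job.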