• caglararli@hotmail.com
  • 05386281520

ModSecurity Command Injection not working

Çağlar Arlı      -    65 Views

ModSecurity Command Injection not working

I am testing web application firewall and I have installed ModSecurity 2.9 runs Core ModSecurity Rule Set ver.2.2.9 and to test on Web application I also install DVWA Platform: Windows and trying to do Command Inject and it allows even if I included rules for command inject modsecurity_crs_40_generic_attacks.conf all other rules for SQLinject,XSS etc works fine . Command Injection in windows

the Rule for Command Inject is as follows

 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:\.[\"\^]*\w+)?\b" \
        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"

SecMarker END_COMMAND_INJECTION1
I want to know what can be done so that if I inject a command 127.0.0.1 & shutdown /l or anything after "&" in textbox the ModSecurity must redirect to 403 error page . I have read similar post and solutions if I try my apache server will crash .