Rule 941120 Processing time is too long

[sunskyyao]

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="
"id:941120,
phase:2,
block,
capture,
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,
msg:'XSS Filter - Category 2: Event Handler Vector',
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
tag:'application-multi',
tag:'language-multi',
tag:'platform-multi',
tag:'attack-xss',
tag:'OWASP_CRS',
tag:'OWASP_CRS/WEB_ATTACK/XSS',
tag:'WASCTC/WASC-8',
tag:'WASCTC/WASC-22',
tag:'OWASP_TOP_10/A3',
tag:'OWASP_AppSensor/IE1',
tag:'CAPEC-242',
ctl:auditLogParts=+E,
ver:'OWASP_CRS/3.2.0',
severity:'CRITICAL',
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Type of Issue
Rule processing takes longer

Description
Post more than 1M request body,The content of request body exceeds 1M, crs processing timeout. rule id is 941120. Form data submit.The content of the file is submitted through the input box, not through the file.
1M.txt

Your Environment
nginx
CRS version (e.g. v3.2.0):
ModSecurity version (e.g. 3.2):

[airween]

Hi @sunskyyao,

thanks for the report.

Could you tell us your ModSecurity version exactly? There isn't any release with version 3.2. If your HTTP server is Nginx, then it could be libmodsecurity3 with version 3.0.[01234], or mod_security2.

Also we need the variables from your modsecurity config with these names:
grep -w "\(SecRequestBodyLimit\|SecRequestBodyNoFilesLimit\)" /path/to/your/modsecurity.conf

Thanks.

[sunskyyao]

Test environment:
modsecurity: 3.0.4
CRS : OWASP_CRS/3.2.0
server: nginx

test web:
html.zip

modsecurity.conf

modsecurity.conf.txt

root@liangay-virtual-machine:/usr/local/nginx/conf# grep -w "(SecRequestBodyLimit|SecRequestBodyNoFilesLimit)" modsecurity.conf
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

gdb trace thead

It is suspected that the regular expression of this rule caused pcre processing to time out. The problem may be PCRE or the rule.

[airween]

Hi @sunskyyao,

thanks for more details. The issue is still under investigating, please be patient.

[dune73]

We talked about this a big deal during (or rather after) our monthly chat.

@dune73 (thus me) came up with a simpler variant of this rule that should kill the performance / DoS problems and still match the same payloads.

"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]on(load|...|...)[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"

@airween is going to test this and provide a PR if it works. If not, we need to continue our discussion.

Meeting minutes: #1671 (comment)

[dune73]

@airween : Do you have any update on your test with this rule?

[airween]

With @theMiddleBlue we're still working on this issue. Needs more time to finish.