
ModSecurity blocks Google Tag Manager iframe

Question


I have the same problem described in the following issue.

Here is the error log:

[Tue May 16 18:19:38.745674 2023] [:error] [pid 1796577:tid 140122351191808] [remote CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\\\ssrc=\\\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\\\ssrc=\\\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\\\?url=" against "TX:0" required.
[id "214540"] [rev "5"] [msg "COMODO WAF: Possibly malicious iframe tag in output||web.site|F|3"] [data "Matched Data: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none found within TX:0: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none"] [severity "ERROR"] [tag "CWAF"] [tag "FilterInFrame"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]
[Tue May 16 18:19:38.865218 2023] [:error] [pid 1796577:tid 140122167179008] [client CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points.
[id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|web.site|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]

Here is the content of the config file /etc/modsecurity/comodo/19_Outgoing_FilterInFrame.conf:

SecRule RESPONSE_BODY "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b" \
        "id:214540,chain,msg:'COMODO WAF: Possibly malicious iframe tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:replaceComments,rev:5,severity:3,tag:'CWAF',tag:'FilterInFrame'"
SecRule &REQUEST_COOKIES:sugar_user_theme "@eq 0" \
        "chain,t:none"
SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
        "t:none,t:urlDecodeUni"

SecRule RESPONSE_BODY "(?i:<[\t\n\r ]{0,}IFRAME[\t\n\r ]{0,}?[^>]{0,}?src=\x22javascript:)" \
        "id:214550,msg:'COMODO WAF: Malicious iframe+javascript tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:3,tag:'CWAF',tag:'FilterInFrame'"

SecMarker SECMARKER_214400

As you can see, there is a "whitelist" for googletagmanager and soundcloud, but it seems it is not working. The mentioned iframe on the website should be the following:

<!-- Google Tag Manager (noscript) -->
<noscript><iframe height="0" width="0" style="display:none;visibility:hidden" data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->

I don't understand why the following "whitelist rule" doesn't work, can you help me out?

SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
        "t:none,t:urlDecodeUni"

Thank you for your time.

Tired of editing the regexp. I expected that the "whitelist" rule works.

Answer 1

Score: 1


First of all, you can't match against TX:0 like this, it will never work as you expect. Look at the first SecRule in the chain of rule 214540 - that is what you need to match, i.e. RESPONSE_BODY.

I suggest this exclusion rule, but note that it will completely disable rule 214540 on all pages which contain your Google iframe:

SecRule RESPONSE_BODY "@contains https://www.googletagmanager.com/ns.html" \
    "id:138,\
    phase:4,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=214540;RESPONSE_BODY"
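An added example, not code from the question or the answer: a Python emulation of the 214540 chain and of exclusion rule 138, run over the lazyload markup from the question and a constructed variant with src placed before style. It assumes the sugar_user_theme cookie is absent (so the second chain link passes) and omits t:urlDecodeUni, which changes nothing in these inputs; function names are mine.

```python
import re

# First chain link of 214540, applied to RESPONSE_BODY with "capture": TX:0 holds only
# the matched text (from "<iframe" to "display:none"), so the later "!@rx" on TX:0 sees
# nothing after that point, in particular not a src attribute that comes later.
IFRAME_DISPLAY_NONE = re.compile(
    r"<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?"
    r"[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b"
)
# Third chain link ("whitelist"), negated in the rule: block unless this matches TX:0.
ALLOWED_SRC = re.compile(
    r"\ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM"
    r"|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url="
)
GTM_NS_URL = "https://www.googletagmanager.com/ns.html"  # @contains operand of rule 138


def rule_214540(body: str) -> tuple[bool, str]:
    """Emulate the chain; return (blocked, tx0). Cookie sugar_user_theme assumed absent."""
    m = IFRAME_DISPLAY_NONE.search(body)
    if m is None:
        return False, ""
    tx0 = m.group(0)
    blocked = ALLOWED_SRC.search(tx0) is None  # negated @rx evaluated on the capture only
    return blocked, tx0


def rule_214540_with_exclusion(body: str) -> bool:
    """Rule 138 from the answer: when the body contains the GTM ns.html URL, RESPONSE_BODY
    is removed from 214540's targets, so the chain has nothing to inspect and cannot block."""
    if GTM_NS_URL in body:
        return False
    return rule_214540(body)[0]


# Constructed sample bodies (container id GTM-XXXZZZ is the placeholder from the question).
LAZYLOAD_BODY = (
    '<noscript><iframe height="0" width="0" style="display:none;visibility:hidden" '
    'data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" class="lazyload" '
    'src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>'
)
SRC_FIRST_BODY = (
    '<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" '
    'height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>'
)

if __name__ == "__main__":
    for name, body in (("lazyload", LAZYLOAD_BODY), ("src-first", SRC_FIRST_BODY)):
        blocked, tx0 = rule_214540(body)
        print(f"{name}: TX:0={tx0!r}")
        print(f"  chain blocks={blocked}; allowlist regex on whole body matches="
              f"{ALLOWED_SRC.search(body) is not None}; with rule 138 blocks="
              f"{rule_214540_with_exclusion(body)}")
```

For the lazyload markup the allowlist regex fails even against the whole body, because the real URL sits in data-src (no whitespace before "src=") and src holds a data: URI; the @contains exclusion matches the URL wherever it appears.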

Posted by huangapple on 2023-05-17 16:11:41
Source link: https://go.coder-hub.com/76269882.html