
Unexpected Response Injection in ModSecurity-nginx

Open dbc-ca opened this issue 11 months ago • 7 comments

I am encountering unexpected behavior when using ModSecurity-nginx with a specific commit of the ModSecurity-nginx repository.

Starting from commit 62639fa2be3839e14e284d13c16516889feb8afb (dated June 18, 2024), I noticed that ModSecurity began injecting unexpected data into the response.

This issue was not present in commit ef64996aedd4bb5fa1831631361244813d48b82f (dated May 23, 2024), which was the last working version for me.

My build script uses these repositories:

NGINX_REPO="https://github.com/nginx/nginx.git"

MODSECURITY_REPO="https://github.com/SpiderLabs/ModSecurity.git"

MODSECURITY_NGINX_REPO="https://github.com/SpiderLabs/ModSecurity-nginx.git"

MODSECURITY_NGINX_TARGET_COMMIT="ef64996aedd4bb5fa1831631361244813d48b82f"

CORERULESET_REPO="https://github.com/coreruleset/coreruleset.git"

Starting from commit 62639fa2be3839e14e284d13c16516889feb8afb, I noticed that websites behind the reverse proxy began returning unexpected/random characters in the response.

I attempted to download a file, such as example.com/test.png, through the reverse proxy. When I compared the MD5 checksum of the file downloaded on the client versus the file on the server, the checksums did not match.

This issue does not occur with commit ef64996aedd4bb5fa1831631361244813d48b82f. This indicates that something introduced in commit 62639fa2be3839e14e284d13c16516889feb8afb is modifying or injecting data into the responses.

I’m not very experienced with reporting issues, but I want to ensure this is as helpful as possible. If there’s anything specific you need from me (logs, configurations, or additional details), please let me know, and I’ll be happy to provide them.

dbc-ca avatar Jan 17 '25 21:01 dbc-ca
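As an added example (not part of this issue and not ModSecurity-nginx project code), the following POSIX shell script automates the check the report above describes by hand: fetch a file through the reverse proxy, compare it byte-for-byte with the copy on the origin, and say whether the body was corrupted (extra or altered bytes, as in the report) or truncated (as later comments in this thread describe). The hostnames in the fetch helper and the sample "origin"/"proxied" files created in the demo are constructed for illustration; nothing here contacts a real server.

```shell
#!/bin/sh
# Added example, not from the issue thread or the project.
# Compares a response body received through the ModSecurity-nginx
# reverse proxy with the origin server's copy of the same file.

# Hex MD5 of a file: md5sum on Linux, md5 -q on BSD/macOS.
body_digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Size in bytes, with the leading spaces BSD wc prints stripped.
body_size() {
    wc -c < "$1" | tr -d ' '
}

# 1-based offset of the first byte that differs between two files.
# Prints 0 when they are identical. When one file is merely a truncated
# prefix of the other, cmp -l reports no differing byte, so the offset is
# taken as "one past the shorter file".
first_mismatch() {
    if cmp -s "$1" "$2"; then
        echo 0
        return 0
    fi
    off=$(cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{print $1}')
    if [ -z "$off" ]; then
        a=$(body_size "$1")
        b=$(body_size "$2")
        if [ "$a" -lt "$b" ]; then off=$((a + 1)); else off=$((b + 1)); fi
    fi
    echo "$off"
}

# compare_bodies ORIGIN_FILE PROXIED_FILE
# Returns 0 if the proxied body is byte-identical to the origin copy,
# 1 if it was corrupted or truncated, printing a one-line verdict.
compare_bodies() {
    origin_md5=$(body_digest "$1")
    proxied_md5=$(body_digest "$2")
    origin_len=$(body_size "$1")
    proxied_len=$(body_size "$2")
    if [ "$origin_md5" = "$proxied_md5" ] && [ "$origin_len" = "$proxied_len" ]; then
        echo "OK: $proxied_len bytes, md5 $origin_md5"
        return 0
    fi
    off=$(first_mismatch "$1" "$2")
    if [ "$proxied_len" -lt "$origin_len" ] && [ "$off" -gt "$proxied_len" ]; then
        echo "TRUNCATED: received $proxied_len of $origin_len bytes"
    else
        echo "CORRUPTED: first differing byte at offset $off" \
             "(origin $origin_len bytes, proxied $proxied_len bytes)"
    fi
    return 1
}

# fetch_through_proxy URL OUT_FILE
# Downloads the file as a client would see it through the proxy.
# Example URL (hypothetical host): https://example.com/test.png
fetch_through_proxy() {
    curl -fsS -o "$2" "$1"
}

# Demo on constructed data (no network): an "origin" file, a proxied copy
# that lost its tail, and a proxied copy with an altered byte.
demo=$(mktemp -d)
printf 'PNG-header-bytes-0123456789' > "$demo/origin.png"
printf 'PNG-header-by'               > "$demo/truncated.png"
printf 'PNG-header-Xytes-0123456789' > "$demo/corrupted.png"
compare_bodies "$demo/origin.png" "$demo/origin.png"    || true
compare_bodies "$demo/origin.png" "$demo/truncated.png" || true
compare_bodies "$demo/origin.png" "$demo/corrupted.png" || true
rm -rf "$demo"
```

In real use, replace the demo with `fetch_through_proxy https://example.com/test.png /tmp/test.png` and `compare_bodies /srv/www/test.png /tmp/test.png`, running the same pair against both the known-good and the suspect ModSecurity-nginx commit; the verdict line distinguishes injected or altered bytes from a body that is simply cut short, which are the two symptoms reported in this thread.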

@dbc-ca,

thanks for the report - please check #336, we are fighting with this issue :).

airween avatar Jan 18 '25 08:01 airween

same problem :O

drexlma avatar Jan 19 '25 15:01 drexlma

(image attachment)

drexlma avatar Jan 19 '25 16:01 drexlma

@drexlma,

thanks - the issue is under investigation. See #336.

airween avatar Jan 19 '25 18:01 airween

Hi @dbc-ca and @drexlma ,

I ran into a similar issue and I was able to work around it by setting SecResponseBodyAccess to Off after including /etc/nginx/modsecurity/modsecurity.conf. Maybe this helps you until @airween and the rest of the team come up with a real solution.

arnoschoon avatar Jan 20 '25 13:01 arnoschoon

I faced the same issue and after referring to https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/336, it looks like setting the following makes it work (no issues noticed so far):

proxy_buffer_size 128k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 128k;

Had been literally pulling my hair searching for modsecurity broken images. This thread needs some SEO :)

Sorry, I spoke too soon.

I'm on commit fb678c5b4456c733e011d4bd6ad0888baca8c124 (broken)

sharmashivanand avatar Jan 30 '25 13:01 sharmashivanand

Thank you @sharmashivanand !

I was getting zero size buf in writer t:0 r:0 f:0 0000000000000000 0000000000000000-0000000000000000 0000000000000000 0-0 while sending to client in my log, and the client was only getting half of the expected response body.

I had my proxy buffer disabled. Easy fix, after I finally found your comment.

bforbort avatar Feb 02 '25 04:02 bforbort