My RUI project is getting the following error because ModSecurity found the word UNION in my POST URI.
Error communicating with AMS. Try your request again.
Description:claimplace_div_select/placeclaimUpdateAdd_oe: [CRRUI3658E] An error occurred on proxy at "/clientweb/___proxy" while trying to invoke service on "" CRRUI3658E
403
Forbidden
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
Apache shows the following in the log:
[Thu Jul 13 06:52:33.460913 2023] [security2:error] [pid 19668:tid 1324] [client 127.0.0.1:62914] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS:body. [file "C:/temp/Apache24/conf/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \\x22UNION\\x22 found within ARGS:body: {\\x22bindingName\\x22:\\x22svc\\x22,\\x22method\\x22:\\x22placeclaimUpdateAdd\\x22,\\x22params\\x22:[{\\x22transref\\x22:\\x22000130089\\x22,\\x22cno\\x22:1995000,\\x22ac\\x22:\\x22UNION2\\x22,\\x22ac2\\x22:\\x22\\x22,\\x22bal\\x22:100.00,\\x22balcur\\x22:\\x22USD - US Dollars\\x22,\\x22bcountry\\x22:\\x22USA - UNITED STATES OF AMERICA\\x22,\\x22bname\\x22:\\x22UNION\\x22,\\x22bname2\\x22:\\x22\\x22,\\x22bstr\\x22:\\x221 UNION BLVD\\x22,\\x22baddr2\\x22:\\x22\\x22,\\x22baddr3\\x22:\\x22\\x22,\\x22BCITY\\x22..."] [sever [hostname "localhost"] [uri "/clientweb/___proxy"] [unique_id "ZK_XcY5USLxJWEOPfy20rQAAAD8"], referer: http://localhost/clientweb/menu_mainc-en_US.html
[Thu Jul 13 06:52:33.462912 2023] [security2:error] [pid 19668:tid 1324] [client 127.0.0.1:62914] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:/temp/Apache24/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "localhost"] [uri "/clientweb/___proxy"] [unique_id "ZK_XcY5USLxJWEOPfy20rQAAAD8"], referer: http://localhost/clientweb/menu_mainc-en_US.html
I've been asked by our network security people if I can "blob / obfuscate the POST data" so as to pass ModSecurity.
After some research I found I can modify the POST data by implementing a custom HTTP request handler using org.eclipse.equinox.http.servlet.HttpServiceServlet, but I'm not sure if that will solve the problem since I am not familiar with this type of modification.
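import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.equinox.http.servlet.HttpServiceServlet;

public class CustomHttpServiceServlet extends HttpServiceServlet {
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The character encoding only takes effect if it is set before the body is read
        request.setCharacterEncoding("UTF-8");
        // Retrieve the original request payload
        BufferedReader reader = request.getReader();
        StringBuilder stringBuilder = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            stringBuilder.append(line);
        }
        String originalPayload = stringBuilder.toString();
        // Modify the payload by appending an additional parameter
        final String modifiedPayload = originalPayload + "&additionalParam=123";
        // HttpServletRequest has no setContent(); wrap the request so that code
        // reading the body through getReader() sees the modified payload
        HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
            @Override
            public BufferedReader getReader() {
                return new BufferedReader(new StringReader(modifiedPayload));
            }
        };
        // Call the superclass service method to handle the modified request
        super.service(wrapped, response);
    }
}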
Any suggestions would be very helpful.
------------------------------
nick jones
ams
englewood cliffs NJ
------------------------------
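
An added example, not part of the original post or of the CRS project: a Python triage script that groups ModSecurity error-log lines like the two above by unique_id, reports which rule and variable produced the anomaly score behind the 403, and builds a candidate exclusion limited to that one path, rule and argument. The sample lines are abbreviated from the post's log; the rule id 1000 and the use of REQUEST_FILENAME with @streq are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two log lines, abbreviated ("...") to the fields parsed here.
SAMPLE_LOG = r'''
[Thu Jul 13 06:52:33.460913 2023] [security2:error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:body. [file ".../REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [hostname "localhost"] [uri "/clientweb/___proxy"] [unique_id "ZK_XcY5USLxJWEOPfy20rQAAAD8"]
[Thu Jul 13 06:52:33.462912 2023] [security2:error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file ".../REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "localhost"] [uri "/clientweb/___proxy"] [unique_id "ZK_XcY5USLxJWEOPfy20rQAAAD8"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')                  # [key "value"] pairs
TARGET = re.compile(r'ModSecurity: Warning\..* at (\S+?)\. \[file ')  # variable that matched


def triage(log_text):
    """Group events by unique_id; return only blocked requests with the rules that scored."""
    events = defaultdict(lambda: {"uri": None, "blocked": False, "hits": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        req = events[fields.get("unique_id")]
        req["uri"] = fields.get("uri")
        if "Access denied" in line:
            req["blocked"] = True
        target = TARGET.search(line)
        if target:  # a scoring rule, not the blocking evaluation itself
            req["hits"].append((fields["id"], target.group(1), fields.get("msg", "")))
    return {uid: req for uid, req in events.items() if req["blocked"]}


def exclusion(uri, rule_id, target, new_id):
    """Build a target exclusion for one path; new_id is a locally chosen rule id (assumption)."""
    return ('SecRule REQUEST_FILENAME "@streq %s" '
            '"id:%d,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"'
            % (uri, new_id, rule_id, target))


if __name__ == "__main__":
    for uid, req in triage(SAMPLE_LOG).items():
        for n, (rule_id, target, msg) in enumerate(req["hits"]):
            print("%s %s rule %s on %s: %s" % (uid, req["uri"], rule_id, target, msg))
            print(exclusion(req["uri"], rule_id, target, 1000 + n))
```

The generated directive only takes effect if it is loaded before the CRS rule files, for example from the CRS REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file.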