Description
I don't know if this applies as a false positive (I'm new to using this software), or if I need to add an exclusion.
The error occurs because of this " | SELF" in an input field which is free to use any character.
(Value: `Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1 (42 characters omitted)'
How to reproduce the misbehavior (-> curl call)

```bash
curl -v -X POST http://localhost \
  -H "Content-Type: application/json" \
  -d '{ "name": "text | SELF " }'
```

Logs
{
"transaction": {
"client_ip": "",
"time_stamp": "Tue Apr 29 22:23:29 2025",
"client_port": "",
"host_ip": "",
"host_port": "",
"unique_id": "",
"request": {
"method": "POST",
"http_version": 2.0,
"uri": ""
},
"response": {
"http_code": 403
},
"producer": {
"modsecurity": "ModSecurity v3.0.14 (Linux)",
"connector": "ModSecurity-nginx v1.0.3",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/4.13.0\""
]
},
"messages": [
{
"message": "Remote Command Execution: Unix Command Injection (command without evasion)",
"details": {
"match": "Matched \"Operator `Rx' with parameter `(?i)(?:b[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$ (9409 characters omitted)' against variable `ARGS:json.transacciones.array_1.descripcion' (Value: `Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M1 (42 characters omitted)' )",
"reference": "o72,7v39,142o72,7v39,142o72,7v39,142",
"ruleId": "932235",
"file": "/usr/local/coreruleset-4.13.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"lineNumber": "183",
"data": "Matched Data: | SELF found within ARGS:json.transacciones.array_1.descripcion: Compra a MODULAR ALUMINIO ESTRUCTURAL, STRUT PROFILE PG30 30X30 4 SLOTS | SELF TAPPING SCREW PG30 M12X30, 477C4A84-05B6-11F0-AB76-87F605D52A8D",
"severity": "2",
"ver": "OWASP_CRS/4.13.0",
"rev": "",
"tags": [
"application-multi",
"language-shell",
"platform-unix",
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"OWASP_CRS/ATTACK-RCE",
"capec/1000/152/248/88",
"PCI/6.5.2"
],
"maturity": "0",
"accuracy": "0"
}
},
{
"message": "Inbound Anomaly Score Exceeded (Total Score: 15)",
"details": {
"match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `15' )",
"reference": "",
"ruleId": "949110",
"file": "/usr/local/coreruleset-4.13.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"lineNumber": "222",
"data": "",
"severity": "0",
"ver": "OWASP_CRS/4.13.0",
"rev": "",
"tags": [
"anomaly-evaluation",
"OWASP_CRS"
],
"maturity": "0",
"accuracy": "0"
}
}
]
}
}

Your Environment
- CRS version (e.g., v3.3.4): OWASP_CRS/4.13.0
- Paranoia level setting (e.g. PL1) : paranoia-level/1 PL1
- ModSecurity version (e.g., 2.9.6): v3.0.14 (Linux)
- Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): nginx-1.27.4
- Operating System and version: Debian 12
Confirmation
[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
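The exclusion the description asks about, written here as an added example of the CRS rule-exclusion mechanism; it is not taken from the issue or from the CRS project's own files. It assumes the argument name exactly as the audit log reports it (`ARGS:json.transacciones.array_1.descripcion`); the regex-selector variant covering any `array_<n>` index, the rule id 1000 and the URI prefix `/api/transacciones` are assumptions beyond what the log shows. The file names are the conventional CRS locations for rules that run before and after the CRS rule set is loaded.

```apache
# Added example: narrow the target list of CRS rule 932235 so that one free-text
# JSON field is no longer inspected by it. Not part of the issue or of CRS.

# --- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (loaded after the CRS rules) ---

# Option 1: static exclusion. Rule 932235 keeps running on every other argument;
# only the named description field is removed from its targets.
SecRuleUpdateTargetById 932235 "!ARGS:json.transacciones.array_1.descripcion"

# Option 1b (assumption): the same exclusion for any array index, using the
# regular-expression target selector. Anchored so only fields of exactly this
# shape are excluded.
SecRuleUpdateTargetById 932235 "!ARGS:/^json\.transacciones\.array_\d+\.descripcion$/"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (loaded before the CRS rules) ---

# Option 2: runtime exclusion limited to the endpoint that accepts this field.
# Id 1000 is a placeholder in the 1-99,999 range CRS leaves free for local rules;
# the URI prefix is an assumption, not taken from the log.
SecRule REQUEST_URI "@beginsWith /api/transacciones" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932235;ARGS:json.transacciones.array_1.descripcion"
```

Pick one of the two, not both. Either form leaves 932235 active for every other parameter and leaves the other RCE rules in REQUEST-932 inspecting the description field, so the trade-off is limited to this one rule on this one field. To check the exclusion, resend a request with the real payload shape (a `transacciones` array whose `descripcion` contains `| SELF`): the `-d '{ "name": ... }'` body from the reproduction above populates `ARGS:json.name`, which the exclusion does not cover, so it will still be blocked. After the change the audit log for the real payload should no longer list ruleId 932235, and the inbound anomaly score should drop below the threshold reported in rule 949110.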