Mod Security: Multipart XML fails with Message: “XML parser error: XML: Failed parsing document.”

The CRS Rule 200000 seems to hit and I haven't found the exact problem yet.

Versions:

  • owasp-modsecurity-crs-3.2.0
  • Apache/2.4.38

The Log looks like this:

(30/Mar/2021:14:28:57 +0200) YGMZiY3fnzEmfTyS-ahEbwAAAA8 secretIP 31385 secretIP 443
--29428f7a-B--
POST /secretService/SecretService.svc HTTP/1.1
MIME-Version: 1.0
Content-Type: multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:53bac015-047d-4030-baf7-118016f7cd7d+id=1";start-info="application/soap+xml"
Host: Secrethost
Content-Length: 1351
Accept-Encoding: gzip, deflate

--29428f7a-C--

--uuid:53bac015-047d-4030-baf7-118016f7cd7d+id=1
Content-ID: <http://tempuri.org/0>
Content-Transfer-Encoding: 8bit
Content-Type: application/xop+xml;charset=utf-8;type="application/soap+xml"

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header>...</s:Header><s:Body>SECRETSTUFFINHERE</s:Body></s:Envelope>
--uuid:53bac015-047d-4030-baf7-118016f7cd7d+id=1--

--29428f7a-F--
HTTP/1.1 500 Internal Server Error
Upgrade: h2,h2c
Connection: Upgrade, close
Accept-Ranges: bytes
Content-Type: text/html

--29428f7a-H--
Message: Warning. Match of "rx ^(\w/.+-)+(?:\s?;\s?(?:boundary|charset)\s?=\s?('"\w.()+,/:=?-)+)?$" against "REQUEST_HEADERS:Content-Type" required. (file "SECRETPATH/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf") (line "908") (id "920470") (msg "Illegal Content-Type header") (data "multipart/related; type=x22application/xop+xmlx22;start=x22<http://tempuri.org/0>x22;boundary=x22uuid:53bac015-047d-4030-baf7-118016f7cd7d+id=1x22;start-info=x22application/soap+xmlx22") (severity "CRITICAL") (ver "OWASP_CRS/3.2.0") (tag "application-multi") (tag "language-multi") (tag "platform-multi") (tag "attack-protocol") (tag "paranoia-level/1") (tag "OWASP_CRS") (tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE") (tag "WASCTC/WASC-20") (tag "OWASP_TOP_10/A1") (tag "OWASP_AppSensor/EE2") (tag "PCI/12.1")
Message: XML parser error: XML: Failed parsing document.
Message: XML parser error: XML: Failed parsing document.
Apache-Error: (file "apache2_util.c") (line 273) (level 3) (client SECRETIP) ModSecurity: Warning. Match of "rx ^(\\\\w/.+-)+(?:\\\\s?;\\\\s?(?:boundary|charset)\\\\s?=\\\\s?('\\"\\\\w.()+,/:=?-)+)?$"

Things to Note:

  • I’m not sure if the 500 return code comes from Mod Security or whether something else failed, but if we make an exception for the rule, it works, however.

In my eyes there are two problems.

First, it tries to parse the multipart XML and fails:

  • We set the body processor to XML in the httpd.conf:
    SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
  • The documentation states the following possible choices (but what should be configured when the body is multipart XML, as in our case?):

Built-in processors are URLENCODED, MULTIPART, and XML

Second, the regex for the Content-Type header fails:

  • The regex here: Warning. Match of "rx ^(\w/.+-)+(?:\s?;\s?(?:boundary|charset)\s?=\s?('"\w.()+,/:=?-)+)?$" against "REQUEST_HEADERS:Content-Type" required. seems to search for the words “boundary” and “charset”; however, according to this issue found here: GitHub Issue, there should be more.

Questions:

  • While the second one seems fixable, I don’t see how to fix the first problem.
  • Assuming every rule hit raises the score, where do I see when I hit a threshold so that the request is blocked? The log level seems to give no indication (based on my research).
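An added example (not from the post or from ModSecurity/CRS) that runs the two regexes quoted above against the logged Content-Type header in Python. It shows that the unanchored rule 200000 pattern matches "application/soap+xml" inside the start-info parameter, which is how the XML body processor gets switched on for a multipart body, and which parameters fall outside the boundary/charset allowlist of rule 920470. It assumes the 920470 character classes are square brackets as in the CRS rule file, and takes the 200000 pattern as posted with the dropped "(" and "\" restored.

```python
import re
from email.message import Message

# Content-Type header exactly as captured in the audit log above.
LOGGED_HEADER = (
    'multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";'
    'boundary="uuid:53bac015-047d-4030-baf7-118016f7cd7d+id=1";start-info="application/soap+xml"'
)

# Rule 200000 pattern from the post, with the dropped "(" and "\" restored. ModSecurity's
# @rx is an unanchored search, applied here after t:lowercase, so it matches anywhere
# in the header value, parameters included.
RULE_200000_RE = re.compile(r'(?:application(?:/soap\+|/)|text/)xml')

# Rule 920470 (CRS 3.2.0) pattern as logged; the log renders the two character classes
# as (...), they are [...] in the rule file (assumption). It allows the media type plus
# at most one parameter, which must be boundary or charset.
RULE_920470_RE = re.compile(
    r'''^[\w/.+-]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['"\w.()+,/:=?-]+)?$'''
)


def xml_processor_trigger(content_type):
    """Substring that makes rule 200000 select the XML body processor, or None."""
    m = RULE_200000_RE.search(content_type.lower())
    return m.group(0) if m else None


def split_content_type(content_type):
    """(media_type, {param: unquoted value}) using the stdlib header parser."""
    msg = Message()
    msg['Content-Type'] = content_type
    return msg.get_content_type(), dict(msg.get_params()[1:])


def params_not_allowed_by_920470(content_type):
    """Parameter names outside the boundary/charset allowlist of rule 920470."""
    _, params = split_content_type(content_type)
    return sorted(p for p in params if p not in ('boundary', 'charset'))


def rule_920470_fires(content_type):
    """True when the header would be flagged as 'Illegal Content-Type header'."""
    return RULE_920470_RE.match(content_type) is None


if __name__ == '__main__':
    print('200000 trigger :', xml_processor_trigger(LOGGED_HEADER))
    print('920470 fires   :', rule_920470_fires(LOGGED_HEADER))
    print('extra params   :', params_not_allowed_by_920470(LOGGED_HEADER))
```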