ModSecurity: Path Confusion and really easy bypass on v2 and v3
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
The concept here is simple: the REQUEST_FILENAME variable should normally contain the entire request path, from the first / up to the start of the URL parameters as marked by the ? character. For example, for /api/v3/example/endpoint?param=1 the REQUEST_FILENAME is /api/v3/example/endpoint.

The problem is that ModSecurity URL-decodes the path before it parses out where the parameters start. So if a path includes %3F (the URL-encoded form of ?), any data after the %3F is not included in the REQUEST_FILENAME variable, even though the actual backend server is very likely to treat it as part of the path. That creates room to smuggle in bits that would usually get blocked by a WAF. The REQUEST_BASENAME and PATH_INFO variables are also affected by this issue.
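To make the ordering problem concrete, here is an added example (not code from ModSecurity or from Andrea Menin's write-up) that models the two parsing orders side by side: decode-then-split, which reproduces the behaviour described above, and split-then-decode, which yields the path a backend would actually serve. The sample request targets and the function names are constructed for illustration.

```python
from urllib.parse import unquote

def filename_decode_then_split(request_target: str) -> str:
    """Flawed order modelled after the described bug: URL-decode the whole
    request target first, then cut at the first '?'. An encoded %3F becomes
    a real '?' before the split, so everything after it is dropped."""
    decoded = unquote(request_target)
    return decoded.split("?", 1)[0]

def filename_split_then_decode(request_target: str) -> str:
    """Correct order: cut at the first literal '?' (the real query delimiter),
    then URL-decode only the path part. An encoded %3F stays inside the path,
    which is what the backend will see."""
    path = request_target.split("?", 1)[0]
    return unquote(path)

def basename(filename: str) -> str:
    """Last path segment, the same way a REQUEST_BASENAME-style variable
    would derive it from the filename."""
    return filename.rsplit("/", 1)[-1]

def path_has_encoded_delimiter(request_target: str) -> bool:
    """Defensive check: flag requests whose decoded *path* contains a literal
    '?', i.e. the query delimiter arrived percent-encoded inside the path.
    Legitimate paths almost never need this, so it is a cheap thing to log
    or block while an engine that decodes too early is still in use."""
    return "?" in filename_split_then_decode(request_target)

def compare(request_target: str) -> dict:
    """Return both interpretations of one request target for inspection."""
    return {
        "target": request_target,
        "waf_sees": filename_decode_then_split(request_target),
        "backend_sees": filename_split_then_decode(request_target),
        "suspicious": path_has_encoded_delimiter(request_target),
    }

if __name__ == "__main__":
    # Constructed sample request targets: one ordinary, one with the
    # delimiter percent-encoded inside the path.
    for target in ("/api/v3/example/endpoint?param=1",
                   "/api/v3/example/endpoint%3Fparam=1"):
        result = compare(target)
        print(f"{result['target']}")
        print(f"  WAF filename     : {result['waf_sees']}")
        print(f"  backend filename : {result['backend_sees']}")
        print(f"  flag for review  : {result['suspicious']}")
```

For the ordinary target both functions agree on /api/v3/example/endpoint. For the target carrying %3F, the decode-first variant stops at the decoded ?, so the WAF inspects a shorter filename than the path the backend receives; the split-first variant keeps the whole segment, and `path_has_encoded_delimiter` returns True, which is the signal a defender would alert on.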