[Request] Add Umbraco support to OWASP/Cloudflare rulesets


#1

Umbraco is a fairly widely known/used CMS, so I thought it might be worth adding support for its backoffice to the OWASP/Cloudflare ruleset lists.

I see there’s support for a variety of widely used platforms, like WordPress and Joomla.

We recently had an issue which was a result of the Web Application Firewall blocking API requests to the backoffice. I’ve resolved this by adding page rules to disable security for those API endpoints, but ideally there would be a ruleset that doesn’t consume page rules, and isn’t a blanket on/off switch.

Umbraco lets us edit HTML/Razor/CSS/JavaScript/XML in the backend, as well as attach files and other features. Our users were getting flagged due to trying to upload GPX map files (XML based) to the backend, along with a rich HTML editor. It appears that was too much XML in a single post, and OWASP triggered a bunch of rules on it, requesting a challenge against the Ajax requests, breaking the site.

Below is an example of one (of many) of those challenged requests.

{
  "id": "3c87199cfddf3470",
  "country": "GB",
  "ip": "IPV6ADDRESSREDACTED",
  "protocol": "HTTP/2",
  "method": "POST",
  "host": "hostname.co.uk",
  "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
  "uri": "/umbraco/backoffice/UmbracoApi/Content/PostSave",
  "request_duration": 67000320,
  "triggered_rule_ids": [
    "100013",
    "950901",
    "960024",
    "973300",
    "973301",
    "973304",
    "973306",
    "973316",
    "973333",
    "973335",
    "973338",
    "981133",
    "981136",
    "981176",
    "981243",
    "981245",
    "981257",
    "2000001",
    "2000003",
    "2000004",
    "2000006"
  ],
  "action": "challenge",
  "cloudflare_location": "LHR",
  "occurred_at": "2017-12-05T12:45:00.31Z",
  "rule_detail": [
    {
      "id": "960024",
      "description": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:JSON_ARG_0138=. </"
    },
    {
      "id": "950901",
      "description": "OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:JSON_ARG_0138=p>Trust10"
    },
    {
      "id": "981257",
      "description": "DETECTS MYSQL COMMENT-/SPACE-OBFUSCATED INJECTIONS AND BACKTICK TERMINATION-OWASP_CRS/WEB_ATTACK/SQLI-2000000408_146=, 5k loops to get achieve your 10k. So you'll be able to get to grips with the terrain which will test your climbing skills with a few stiles and hedges to negotiate. If you come with family and friends, they can enjoy everything else Godolphin has to "
    },
    {
      "id": "981245",
      "description": "DETECTS BASIC SQL AUTHENTICATION BYPASS ATTEMPTS 2/3-OWASP_CRS/WEB_ATTACK/SQLI-2000000408_146=\">https://w"
    },
    {
      "id": "981243",
      "description": "DETECTS CLASSIC SQL INJECTION PROBINGS 2/2-OWASP_CRS/WEB_ATTACK/SQLI-2000000408_146=0"
    },
    {
      "id": "973338",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000412_204= style="
    },
    {
      "id": "973300",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-ARGS:JSON_ARG_0138=<p>"
    },
    {
      "id": "973301",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-ARGS:JSON_ARG_0150=rel="
    },
    {
      "id": "973304",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000408_136=href="
    },
    {
      "id": "973306",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000408_136=style="
    },
    {
      "id": "973335",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000412_217=\"/media/155977/lock_up_with_tagline.jpg?width=216&height=93\" alt=\"\" rel=\"12315\" data-id=\"12315\" /></p> <p>Welcome to Godolphins Trust10 route. This is your opportunity to explore an ancient and atmospheric estate with a medieval garden and historic house.<"
    },
    {
      "id": "973333",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000412_217=\"/media/155977/lock_up_with_tagline.jpg?width="
    },
    {
      "id": "",
      "description": "0="
    },
    {
      "id": "",
      "description": "1="
    },
    {
      "id": "",
      "description": "2="
    },
    {
      "id": "",
      "description": "3="
    },
    {
      "id": "",
      "description": "4="
    },
    {
      "id": "973316",
      "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000412_217= style=\"width: 216px; height: 93px;\" src=\"/media/155977/lock_up_with_tagline.jpg?width=216&height=93\" alt=\"\" rel=\"12315\" data-id=\"12315\" /></p> <p>Welcome to Godolphins Trust10 route. This is your opportunity to explore an ancient and atmospheric estate wi"
    },
    {
      "id": "960024",
      "description": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:JSON_ARG_0138"
    }
  ],
  "rule_message": "Inbound Anomaly Score Exceeded (Total Score: 63, SQLi=8, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected.",
  "type": "waf",
  "rule_id": "981176",
  "zone_id": "ce69a84202600302d6e365da651fcf65",
  "cookie": ""
}
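Triage script, added here as an example and not code from the original post, Cloudflare or Umbraco. It reads an event in the shape shown above (a constructed, trimmed copy is embedded so it runs offline), recovers the anomaly score breakdown from `rule_message`, and groups the `rule_detail` entries by where each rule matched, so the result is a short list of rule/argument pairs that a targeted exclusion would name for this one URI rather than a page rule that switches security off for the whole path. The way `description` is split into CRS category, match location and sample is an assumption drawn from the event text; the `2000000408_146`-style locations are left as opaque body offsets.

```python
"""Group a Cloudflare WAF (OWASP CRS) event's matches by rule and location.

Added example, not Cloudflare's or Umbraco's code. Field names follow the
event in the post; the parsing of "description" is an assumption from it.
"""
import json
import re
from collections import defaultdict

# Constructed sample: same shape as the post's event, most entries dropped.
SAMPLE_EVENT = json.loads(r'''
{
  "method": "POST",
  "uri": "/umbraco/backoffice/UmbracoApi/Content/PostSave",
  "action": "challenge",
  "rule_message": "Inbound Anomaly Score Exceeded (Total Score: 63, SQLi=8, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected.",
  "rule_detail": [
    {"id": "960024", "description": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:JSON_ARG_0138=. </"},
    {"id": "950901", "description": "OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:JSON_ARG_0138=p>Trust10"},
    {"id": "981243", "description": "DETECTS CLASSIC SQL INJECTION PROBINGS 2/2-OWASP_CRS/WEB_ATTACK/SQLI-2000000408_146=0"},
    {"id": "973300", "description": "OWASP_CRS/WEB_ATTACK/XSS-ARGS:JSON_ARG_0138=<p>"},
    {"id": "973301", "description": "OWASP_CRS/WEB_ATTACK/XSS-ARGS:JSON_ARG_0150=rel="},
    {"id": "973304", "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000408_136=href="},
    {"id": "973333", "description": "OWASP_CRS/WEB_ATTACK/XSS-2000000412_217=\"/media/155977/lock_up_with_tagline.jpg?width="},
    {"id": "", "description": "0="},
    {"id": "960024", "description": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:JSON_ARG_0138"}
  ]
}
''')

SCORE_RE = re.compile(r"Total Score: (\d+)")
PART_RE = re.compile(r"\b([A-Za-z]+)=(\d+)")
# <category>-<location>[=<sample>]  e.g. WEB_ATTACK/XSS-ARGS:JSON_ARG_0138=<p>
DETAIL_RE = re.compile(r"OWASP_CRS/([A-Z_/]+)-([^=]+)(?:=(.*))?$", re.S)


def parse_anomaly_score(rule_message):
    """Return {'total': N, 'SQLi': n, 'XSS': n, ...} from the rule_message text."""
    m = SCORE_RE.search(rule_message)
    if not m:
        return {}
    head = rule_message.split("):", 1)[0]  # text inside the parentheses
    out = {"total": int(m.group(1))}
    out.update({k: int(v) for k, v in PART_RE.findall(head)})
    return out


def parse_rule_detail(entry):
    """Split one rule_detail entry into id, CRS category, match location, sample.
    Entries without an id (the bare "0=" fillers in the event) yield None."""
    m = DETAIL_RE.search(entry.get("description", ""))
    if not entry.get("id") or not m:
        return None
    return {
        "id": entry["id"],
        "category": m.group(1),      # e.g. WEB_ATTACK/XSS
        "location": m.group(2),      # e.g. ARGS:JSON_ARG_0138 or a body offset
        "sample": m.group(3) or "",  # the content fragment the rule matched
    }


def exclusion_plan(event):
    """Group rule ids by match location and count matches per category."""
    by_location = defaultdict(set)
    by_category = defaultdict(int)
    for entry in event.get("rule_detail", []):
        d = parse_rule_detail(entry)
        if d is None:
            continue
        by_location[d["location"]].add(d["id"])
        by_category[d["category"]] += 1
    return {
        "uri": event.get("uri"),
        "score": parse_anomaly_score(event.get("rule_message", "")),
        "by_location": {k: sorted(v) for k, v in sorted(by_location.items())},
        "by_category": dict(by_category),
    }


def narrow_exclusions(plan, named_args_only=True):
    """(rule id, location) pairs a targeted exclusion would name for this URI.
    With named_args_only, keep matches on named JSON arguments (ARGS:...) and
    drop the bare body-offset locations, whose meaning the event does not give."""
    pairs = []
    for loc, ids in plan["by_location"].items():
        if named_args_only and not loc.startswith("ARGS:"):
            continue
        pairs.extend((rid, loc) for rid in ids)
    return sorted(pairs)


def render_report(plan):
    """Human-readable summary lines for one event."""
    lines = [f"{plan['uri']}  anomaly={plan['score']}"]
    for loc, ids in plan["by_location"].items():
        lines.append(f"  {loc}: rules {', '.join(ids)}")
    narrow = ", ".join(f"{r}@{l}" for r, l in narrow_exclusions(plan))
    lines.append(f"  narrow exclusions: {narrow}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_report(exclusion_plan(SAMPLE_EVENT))))
```

Run against a batch of events for the same URI, the `by_location` map shows whether the hits cluster on a couple of rich-text arguments (the case a per-argument exclusion handles) or spread across the whole body, which is the point at which a path-wide bypass is the only option left and the request for an Umbraco-aware ruleset has its justification.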

#2

Current resolution is to add the following two page rules, disabling security:

https://hostname.co.uk/Umbraco/Api/*

https://hostname.co.uk/umbraco/backoffice/UmbracoApi/*