{"id":718,"date":"2015-12-20T10:49:41","date_gmt":"2015-12-20T09:49:41","guid":{"rendered":"http:\/\/www.netnea.com\/cms\/?p=718"},"modified":"2015-12-20T21:54:19","modified_gmt":"2015-12-20T20:54:19","slug":"modsec-crs-2-2-x-vs-3-0-0-dev","status":"publish","type":"post","link":"https:\/\/www.netnea.com\/cms\/2015\/12\/20\/modsec-crs-2-2-x-vs-3-0-0-dev\/","title":{"rendered":"OWASP ModSecurity Core Rules: Comparing 2.2.x and 3.0.0-dev"},"content":{"rendered":"

It has been a while since we have seen big development in the OWASP ModSecurity Core Rules. This is due to the fact, that the development took place in a separate branch named 3.0.0-dev which adopts many of the newer features and operators included in ModSecurity since 2.7; notably @detectSQLi and @detectXSS. When you take a closer look at the new rules, you realize quickly, that the whole file structure has been adopted. It looks quite unfamiliar if you got used to the 2.2.X rulesets.<\/p>\n

I want to understand the differences between the rulesets and given the fact we are talking of several hundred rules, reading them one by one or following the changelog seems a daunting task. Let’s take a more behavioristic approach. Let’s see them in action.<\/p>\n

The idea here is to setup two servers, one with Core Rules v2.2.9 and one with Core Rules v3.0.0-dev. Then configure a minimal set of local pages and have a vulnerability scanner examine the site. This won’t be a sophisticated venture into securing a site, but rather a report on how v2.2.9 reacts to a scan and what v3.0.0-dev does with the same requests.<\/p>\n

For quick access and simplicity I used nmap first. Nmap comes with a lot of http scanning scripts and I ran them all one after another. However, they are more reconnaissance tools than attack scripts, so most of the requests went unnoticed by ModSecurity (well outside of thousands of fuzzying requests which were blocked with a 414). So I switched over to nikto. Nikto is not the newest scanner (and my version 2.1.4 is not the latest), but it’s very quick. And it is an attack scanner firing thousands of http exploits at a server. ModSecurity is alarmed by a lot of these, so we actually end up with many alerts and thus enough data to compare the two Core Rule versions.<\/p>\n

Nikto has been called with the following commando:
\n$> nikto -h localhost -p 80
\n<\/tt><\/p>\n

Core Rules v2.2.9 would let nikto carry out its tasks. But with v3.0.0-dev, there is a new feature: IP repudiation. As soon as the scanner had ramped up, ModSecurity realized what we are up to and started to block the source IP. This is done via an internal collection and based on the setting of the variable IP:BLOCK, rule 981140 will skip all further processing and rule 981175 will block the client IP. That’s a good feature. I do not know about false positives and I would not be surprised if legitimate users would be blocked by this rule. However, there is no need to allow a scanner to run thousands of requests against a website without reaction. In production some tuning might be due. In our case, tuning is also necessary, since the blocking mechanism cloaks the other rules which are not being executed. So I disabled the ip blocking as follows:<\/p>\n


\n# No Blocking via IP repudiation, based on previous requests
\nSecRuleRemoveById 981140
\nSecRuleRemoveById 981175
\n<\/tt><\/p>\n

Then I reran the test and ended up with 6179 requests for both rulesets.<\/p>\n

Here is a graphical overview over the distribution of the anomaly scores:<\/p>\n

\"modsec-positive-stats\"<\/a><\/p>\n

And here the statistical data (generated using modsec-positive-stats.rb<\/a>):<\/p>\n

\r\n\r\n\t\t\t\t  Core Rules v2.2.9  | Core Rules v3.0.0-dev\r\nINCOMING                     Num of req. | % of req. |# of req| % of req. \r\nNumber of incoming req. (total) |   6197 | 100.0000% |   6197 | 100.0000% \r\n\r\nEmpty or miss. incoming score   |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   0 |    217 |   3.5016% |    217 |   3.5016%\r\nReqs with incoming score of   1 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   2 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   3 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   4 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   5 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   6 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   7 |      0 |   0.0000% |   2826 |  45.6027%\r\nReqs with incoming score of   8 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of   9 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  10 |   2850 |  45.9899% |    197 |   3.1789%\r\nReqs with incoming score of  11 |      0 |   0.0000% |      2 |   0.0322%\r\nReqs with incoming score of  12 |      0 |   0.0000% |     80 |   1.2909%\r\nReqs with incoming score of  13 |    201 |   3.2435% |      0 |   0.0000%\r\nReqs with incoming score of  14 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  15 |    142 |   2.2914% |     19 |   0.3065%\r\nReqs with incoming score of  16 |      3 |   0.0484% |      6 |   0.0968%\r\nReqs with incoming score of  17 |      0 |   0.0000% |    117 |   1.8880%\r\nReqs with incoming score of  18 |     52 |   0.8391% |     67 |   1.0811%\r\nReqs with incoming score of  19 |      2 |   0.0322% |      0 |   0.0000%\r\nReqs with incoming score of  20 |   2113 |  34.0971% |     26 |   0.4195%\r\nReqs with incoming score of  21 |     16 |   0.2581% |     25 |   0.4034%\r\nReqs with incoming score of  22 |      1 |   0.0161% |   2195 |  35.4203%\r\nReqs with incoming score of  23 |     76 |   1.2263% |      0 |   0.0000%\r\nReqs with incoming score of  24 |     93 |   1.5007% |      0 |   0.0000%\r\nReqs with incoming score of  25 |    155 |   2.5012% |      4 |   0.0645%\r\nReqs with incoming score of  26 |     16 |   0.2581% |      1 |   0.0161%\r\nReqs with incoming score of  27 |      5 |   0.0806% |    182 |   2.9369%\r\nReqs with incoming score of  28 |     11 |   0.1775% |      2 |   0.0322%\r\nReqs with incoming score of  29 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  30 |     13 |   0.2097% |      7 |   0.1129%\r\nReqs with incoming score of  31 |      8 |   0.1290% |      1 |   0.0161%\r\nReqs with incoming score of  32 |     23 |   0.3711% |    125 |   2.0171%\r\nReqs with incoming score of  33 |      5 |   0.0806% |      0 |   0.0000%\r\nReqs with incoming score of  34 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  35 |      6 |   0.0968% |     12 |   0.1936%\r\nReqs with incoming score of  36 |      0 |   0.0000% |     21 |   0.3388%\r\nReqs with incoming score of  37 |      0 |   0.0000% |     27 |   0.4356%\r\nReqs with incoming score of  38 |      8 |   0.1290% |      0 |   0.0000%\r\nReqs with incoming score of  39 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  40 |      0 |   0.0000% |      2 |   0.0322%\r\nReqs with incoming score of  41 |      0 |   0.0000% |      7 |   0.1129%\r\nReqs with incoming score of  42 |      0 |   0.0000% |     14 |   0.2259%\r\nReqs with incoming score of  43 |      2 |   0.0322% |      0 |   0.0000%\r\nReqs with incoming score of  44 |      3 |   0.0484% |      1 |   0.0161%\r\nReqs with incoming score of  45 |      1 |   0.0161% |      3 |   0.0484%\r\nReqs with incoming score of  46 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  47 |      0 |   0.0000% |      5 |   0.0806%\r\nReqs with incoming score of  48 |     10 |   0.1613% |      0 |   0.0000%\r\nReqs with incoming score of  49 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  50 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of  51 |      2 |   0.0322% |      0 |   0.0000%\r\nReqs with incoming score of  52 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  53 |     52 |   0.8391% |      0 |   0.0000%\r\nReqs with incoming score of  54 |      3 |   0.0484% |      0 |   0.0000%\r\nReqs with incoming score of  55 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  56 |     81 |   1.3070% |      0 |   0.0000%\r\nReqs with incoming score of  57 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  58 |      2 |   0.0322% |      0 |   0.0000%\r\nReqs with incoming score of  59 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  60 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  61 |      8 |   0.1290% |      0 |   0.0000%\r\nReqs with incoming score of  62 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  63 |      3 |   0.0484% |      0 |   0.0000%\r\nReqs with incoming score of  64 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  65 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  66 |      2 |   0.0322% |      0 |   0.0000%\r\nReqs with incoming score of  67 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  68 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  69 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  70 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  71 |      4 |   0.0645% |      0 |   0.0000%\r\nReqs with incoming score of  72 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  73 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of  74 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  75 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  76 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  77 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  78 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  79 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  80 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  81 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  82 |      0 |   0.0000% |      1 |   0.0161%\r\nReqs with incoming score of  83 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  84 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  85 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  86 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of  87 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  88 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  89 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  90 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  91 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  92 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  93 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  94 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of  95 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  96 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of  97 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  98 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of  99 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 100 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 101 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 102 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of 103 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 104 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 105 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 106 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 107 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 108 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 109 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 110 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 111 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 112 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 113 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 114 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 115 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 116 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 117 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 118 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 119 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 120 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 121 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 122 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 123 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 124 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 125 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 126 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 127 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 128 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 129 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 130 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 131 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 132 |      1 |   0.0161% |      0 |   0.0000%\r\nReqs with incoming score of 133 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 134 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 135 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 136 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 137 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 138 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 139 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 140 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 141 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 142 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 143 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 144 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 145 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 146 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 147 |      0 |   0.0000% |      0 |   0.0000%\r\nReqs with incoming score of 148 |      1 |   0.0161% |      0 |   0.0000%\r\n\r\n2.2.9 \t   Avg:  15.8043  Median: 13.0000  Std. deviation:   9.5405\r\n3.0.0-dev  Avg:  14.3466  Median: 10.0000  Std. deviation:   8.7512\r\n\r\n\r\nOUTGOING                     Num of req. | % of req.  of req. | % of req. \r\nNumber of outgoing req. (total) |   6197 | 100.0000% |   6197 | 100.0000% \r\n                                                                          \r\nEmpty or miss. outgoing score   |      0 |   0.0000% |      0 |   0.0000% \r\nReqs with outgoing score of   0 |   6193 |  99.9354% |   6193 |  99.9354% \r\nReqs with outgoing score of   1 |      0 |   0.0000% |      0 |   0.0000% \r\nReqs with outgoing score of   2 |      0 |   0.0000% |      0 |   0.0000% \r\nReqs with outgoing score of   3 |      0 |   0.0000% |      0 |   0.0000% \r\nReqs with outgoing score of   4 |      4 |   0.0645% |      4 |   0.0645% \r\n\r\n2.2.9     Avg:   0.0026   Median:  0.0000  Std. deviation:   0.1016\r\n3.0.0-dev Avg:   0.0026   Median:  0.0000  Std. deviation:   0.1016\r\n<\/code>\r\n<\/pre>\n
So for 2.2.9, almost all nikto requests triggered at least two rules and ended up with a
\nscore of 10 or above. That is not the case with the 3.0.0-dev ruleset. Here, almost half of
\nthe requests stayed below 10. But mind you, we disabled the rule 981175, which would
\nhave stopped almost all these requests. An interesting feature of the new ruleset is
\nthe cluster at the score of 22. This is higher than a similar cluster of the v2.2.9
\nruleset at 20. So in this midrange, a lot of requests score a bit higher with the
\nnew ruleset.<\/p>\n
The highest substantial cluster of requests with the v3.0.0-dev ruleset hit a score of
\n32. With the old v2.2.9 rules, we have a cluster at a score of 56. The highest scoring
\nrequest with the v3.0.0-dev ruleset came in at 82:<\/p>\n
“GET \/submit.php?subject=<script>alert(‘Vulnerable’)<\/script>&story=<script>alert(‘Vulnerable’)<\/script>&storyext=<script>alert(‘Vulnerable’)<\/script>&op=Preview HTTP\/1.1”<\/p>\n
This request has the nikto test ID 000786. With the v2.2.9 ruleset, the very same
\nrequest scored 148.<\/p>\n
So in the higher range, v2.2.9 seems to lead to higher scores. When we look at the
\naverage and the median, they are slightly higher for 2.2.9 and the results
\nseem to be a bit more stretched out according to the standard deviation.<\/p>\n
Now scoring a bit lower than before is no fault in itself. It all depends on the anomaly
\nthreshold which you set. So when migrating adjusting the anomaly setting seems
\nimportant. A threshold of 10 would have stopped over 95% of all nikto requests with
\nthe v2.2.9 ruleset. With the new one, almost 50% of the requests stay below 10.<\/p>\n
With the http responses, there was no difference in my tests. That is not surprising, as
\nthere is no application to exploit and thus no interesting responses to scan.<\/p>\n
Let’s move to the rules themselves. Which rules are actually scoring? Here is an overview.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
v2.2.9\u00a0RuleID<\/strong><\/td>\nv2.2.9\u00a0Description<\/strong><\/td>\nHits<\/strong><\/td>\n<\/td>\nHits<\/strong><\/td>\nv3.0.0-dev\u00a0Description<\/strong><\/td>\nv3.0.0-dev\u00a0RuleID<\/strong><\/td>\n<\/tr>\n
950000<\/td>\nSession Fixation<\/td>\n1<\/td>\n\"arrow-red\"<\/td>\n0<\/td>\nRule not triggering anymore in v3.0.0-dev<\/td>\n950000<\/td>\n<\/tr>\n
950001<\/td>\nSQL Injection Attack<\/td>\n5<\/td>\n\"arrow-red\"<\/td>\n3<\/td>\nSQL Injection Attack<\/td>\n950001<\/td>\n<\/tr>\n
950005<\/td>\nRemote File Access Attempt<\/td>\n223<\/td>\n\"arrow-red\"<\/td>\n219<\/td>\nOS File Access Attempt<\/td>\n950005<\/td>\n<\/tr>\n
950006<\/td>\nSystem Command Injection<\/td>\n6<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
950011<\/td>\nSSI injection Attack<\/td>\n3<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
950103<\/td>\nPath Traversal Attack<\/td>\n178<\/td>\n\"arrow-green\"<\/td>\n190<\/td>\nPath Traversal Attack (\/..\/)<\/td>\n950103<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n259<\/td>\nPath Traversal At (\/..\/)<\/td>\n950104<\/td>\n<\/tr>\n
950107<\/td>\nURL Encoding Abuse Attack Attempt<\/td>\n1<\/td>\n<\/td>\n1<\/td>\nURL Encoding Abuse Attack Attempt<\/td>\n950107<\/td>\n<\/tr>\n
950109<\/td>\nMultiple URL Encoding Detected<\/td>\n67<\/td>\n<\/td>\n67<\/td>\nMultiple URL Encoding Detected<\/td>\n950109<\/td>\n<\/tr>\n
950118<\/td>\nRemote File Inclusion Attack<\/td>\n141<\/td>\n<\/td>\n141<\/td>\nPossible Remote File Inclusion (RFI) Attack: Common RFI
\nVulnerable …<\/td>\n		950118<\/td>\n<\/tr>\n
950119<\/td>\nRemote File Inclusion Attack<\/td>\n2272<\/td>\n<\/td>\n2272<\/td>\nPossible Remote File Inclusion (RFI) Attack: URL Payload Used
\n…<\/td>\n		950119<\/td>\n<\/tr>\n
950120<\/td>\nPossible Remote File Inclusion (RFI) Attack: Off-Domain …<\/td>\n2331<\/td>\n<\/td>\n2331<\/td>\nPossible Remote File Inclusion (RFI) Attack: Off-Domain
\nReference\/Link<\/td>\n		950120<\/td>\n<\/tr>\n
950901<\/td>\nSQL Injection Attack: SQL Tautology Detected.<\/td>\n245<\/td>\n\"arrow-green\"<\/td>\n246<\/td>\nSQL Injection Attack: SQL Tautology Detected.<\/td>\n950901<\/td>\n<\/tr>\n
950907<\/td>\nSystem Command Injection<\/td>\n1<\/td>\n\"arrow-green\"<\/td>\n196<\/td>\nRemote Command Execution (RCE) Attempt<\/td>\n950907<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n1<\/td>\nHTTP Header Injection Attack via payload (CR\/LF deteced)<\/td>\n950913<\/td>\n<\/tr>\n
950921<\/td>\nBackdoor access<\/td>\n1<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
958001<\/td>\nCross-site Scripting (XSS) Attack<\/td>\n105<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev, probably integrated into 973340-973343<\/td>\n<\/td>\n<\/tr>\n
958031<\/td>\nCross-site Scripting (XSS) Attack<\/td>\n2<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev, probably integrated into 973340-973343<\/td>\n<\/td>\n<\/tr>\n
958051<\/td>\nCross-site Scripting (XSS) Attack<\/td>\n243<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev, probably integrated into 973340-973343<\/td>\n<\/td>\n<\/tr>\n
958052<\/td>\nCross-site Scripting (XSS) Attack<\/td>\n282<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev, probably integrated into 973340-973343<\/td>\n<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n3<\/td>\nPHP Injection Attack: Configuration Directive Found<\/td>\n958979<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n67<\/td>\nPHP Injection Attack: Variables Found<\/td>\n958980<\/td>\n<\/tr>\n
959071<\/td>\nSQL Injection Attack<\/td>\n2<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
959073<\/td>\nSQL Injection Attack<\/td>\n5<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
960008<\/td>\nRequest Missing a Host Header<\/td>\n1<\/td>\n<\/td>\n1<\/td>\nRequest Missing a Host Header<\/td>\n960008<\/td>\n<\/tr>\n
960010<\/td>\nRequest content type is not allowed by policy<\/td>\n5<\/td>\n\"arrow-red\"<\/td>\n1<\/td>\nRequest content type is not allowed by policy<\/td>\n960010<\/td>\n<\/tr>\n
960011<\/td>\nGET or HEAD Request with Body Content.<\/td>\n17<\/td>\n<\/td>\n17<\/td>\nGET or HEAD Request with Body Content.<\/td>\n960011<\/td>\n<\/tr>\n
960015<\/td>\nRequest Missing an Accept Header<\/td>\n6079<\/td>\n<\/td>\n6079<\/td>\nRequest Missing an Accept Header<\/td>\n960015<\/td>\n<\/tr>\n
960024<\/td>\nMeta-Character Anomaly Detection Alert – Repetative Non-Word
\n…<\/td>\n		417<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
960032<\/td>\nMethod is not allowed by policy<\/td>\n11<\/td>\n\"arrow-red\"<\/td>\n1<\/td>\nMethod is not allowed by policy<\/td>\n960032<\/td>\n<\/tr>\n
960034<\/td>\nHTTP protocol version is not allowed by policy<\/td>\n13<\/td>\n<\/td>\n13<\/td>\nHTTP protocol version is not allowed by policy<\/td>\n960034<\/td>\n<\/tr>\n
960035<\/td>\nURL file extension is restricted by policy<\/td>\n219<\/td>\n<\/td>\n219<\/td>\nURL file extension is restricted by policy<\/td>\n960035<\/td>\n<\/tr>\n
960208<\/td>\nArgument value too long<\/td>\n1<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nMisconfiguration by the author: Limit not set properly<\/td>\n<\/td>\n<\/tr>\n
960209<\/td>\nArgument name too long<\/td>\n1<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nMisconfiguration by the author: Limit not set properly<\/td>\n<\/td>\n<\/tr>\n
960901<\/td>\nInvalid character in request<\/td>\n65<\/td>\n<\/td>\n65<\/td>\nInvalid character in request<\/td>\n960901<\/td>\n<\/tr>\n
960911<\/td>\nInvalid HTTP Request Line<\/td>\n17<\/td>\n\"arrow-red\"<\/td>\n10<\/td>\nInvalid HTTP Request Line<\/td>\n960911<\/td>\n<\/tr>\n
970901<\/td>\nThe application is not available<\/td>\n4<\/td>\n<\/td>\n4<\/td>\nThe Application Returned a 500-Level Status Code<\/td>\n970901<\/td>\n<\/tr>\n
973300<\/td>\nPossible XSS Attack Detected – HTML Tag Handler<\/td>\n246<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973304<\/td>\nXSS Attack Detected<\/td>\n2<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973305<\/td>\nXSS Attack Detected<\/td>\n15<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973307<\/td>\nXSS Attack Detected<\/td>\n282<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973331<\/td>\nIE XSS Filters – Attack Detected.<\/td>\n243<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973334<\/td>\nIE XSS Filters – Attack Detected.<\/td>\n2<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973335<\/td>\nIE XSS Filters – Attack Detected.<\/td>\n63<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
973336<\/td>\nXSS Filter – Category 1: Script Tag Vector<\/td>\n230<\/td>\n\"arrow-green\"<\/td>\n244<\/td>\nXSS Filter – Category 1: Script Tag Vector<\/td>\n973336<\/td>\n<\/tr>\n
973338<\/td>\nXSS Filter – Category 3: Javascript URI Vector<\/td>\n3<\/td>\n\"arrow-red\"<\/td>\n2<\/td>\nXSS Filter – Category 4: Javascript URI Vector<\/td>\n973338<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n247<\/td>\nNoScript XSS InjectionChecker: HTML Injection<\/td>\n973340<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n15<\/td>\nNoScript XSS InjectionChecker: Attribute Injection<\/td>\n973341<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n114<\/td>\nNode-Validator Blacklist Keywords<\/td>\n973342<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n246<\/td>\nXSS Attack Detected via Libinjection<\/td>\n973343<\/td>\n<\/tr>\n
973346<\/td>\nIE XSS Filters – Attack Detected.<\/td>\n15<\/td>\n<\/td>\n15<\/td>\nIE XSS Filters – Attack Detected.<\/td>\n973346<\/td>\n<\/tr>\n
981173<\/td>\nRestricted SQL Character Anomaly Detection Alert – Total # of
\n…<\/td>\n		427<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
981227<\/td>\nApache Error: Invalid URI in Request.<\/td>\n19<\/td>\n<\/td>\n19<\/td>\nApache Error: Invalid URI in Request.<\/td>\n981227<\/td>\n<\/tr>\n
981231<\/td>\nSQL Comment Sequence Detected.<\/td>\n71<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
981240<\/td>\nDetects MySQL comments, conditions and ch(a)r injections<\/td>\n3<\/td>\n<\/td>\n3<\/td>\nDetects MySQL comments, conditions and ch(a)r injections<\/td>\n981240<\/td>\n<\/tr>\n
981242<\/td>\nDetects classic SQL injection probings 1\/2<\/td>\n9<\/td>\n<\/td>\n9<\/td>\nDetects classic SQL injection probings 1\/2<\/td>\n981242<\/td>\n<\/tr>\n
981243<\/td>\nDetects classic SQL injection probings 2\/2<\/td>\n154<\/td>\n<\/td>\n154<\/td>\nDetects classic SQL injection probings 2\/2<\/td>\n981243<\/td>\n<\/tr>\n
981245<\/td>\nDetects basic SQL authentication bypass attempts 2\/3<\/td>\n76<\/td>\n<\/td>\n76<\/td>\nDetects basic SQL authentication bypass attempts 2\/3<\/td>\n981245<\/td>\n<\/tr>\n
981246<\/td>\nDetects basic SQL authentication bypass attempts 3\/3<\/td>\n29<\/td>\n<\/td>\n29<\/td>\nDetects basic SQL authentication bypass attempts 3\/3<\/td>\n981246<\/td>\n<\/tr>\n
981249<\/td>\nDetects chained SQL injection attempts 2\/2<\/td>\n8<\/td>\n<\/td>\n8<\/td>\nDetects chained SQL injection attempts 2\/2<\/td>\n981249<\/td>\n<\/tr>\n
981257<\/td>\nDetects MySQL comment-\/space-obfuscated injections and backtick
\n…<\/td>\n		6<\/td>\n<\/td>\n6<\/td>\nDetects MySQL comment-\/space-obfuscated injections and backtick
\n…<\/td>\n		981257<\/td>\n<\/tr>\n
981260<\/td>\nSQL Hex Encoding Identified<\/td>\n3<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
<\/td>\nNew rule in v3.0.0-dev<\/td>\n<\/td>\n\"arrow-green\"<\/td>\n32<\/td>\nSQL Injection Attack Detected via LibInjection<\/td>\n981261<\/td>\n<\/tr>\n
981276<\/td>\nLooking for basic sql injection. Common attack string for mysql
\n…<\/td>\n		3<\/td>\n<\/td>\n3<\/td>\nLooking for basic sql injection. Common attack string for mysql
\n…<\/td>\n		981276<\/td>\n<\/tr>\n
981317<\/td>\nSQL SELECT Statement Anomaly Detection Alert<\/td>\n3<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
981318<\/td>\nSQL Injection Attack: Common Injection Testing Detected<\/td>\n161<\/td>\n\"arrow-red\"<\/td>\n125<\/td>\nSQL Injection Attack: Common Injection Testing Detected<\/td>\n981318<\/td>\n<\/tr>\n
981319<\/td>\nSQL Injection Attack: SQL Operator Detected<\/td>\n1<\/td>\n<\/td>\n1<\/td>\nSQL Injection Attack: SQL Operator Detected<\/td>\n981319<\/td>\n<\/tr>\n
990002<\/td>\nRequest Indicates a Security Scanner Scanned the Site<\/td>\n6079<\/td>\n<\/td>\n6079<\/td>\nRequest Indicates a Security Scanner Scanned the Site<\/td>\n990002<\/td>\n<\/tr>\n
990012<\/td>\nRogue web site crawler<\/td>\n6079<\/td>\n\"arrow-red\"<\/td>\n<\/td>\nRule gone in v3.0.0-dev<\/td>\n<\/td>\n<\/tr>\n
990902<\/td>\nRequest Indicates a Security Scanner Scanned the Site<\/td>\n0<\/td>\n\"arrow-green\"<\/td>\n2336<\/td>\nRequest Indicates a Security Scanner Scanned the Site<\/td>\n990902<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\nTOTAL<\/td>\n33275<\/td>\n\"arrow-red\"<\/td>\n28352<\/td>\nTOTAL<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
We see less hits for about half of the rules. They appear weaker, or they are gone
\nfrom the ruleset. About a third of the rules come in with exactly the same number
\nof rules and a bit more than a sixth of the rules bring more hits or they are new
\nrules.<\/p>\n
I did not look into all the rules in detail. So it is likely, rules shifted
\ntheir ids, or they were consolidated. The github changelog might contain
\nthis information.<\/p>\n
For this blog post, I will only look at the most striking changes:
\nRule 950104 (Path Traversal Attack) : New rule in v3.0.0-dev<\/b>
\nThis is a new and very simple rule looking at the URI patterns “..\\” and “..\/”
\nIt’s a sibling of 950103, but a lot easier to read.
\nThe numbers are impressive: 359 new hits.<\/p>\n
Rule 950907 (Remote Command Execution (RCE) Attempt) : Bigger teeth in v3.0.0-dev<\/b>
\nThis rule has been rewritten and enriched with a big number of system commands
\nout of a file named os-commands.data. The success is striking:
\n196 hits vs. 1 in the simple variant in the v2.2.9 ruleset.<\/p>\n
Rule 950913 (HTTP Header Injection Attack via payload) : New rule in v3.0.0-dev<\/b>
\nThis new rule with a single hit is not newsworthy at all. But then I happened
\nto propose it for inclusion via a pull request<\/a>.
\nTo see this exotic regex
\ntrigger an alert with a well-known attack scanner pleases me.<\/p>\n
Rules 958001, 958031, 958051, 958052 (Cross-site Scripting (XSS) Attack) : Gone from v3.0.0-dev<\/b>
\nThese rules are all gone from the new version. There are new rules compensating
\nfor the loss partly, but the new rules do not make up for the over 600 alerts
\nthat this group of rules triggered.<\/p>\n
Rule 958980 (PHP Injection Attack: Variables Found) : New rule in v3.0.0-dev<\/b>
\nThat’s a new rule based on items in the data file php-variables.data.
\nNice one. Rule 958979 does the same with php-config-directives.data.<\/p>\n
Rule 960024 (Meta-Character Anomaly Detection Alert – Repetative Non-Word … ) : Gone from v3.0.0-dev<\/strong>
\nThis rule disappeared from the ruleset. It is likely, this simple ruleset
\ntriggered a lot of false positives: \\W{4,}
\nIt is similar to the case of the rules 981172 and 981173 whose disappearance I
\ndescribed in a recent blogpost<\/a>.
\n960024 is the same type of shepherd dog that barks quickly and often
\n(417 times, mind you!) and hands out 3 anomaly scoring points.
\nI think it should be brought back.<\/p>\n
Rules 973300, 973304, 973305, 973307, 973331, 973334, 973335 (Various XSS Rules) : Gone from v3.0.0-dev ruleset<\/strong>
\nLike the Anti-XSS rule described above, these are gone for good despite summing 800 alerts.
\nThere are new Anti-XSS rules described below, but I do not think they make up for the
\nloss.<\/p>\n
Rules 973340, 973341, 973342 (Various Anti-XSS rules) : New rules in v3.0.0-dev<\/strong>
\nThis is a group of new rules aimed to prevent XSS. Especially 973340 brings
\na very big Regex with obvious success and 247 hits.
\nThis is nice but it does not cover the loss of the Anti-XSS rules mentioned above.<\/p>\n
Rule 973343 (XSS Attack Detected via Libinjection) : New rule in v3.0.0-dev<\/strong>
\nSo this is the rule with the new @detectXSS operator based on libinjection
\nfrom client9: https:\/\/libinjection.client9.com\/<\/a>, https:\/\/github.com\/client9\/libinjection<\/a>.
\nThis neat library brought 246 hits, so its inclusion is welcome. However,
\nthere are issues. It has been a topic before on the ModSecurity mailinglist,
\nbut I mention them here again: LibInjection seems to be a fine piece of code.
\nBut the website comes with a broken SSL Certificate and a server error, the
\nChangelog on github is severely outdated and the inclusion of XSS detection
\ninto the library is mostly undocumented as is the functioning of @detectXSS and
\n@detectSQLi in ModSecurity. 99% of the commits to libinjection were done by
\nthe main developer.
\nIf you want to know how this works, you will find little information beyond
\nslides presented at OWASP meetings. What I would like to see is a technical
\ndescription of how this parser works. If I would be happy with impressive
\nslides, I would go and buy a commerical product.
\nI have no idea of the code quality, but from what I can tell about the project
\nlooking at the surface, libinjection does not look trustworthy.<\/p>\n
Rules 981172, 981173 (Restricted SQL Character Anomaly Detection Alert) : Gone from v3.0.0-dev<\/strong>
\n981172 did not trigger any alarms, but its sibling 981173 did issue 427 alerts.
\nLike 96024, these are workhorses likely to trigger a lot of false positives. And
\nthis is why they went away. I am working on a pull request to bring them back,
\nprobably via an optional setting.
\nSee this blogpost<\/a> for a more detailed discussion.<\/p>\n
Rule 981231 (SQL Comment Sequence Detected) : Gone from 3.0.0-dev<\/strong>
\nThis rule was removed from the dev-tree of the Core Rules. It was aimed at
\nSQL comments. Maybe this was not deemed important enough, or a cause of
\ntoo many false positives. I can not tell. But 71 hits in my tests
\nmay be enough to reconsider this step.<\/p>\n
Rule 981261 (SQL Injection Attack Detected via LibInjection) : New rule in v3.0.0-dev<\/strong>
\nThis is the rule with the new @detectSQLi operator based on libinjection.
\nGiven the number of other SQLi rules triggered I actually expected more hits
\nhere. But then all I know about libinjection are the impressive slides.
\nGiven my tests, there was not the same haircut with Anti-SQLi rules like with
\nAnti-XSS. But @detectSQLi still does not compensate the ones that are gone.<\/p>\n
Rule 981318 (SQL Injection Attack: Common Injection Testing Detected) : Rule with shorter teeth<\/strong>
\nThis rule is no longer applied to cookies and it does not cover the same range of
\ncharacters anymore. See:
\nTargets old: SecRule REQUEST_COOKIES|!REQUEST_COOKIES:\/__utm\/|!REQUEST_COOKIES:\/_pk_ref\/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:\/*
\nTargets new: SecRule ARGS_NAMES|ARGS|XML:\/*
\nRegex old: “(^[\\”‘`\u00b4\u2019\u2018;]+|[\\”‘`\u00b4\u2019\u2018;]+$)”
\nRegex new: “(^[\\”‘`;]+|[\\”‘`]+$)”
\nWe lost about a quarter of the hits with this simplification.<\/p>\n
Rule 990012 (Request Indicates a Security Scanner Scanned the Site) : Gone from v3.0.0-dev<\/strong>
\nThis rule is gone from the ruleset. The loss of 6000 hits based on the
\ndata file modsecurity_35_bad_robots.data is partially compensated in the
\n990902 rule, which received an extended pair of teeth. But we lost
\nmore than 3000 alerts.
\nThe reason for the removal could be, that this rule is redundant to 990002,
\nwhich was based on modsecurity_35_scanners.data. But in fact, the two
\ndata files are complementary and both rules target the User-Agent.
\nThe data file scanners-user-agents.data now used in rule 990002 received
\nsome of the user agents in modsecurity_35_bad_robots.data, but far from all.
\nSo I really do not know.<\/p>\n
Rule 990902 (Request Indicates a Security Scanner Scanned the Site) : Rule with bigger teeth in v3.0.0-dev<\/strong>
\n990902 used to test only for 2-3 regexes in the former edition. Now the dataset was expanded.
\nObviously to cover nikto as well. The feat is performed via the query string parameter
\nhttp:\/\/cirt.net\/rfiinc.txt sent by nikto in thousands of cases.
\nThe 2336 hits look impressive here and if a script kiddy attacker really makes
\nan approach using this tool, then the bells will go off. But all these
\nanti-scanner rules only work against the obvious scanning attempts, so we
\nshould not trust them too much. The expansion of 990902 sure is a good thing.<\/p>\n
So this is my overview over the development of the OWASP ModSecurity Core Rules 3.0.0.
\nThere are interesting new features, but also important rules which disappeared. I
\nhope some of them can be brought back before the 3.0.0 ruleset is released to the public.<\/p>\n
If you have questions or feedback, then please get in touch via mail or twitter.<\/p>\n
Christian Folini, netnea, @ChrFolini<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
It has been a while since we have seen big development in the OWASP ModSecurity Core Rules. This is due to the fact, that the development took place in a separate branch named 3.0.0-dev which adopts many of the newer features and operators included in ModSecurity since 2.7; notably @detectSQLi and @detectXSS. When you take […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[33,10,15],"class_list":{"0":"post-718","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-security","7":"tag-core-rules","8":"tag-modsecurity","9":"tag-security-2","10":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/comments?post=718"}],"version-history":[{"count":33,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/718\/revisions"}],"predecessor-version":[{"id":755,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/718\/revisions\/755"}],"wp:attachment":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/media?parent=718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/categories?post=718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/tags?post=718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}