Here are a couple of fixes I've made to the session hijacking CRS 2.2.5 rules in use with modsecurity 2.6.8. Some of our cookie names have been changed, so ASPSESSIONIDXXX did not match in RESPONSE_HEADERS:/Set-Cookie2?/ but did match in REQUEST_COOKIES.
Also there is a bug related to comparisons on collection keys that do not exist. When a request contains a cookie that has not been saved to the SESSION collection before, the intention is for tx.anomaly_score to be incremented by 5 (critical) and the rest of the checks skipped, but this does not happen. Any test on a collection key that does not exist always returns false. This means the test on SESSION:VALID "!@eq 1" returns false, when the intention is for it to return true if the session cookie has not been seen before. And the following rules in the block are run which triggers 981059,981060,981061 to return true since it is a new session collection withou ip_hash or ua_hash keys. -- Ben
modsecurity_crs_16_session_hijacking.conf.patch
Description: Binary data
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
