Ben,

Please follow the steps here to submit a GitHub Pull request for updates -
http://www.modsecurity.org/developers/#GitHub

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Nov 11, 2012, at 4:15 PM, Ben Williams <benwilliams+ow...@joobworld.com> wrote:

> Here are a couple of fixes I've made to the session hijacking CRS 2.2.5 rules
> in use with modsecurity 2.6.8.
>
> Some of our cookie names have been changed, so ASPSESSIONIDXXX did not match in
> RESPONSE_HEADERS:/Set-Cookie2?/ but did match in REQUEST_COOKIES.
>
> Also there is a bug related to comparisons on collection keys that do not
> exist. When a request contains a cookie that has not been saved to the SESSION
> collection before, the intention is for tx.anomaly_score to be incremented by 5
> (critical) and the rest of the checks skipped, but this does not happen. Any
> test on a collection key that does not exist always returns false. This means
> the test on SESSION:VALID "!@eq 1" returns false, when the intention is for it
> to return true if the session cookie has not been seen before. And the
> following rules in the block are run, which triggers 981059, 981060, 981061 to
> return true since it is a new session collection without ip_hash or ua_hash
> keys.
>
> --
> Ben
> <modsecurity_crs_16_session_hijacking.conf.patch>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
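The missing-key behaviour Ben describes can be handled by testing for the key's existence before comparing its value. The rules below are an added illustration, not the CRS 2.2.5 rule text or Ben's patch; the rule ids, marker name and cookie-name regex are placeholders, and the `&` count prefix is the standard ModSecurity 2.x way to ask how many matching variables exist.

```apache
# Added example of the missing-collection-key pitfall and an explicit existence check.
# Rule ids 900900-900902, the marker name and the cookie regex are placeholders.

# Initialise the SESSION collection from the session cookie (regex is an assumption;
# match it to the application's real cookie names).
SecRule REQUEST_COOKIES:'/^(?:ASPSESSIONID[A-Z]+|PHPSESSID|JSESSIONID)$/' ".*" \
    "phase:1,id:900900,t:none,pass,nolog,setsid:%{MATCHED_VAR}"

# Pitfall: a rule such as
#     SecRule SESSION:VALID "!@eq 1" "...,setvar:tx.anomaly_score=+5,skipAfter:END_SESSION_HIJACKING"
# does nothing for a never-seen session, because there is no SESSION:VALID variable
# to evaluate, so the comparison is never true and the later checks still run.

# Fix, step 1: detect the absent key. '&SESSION:VALID' is the number of matching
# variables, which is 0 exactly when the key has not been stored yet. Treat that as
# a new session: raise the anomaly score and skip the remaining hijacking checks.
SecRule &SESSION:VALID "@eq 0" \
    "phase:1,id:900901,t:none,pass,nolog,\
    setvar:tx.anomaly_score=+5,skipAfter:END_SESSION_HIJACKING"

# Fix, step 2: only once the key is known to exist is the value comparison meaningful.
SecRule SESSION:VALID "!@eq 1" \
    "phase:1,id:900902,t:none,pass,nolog,\
    setvar:tx.anomaly_score=+5,skipAfter:END_SESSION_HIJACKING"

# ... ip_hash / ua_hash comparison rules would follow here ...

SecMarker END_SESSION_HIJACKING
```

Verify the behaviour in a test environment with `SecDebugLogLevel 9`: for a request carrying an unseen session cookie, the debug log should show rule 900901 matching and the skipAfter jump, and none of the later hash-comparison rules being evaluated.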