On Wed, Mar 13, 2013 at 3:37 AM, conn.zhang <conn.zh...@dbappsecurity.com.cn > wrote:
> Hello, all!
> Now I'm using the SecHashKey, SecHashParam and SecHashMethodRx variables to set the cookie token.
> My rule looks like this:
>
> SecHashEngine On
> SecHashParam cookie_token
> SecHashKey Rand SessionID
> SecHashMethodRx HashLocation "Set-Cookie2?"
> SecRule REQUEST_HEADERS "@validateHash Cookie" \
>     "phase:2,capture,t:none,block,ctl:HashEnforcement=On,log,auditlog,status:403,id:'999900'"
>
> I don't see the token being set in the cookie header.
>
> DBAppSecurity

Hi,

While this question isn't related to the core rule set, the HashLocation SecHashMethodRx type can only be used to sign the Location header in the response (not the Set-Cookie header).

One way to sign the cookie would be to send the cookie value you want to sign to a Lua script that creates the hash, then use mod_headers to inject the hash back into the Set-Cookie header. You could then use a similar process to validate the hash value when the cookie is submitted by the client.

For a somewhat similar example used to protect hidden input fields see:
http://blog.spiderlabs.com/2012/07/reducing-web-apps-attack-surface.html

--
- Josh
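The sign-on-response / validate-on-request scheme Josh outlines, as an added example in Python (not code from this thread, from ModSecurity or from the linked post). The secret key, the cookie name and the "value.mac" layout are assumptions; a keyed HMAC is used rather than a bare hash so a client cannot recompute the tag, and the request side rejects a missing, malformed or mismatched tag.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed secret for the example; a deployment would load this from outside
# the rule set (assumption). Must never be derivable by the client.
SECRET_KEY = b"replace-with-a-long-random-key"
COOKIE_NAME = "cookie_token"  # the parameter named in the poster's SecHashParam


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Response side: return '<value>.<hex HMAC-SHA256 of value>'."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def build_set_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """The Set-Cookie header value that mod_headers would inject."""
    return f"{COOKIE_NAME}={sign_value(value, key)}; Path=/; HttpOnly; Secure"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal Cookie: header parser ('a=1; b=2' -> {'a': '1', 'b': '2'})."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, val = part.strip().partition("=")
            jar[name] = val
    return jar


def validate_cookie(header: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Request side: return the original value if its tag verifies, else None.

    Missing cookie, missing separator and MAC mismatch all return None, so the
    caller can block exactly as the poster's rule intends (status:403).
    """
    signed = parse_cookie_header(header).get(COOKIE_NAME)
    if signed is None or "." not in signed:
        return None
    value, _, presented = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time regardless of where
    # the first differing byte sits.
    if not hmac.compare_digest(presented, expected):
        return None
    return value
```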
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set