From: "conn.zhang" <conn.zh...@dbappsecurity.com.cn>
Reply-To: "conn.zhang" <conn.zh...@dbappsecurity.com.cn>
Date: Tuesday, March 12, 2013 9:37 PM
To: owasp-modsecurity-core-rule-set <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] Using SecHashKey, SecParam, SecHashMethodRx set cookie token
Hello, all! Now I'm using the SecHashKey, SecHashParam and SecHashMethodRx variables to set the cookie token. My rule looks like this:

SecHashEngine On
SecHashParam cookie_token
SecHashKey Rand SessionID
SecHashMethodRx HashLocation "Set-Cookie2?"
SecRule REQUEST_HEADERS "@validateHash Cookie" \
    "phase:2,capture,t:none,block,ctl:HashEnforcement=On,log,auditlog,status:403,id:'999900'"

I don't see the token being set in the Cookie header.

DBAppSecurity

________________________________

The SecHashEngine does not protect Cookies at this point. We have plans to add this capability. In the meantime, there are some options using SecRules. In Chapter 8, "Defending Session State", of my book (http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html) I cover this in Recipe 82-: Detecting Cookie Tampering.

If you have already activated the OWASP CRS rules to create the Session Collection, you can use this rule to save the Set-Cookie data to the Session Collection:

#
# -=[ Save Set-Cookie Name/Value Pairs ]=-
#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "^(.*?)=(.*?);" "chain,phase:3,id:'981063',t:none,nolog,pass,capture,setvar:tx.cookie_name_counter=+1,setvar:tx.cookie_name_%{tx.cookie_name_counter}=/%{tx.1}/,setvar:'session.cookie_list=%{session.cookie_list} %{tx.0}'"
    SecRule SESSION:COOKIE_LIST ".*" "t:trimLeft,setvar:session.cookie_list=%{matched_var}"

You can then validate Request Cookies with this rule:

SecRule REQUEST_COOKIES ".*" "chain,phase:1,id:'958233',t:none,block,msg:'Invalid Cookie Data Submitted.',logdata:'Cookie Data: %{matched_var}',tag:'OWASP_AppSensor/SE1',setvar:'tx.req_cookie_%{matched_var_name}=%{matched_var};'"
    SecRule TX:/REQ_COOKIE_/ "!@within %{session.cookie_list}" "setvar:tx.cookie_name=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/INVALID_SESSIONID-%{matched_var_name}=%{tx.0}"

Keep in mind that you may run into false positives if your site uses JS to create/modify Cookies.
-Ryan
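To make the behaviour of the two rules above concrete, here is an added Python model of their logic (not code from the thread or from the CRS): it applies the same `^(.*?)=(.*?);` capture to constructed Set-Cookie headers, builds the per-session cookie_list string, and performs the same substring (`@within`) test on request cookies. The sample headers and the simple `;`-split of the Cookie header are constructed assumptions for illustration.

```python
import re

# Same capture pattern as rule 981063: tx.0 is "name=value;" of each Set-Cookie
SET_COOKIE_RX = re.compile(r"^(.*?)=(.*?);")


def record_set_cookies(response_headers, cookie_list=""):
    """Phase-3 side: append each captured 'name=value;' to the per-session
    cookie_list string (trimLeft applied, as in the chained rule).
    A Set-Cookie without a trailing ';' does not match the regex and is
    skipped, exactly as the rule would skip it."""
    for name, value in response_headers:
        if name.lower() not in ("set-cookie", "set-cookie2"):
            continue
        m = SET_COOKIE_RX.match(value)
        if m:
            cookie_list = (cookie_list + " " + m.group(0)).lstrip()
    return cookie_list


def validate_request_cookies(cookie_header, cookie_list):
    """Phase-1 side: rule 958233 stores '<value>;' per request cookie and the
    chained rule flags it unless that string occurs within cookie_list.
    This is a plain substring test, like @within, so it knows nothing about
    which name the value belongs to. Returns the flagged (name, value) pairs."""
    flagged = []
    for part in cookie_header.split(";"):   # simplified Cookie-header parsing
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        if (value + ";") not in cookie_list:
            flagged.append((name, value))
    return flagged


# Constructed sample response (not taken from the original thread)
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=7f3a9c21d; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "theme=dark"),   # no ';' -> never enters cookie_list
]


def demo():
    cookie_list = record_set_cookies(RESPONSE_HEADERS)
    legit = validate_request_cookies("JSESSIONID=7f3a9c21d; lang=en", cookie_list)
    tampered = validate_request_cookies("JSESSIONID=0000000000; lang=en", cookie_list)
    # 'theme' (server-set without ';') and 'tz' (created by client-side JS)
    # are both flagged although harmless: the false positive Ryan warns about
    js_created = validate_request_cookies("JSESSIONID=7f3a9c21d; theme=dark; tz=UTC", cookie_list)
    return cookie_list, legit, tampered, js_created
```

Running `demo()` shows the legitimate request passing, the altered JSESSIONID being flagged, and the JS-created and attribute-less cookies being flagged as well, which is why the rule needs tuning on sites that set cookies from JavaScript.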
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set