From: Rolling Stone <jzy2...@hotmail.com>
Date: Thursday, September 12, 2013 10:54 AM
To: <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] XSS/CSP brain storm
Many agree that deploying CSP for Web apps is a hassle, one part of which is externalizing all inline JS. I would like to discuss the idea of making this process automated by the ModSecurity Core Rule Set with the assistance of a Lua script; can anyone help me validate this idea? Here is the workflow. In "learning mode", create a Lua script to:

1- Intercept and scan response data, parse the HTML and identify inline JS and JS embedded in HTML events.
2- Then create a new .js file to include the identified JS, and store it (e.g. via FTP) in a web location that can be accessed from a public domain.
3- Remove inline JS blocks from the response.
4- Replace HTML events in the response with calls to the new JS functions.
5- Calculate CSP content based on the original response, adding the location of the newly generated .js file.
6- Append the generated CSP headers to the response.
7- Save metadata (i.e. new .js file name, hash of original response, request URL) to a local data store for caching (performance consideration).

"Learning mode" refers to the Core Rule Set performing the above actions ONLY when it sees a request from a trusted source such as a given IP address. Automated requests can be sent by the open-source web crawlers available out there, or by web browsers manually.

Thanks,
R.S.

First of all, I agree with your problem statement. While CSP has value, orgs have a difficult time retro-fitting their apps to support it. If you have not seen it, please see my recent blog post on how to implement CSP as a part of virtual patching remediation for XSS vulns - http://blog.spiderlabs.com/2013/07/modsecurity-advanced-topic-of-the-week-mitigating-xss-vulnerabilities-using-targeted-csp-enforcement.html

I like your idea, however it would not be easy... As Achim mentioned, doing proper parsing/extraction of JS data, etc. would be challenging. Due to the extensive response data changes needed here, this would probably be best suited for some new additional engine vs. the Lua API. I do think this idea is worth exploring however.
-Ryan
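To make the seven-step workflow above concrete, here is an added example that models steps 1 through 7 outside ModSecurity. It is not code from the mailing-list post, from ModSecurity or from the Core Rule Set, and it is Python rather than the Lua script R.S. proposes, so the transformation can be run and inspected on its own. SAMPLE_HTML is a constructed response body, GENERATED_BASE is a hypothetical public location for the generated file, and externalize() is a hypothetical function name. The regexes stand in for the response parser the post leaves open, and they are exactly the fragile part Achim and Ryan point at: they break on a `</script>` inside a JS string, on attributes split across comments, and on anything the browser's HTML parser would recover differently.

```python
"""Model of 'externalize inline JS, then emit a CSP' on one HTML response.

Added example; not code from the post, ModSecurity or the CRS. Runs offline
on a constructed page. Regex-based extraction is a stand-in for a real parser.
"""
import hashlib
import html
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample response body (hypothetical application page).
SAMPLE_HTML = """<html><head><title>demo</title>
<script>function greet(){ alert('hi'); }</script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<button onclick="greet()">Say hi</button>
<a href="/x" onmouseover="this.style.color='red'; return false">link</a>
</body></html>"""

# Hypothetical public location for generated files (step 2 of the post).
GENERATED_BASE = "https://static.example.org/csp-gen/"

SCRIPT_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?(?P<src>[^"'\s>]+)""", re.I)
EVENT_RE = re.compile(r"""\s(?P<name>on[a-z]+)\s*=\s*(?P<q>["'])(?P<code>.*?)(?P=q)""", re.I | re.S)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Rewrite:
    body: str        # response with inline JS removed and the generated file linked
    js: str          # generated external script
    js_url: str      # where the generated script is published
    csp: str         # Content-Security-Policy header value (step 6)
    metadata: dict   # cache record: request URL, original hash, file name (step 7)


def externalize(body: str, request_url: str) -> Rewrite:
    chunks = []            # inline <script> bodies (step 1)
    handlers = []          # (index, event, code) for rewritten on* attributes
    script_origins = set() # origins of external scripts kept in the page (step 5)

    def strip_script(m):
        src = SRC_RE.search(m.group("attrs"))
        if src:
            parts = urlsplit(src.group("src"))
            if parts.scheme and parts.netloc:
                script_origins.add(f"{parts.scheme}://{parts.netloc}")
            return m.group(0)          # external script stays where it is
        chunks.append(m.group("body").strip())
        return ""                      # step 3: drop the inline block

    out = SCRIPT_RE.sub(strip_script, body)

    def strip_handler(m):
        idx = len(handlers)
        # Browsers HTML-decode attribute values before evaluating them.
        handlers.append((idx, m.group("name")[2:].lower(), html.unescape(m.group("code"))))
        return f' data-csp-handler="{idx}"'   # step 4: leave a hook, not code

    out = EVENT_RE.sub(strip_handler, out)

    lines = list(chunks)
    for idx, event, code in handlers:
        # function(event){...}.call(this, event) keeps 'this' and 'event' as an
        # inline handler sees them; 'return false' no longer cancels the default
        # action under addEventListener, so it is mapped to preventDefault().
        lines.append(
            "document.querySelectorAll('[data-csp-handler=\"" + str(idx) + "\"]')"
            ".forEach(function (el) {\n"
            "  el.addEventListener('" + event + "', function (event) {\n"
            "    var r = (function (event) { " + code + " }).call(this, event);\n"
            "    if (r === false) { event.preventDefault(); }\n"
            "  });\n"
            "});"
        )
    js = ("document.addEventListener('DOMContentLoaded', function () {\n"
          + "\n".join(lines) + "\n});\n")

    # Content-addressed file name: identical pages share one artifact (step 7).
    js_name = sha256_hex(js)[:16] + ".js"
    js_url = GENERATED_BASE + js_name
    base = urlsplit(GENERATED_BASE)
    script_origins.add(f"{base.scheme}://{base.netloc}")

    # Nothing inline remains, so no 'unsafe-inline' is needed (steps 5 and 6).
    csp = ("default-src 'self'; script-src 'self' "
           + " ".join(sorted(script_origins)) + "; object-src 'none'")
    metadata = {"request_url": request_url,
                "original_sha256": sha256_hex(body),
                "js_file": js_name}
    out = out.replace("</head>", f'<script src="{js_url}"></script></head>', 1)
    return Rewrite(out, js, js_url, csp, metadata)


if __name__ == "__main__":
    r = externalize(SAMPLE_HTML, "https://app.example.org/page")
    print(r.csp)
    print(r.body)
    print(r.js)
```

Two things the model makes visible that the list of steps does not. First, step 4 is not a textual move: an inline handler runs with `this` bound to the element, sees an `event` variable and cancels the default action by returning false, and the generated listener has to reproduce all three or the page changes behaviour. Second, the response hash in the metadata is what keeps the learning-mode cache honest; a page whose body differs from the cached hash must be re-learned, otherwise the CSP would allow a stale script file while the rewritten body no longer matches it.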