On Tue, Oct 1, 2013 at 10:56 PM, John McGowan <j...@lynch2.com> wrote:

> Is it possible for a mod_security rule to drop a cookie or an argument
> from a request without dropping the entire request?


Hi John,

While I would not recommend this approach, you could use mod_headers to
remove the cookie and the rsub action to remove POST body data from
requests if you know the cookie/parameter name ahead of time. There is a
good chance that this will negatively affect the functionality of the web
application though. If you're getting too many false positives for a given
cookie/parameter value and you know that they are not vulnerable to a given
attack type, have you tried disabling rules by tag name? This may be a
cleaner approach to solving your problem.

--
 - Josh


>  We're constantly
> having to monitor our error_log and add exceptions whenever we or a
> 3rd party is setting a cookie or an argument that looks suspicious to
> the core rules set.
>
> Ideally I'd like to be able to tell mod_security to drop any offending
> get or post args or cookies if they look suspicious so that the
> request is still handled, but the scary data doesn't end up getting
> processed.  Of course I'd want to log this when it happens so that if
> the cookie/arg is something that my app cares about I can decide what
> needs to happen next.
>
> I'm tired of having to add exceptions every time some new 3rd party
> cookie gets set on the domain that has complex characters, or
> resembles an injection attack.
>
> --
> John McGowan
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
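
The tag-based exclusion suggested in the reply above, shown at three scopes, as an added example that is not part of the original thread or the CRS project's own configuration. The cookie name, path and rule id are hypothetical, and the tag is assumed to be the one the installed CRS version puts on its SQL injection rules.

```apache
# Added example. Hypothetical values: cookie "partner_pref", path "/checkout",
# rule id 1000001. Assumed tag: OWASP_CRS/WEB_ATTACK/SQL_INJECTION (check the
# tag: actions in the installed rule files before relying on it).

# --- Broadest: disable every rule carrying the tag -------------------------
# Place AFTER the CRS Include lines; it acts on rules that are already loaded.
# Left commented out because it removes SQLi inspection for all inputs.
#SecRuleRemoveByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"

# --- Narrower: keep the rules, exempt one known cookie everywhere ----------
# Also placed AFTER the CRS Include lines. Every other cookie and argument
# is still inspected by the tagged rules.
SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION" \
    "!REQUEST_COOKIES:partner_pref"

# --- Narrowest: exempt the cookie only on one path, decided per request ----
# Place BEFORE the CRS Include lines so the ctl action has already run when
# the tagged rules are evaluated for this transaction.
SecRule REQUEST_URI "@beginsWith /checkout" \
    "id:1000001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;REQUEST_COOKIES:partner_pref"
```

Use only one of the three; the narrower the scope, the less inspection is given up for inputs that were never producing false positives.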