Hi everyone!

I'm trying to fit the Session Hijacking rules (modsecurity_crs_16_session_hijacking.conf) to my web app. My problem was described by someone else (but apparently never solved) in this older post on the modsecurity-users list: http://sourceforge.net/p/mod-security/mailman/message/30069414/

The Session Hijacking rules look at request and response cookies to find or create a new session. That works perfectly. However, the two rules after it will run in ANY case, even when no session has been initialized:

-----------------------------------------
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:3,id:'981063',capture,t:none,nolog,pass"
    SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

SecRule REQUEST_HEADERS:User-Agent ".*" "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}"
-----------------------------------------

Because the session collection wasn't initialized (e.g. for anonymous users or bots), the setvars fail and the log is filled with errors like:

-----------------------------------------
[example.com/sid#7fc5067fe380][rid#7fc4f43380a0][/path/to/file][3] Could not set variable "session.ip_hash" as the collection does not exist.
[example.com/sid#7fc5067fe380][rid#7fc4f43380a0][/path/to/file][3] Could not set variable "session.ua_hash" as the collection does not exist.
-----------------------------------------

To avoid this problem, I would like to chain these rules with a collection existence check, to avoid non-existence errors. My two questions:

1/ I don't know how to test for the existence of the session collection. I don't know if it makes a difference that the rule is parsed in phase 3 (response headers).

2/ More importantly, it seems like even chaining it to an impossible rule (e.g. SecRule &ARGS:x58t4z5 "@gt 128") will not stop it from logging these errors!

Maybe I misunderstood chaining or variable collections, but I can't seem to comprehend this issue! If anyone can enlighten me on either or both, I'd be delighted to hear your advice.

Thanks!
Ramy
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
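One way to write the existence check the question asks about, as an added example that is not part of the original post and not the CRS's own rule text: in ModSecurity 2.x the SESSIONID variable is only populated once the setsid action has run, so counting it with the & prefix (&SESSIONID) yields 1 when a session collection has been initialized and 0 otherwise. The rule ids, operators and transformations are kept from the two rules quoted in the post; the guard rule itself is an assumption to verify against your ModSecurity version, and the rules are placed in the same phase (3) as the originals because SESSIONID is set there by the preceding Set-Cookie rule.

```apache
# Added example, not from the original post or the CRS. Both session-fingerprint
# rules are wrapped in a chain whose first rule only matches when a session
# collection exists (SESSIONID is set by setsid, rule 981062 in the CRS file).
# In a chain, a later rule is evaluated only if every earlier rule matched, and
# the setvar on the last rule fires only when the whole chain matches, so with
# no initialized session the setvar never executes.

# Hash the first three octets of the client IP into session.ip_hash,
# only when a session has been initialized.
SecRule &SESSIONID "@eq 1" "chain,phase:3,id:'981063',t:none,nolog,pass"
    SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,capture,t:none"
        SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"

# Hash the User-Agent into session.ua_hash under the same guard.
SecRule &SESSIONID "@eq 1" "chain,phase:3,id:'981064',t:none,nolog,pass"
    SecRule REQUEST_HEADERS:User-Agent ".*" "t:none,t:sha1,t:hexEncode,setvar:session.ua_hash=%{matched_var}"
```

Note that the guard has to be the first rule of the chain: metadata actions such as id and phase are only allowed on the first rule, and the transformations (t:sha1,t:hexEncode) stay on the rule whose matched value is being hashed, exactly as in the original rules.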