Dauto,

As you know, this is part of the optional rules collection and this means it is less used and less tested than the other core rules.

Personally, I have not used this ruleset, so I am not really sure it works as advertised. A few questions I would try to answer if I were debugging this:

- Is the 16 session hijacking ruleset enabled?
- Are you sure it is executed before the 43 csrf file (I guess it is)?
- Is the session collection active at the moment 981144 is activated?
- Do you see any values in the session collection?
- Can you write and read from the session collection?

Ahoj,

Christian

On Thu, May 12, 2016 at 12:08:47AM +0200, Dauto Jeichande wrote:
> Dear all,
>
> I'm testing the modsecurity_crs_43_csrf_protection.conf. I can see that the
> requests to the application contain the CSRF Token. However in the error.log
> I'm having the following warning when browsing the application:
>
> ModSecurity: Warning. Match of "streq %{SESSION.CSRF_TOKEN}" against
> "ARGS:CSRF_TOKEN" required. [file
> "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_43_csrf_protection.conf"]
> [line "34"] [id "981144"] [msg "CSRF Attack Detected - Invalid Token."]
> [hostname "xxxxx"] [uri "xxxxxx"] [unique_id "xxxxxxxxxxxxxx"]
>
> What should I do to fix this warning?
>
> Thanks,
> Dauto
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
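A concrete way to answer Christian's last three questions (is the session collection active, does it hold values, can it be written and read) is the following added diagnostic snippet; it is not from the thread and not part of the CRS. It assumes a session collection has already been opened with setsid earlier in phase 1 (as the 16 session hijacking rules do), that SecDataDir is configured, and uses placeholder rule ids 9001001-9001003.

```apache
# Added diagnostic rules, not from the thread or from the CRS.
# Assumptions: setsid has already run in phase 1 (the 16 session hijacking
# rules do this), SecDataDir points to a directory Apache can write, and
# rule ids 9001001-9001003 are free in your setup (they are placeholders).

# 1. Write a marker into the session collection on every request.
#    ModSecurity persists the collection to SecDataDir at the end of the
#    transaction, so the marker only becomes visible on the *next* request.
SecAction "phase:1,id:9001001,nolog,pass,t:none,setvar:session.probe=written"

# 2. On a later request, log what the collection holds, including the
#    CSRF token that rule 981144 compares ARGS:CSRF_TOKEN against.
#    An empty csrf_token here means the 43 csrf rules never stored one.
SecRule SESSION:probe "@streq written" \
    "phase:2,id:9001002,log,pass,t:none,\
    msg:'SESSION collection readable: probe=%{SESSION.probe} csrf_token=%{SESSION.CSRF_TOKEN}'"

# 3. If no marker came back, the session was not opened before this point
#    or was not persisted; in that state CSRF_TOKEN can never match and
#    981144 will warn on every request that carries a token.
SecRule &SESSION:probe "@eq 0" \
    "phase:2,id:9001003,log,pass,t:none,\
    msg:'SESSION collection empty: check setsid, SecDataDir permissions and rule order'"
```

Expect rule 9001003 to fire once on the very first request after enabling the snippet (nothing has been persisted yet); from the second request on, only 9001002 should appear if the collection works, and the logged csrf_token value tells you whether the 43 csrf rules ever wrote the token that 981144 checks.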