Hi Christian,
Thank you for your reply. I will use your feedback to investigate the reason, 
but will postpone that to another time. From my research I also found that this rule 
is not much used and needs some extra effort to get it working on a specific 
application.
Regards,
Dauto

> Date: Thu, 12 May 2016 09:13:14 +0200
> From: christian.fol...@netnea.com
> To: jeicha...@hotmail.com
> CC: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] CSRF Attack Detected - Invalid 
> Token
> 
> Dauto,
> 
> As you know, this is part of the optional rules collection and this
> means it is less used and less tested than the other core rules.
> 
> Personally, I have not used this ruleset, so I am not really sure it
> works as advertised.
> 
> A few questions I would try to answer if I were debugging this:
> - Is the 16 session hijacking ruleset enabled?
> - Are you sure it is executed before the 43 csrf file? (I guess it is.)
> - Is the session collection active at the moment 981144 is activated?
> - Do you see any values in the session collection?
> - Can you write to and read from the session collection?
> 
> Ahoj,
> 
> Christian
> 
> On Thu, May 12, 2016 at 12:08:47AM +0200, Dauto Jeichande wrote:
> > Dear all,
> > I'm testing the modsecurity_crs_43_csrf_protection.conf. I can see that the 
> > requests to the application contains the CSRF Token. However in the 
> > error.log I'm having the following warning when browsing the application:
> >  ModSecurity: Warning. Match of "streq %{SESSION.CSRF_TOKEN}" against 
> > "ARGS:CSRF_TOKEN" required. [file 
> > "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_43_csrf_protection.conf"]
> >  [line "34"] [id "981144"] [msg "CSRF Attack Detected - Invalid Token."] 
> > [hostname "xxxxx"] [uri "xxxxxx"] [unique_id "xxxxxxxxxxxxxx"]
> > What should I do to fix this warning?
> > Thanks,
> > Dauto                                         
> > 
> 
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
> 
> -- 
> mailto:christian.fol...@netnea.com
> http://www.christian-folini.ch
> twitter: @ChrFolini
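
To make Christian's checklist concrete, here is an added example of a minimal ModSecurity 2.x configuration (Apache-style directives) showing how a session-bound CSRF token check depends on the SESSION collection being initialized earlier in the same transaction. It is not the text of modsecurity_crs_43_csrf_protection.conf or of the 16 session-hijacking file; the rule IDs 1000001-1000005, the cookie name PHPSESSID and the SecDataDir path are assumptions made for illustration.

```apache
# Added example, not the CRS rule files. IDs 1000001-1000005, the cookie
# name PHPSESSID and the SecDataDir path are assumptions for illustration.

SecRuleEngine On

# Persistent collections (SESSION, IP, ...) are only stored if SecDataDir
# is set and writable by the Apache user; without it SESSION stays empty.
SecDataDir /var/cache/modsecurity

# 1. Bind SESSION to the application's session cookie in phase 1, so the
#    collection is already active when the token rules run in phase 2.
#    (In CRS 2.x this is the job of the 16 session-hijacking file, which
#    is why it must be included before the 43 csrf file.)
SecRule REQUEST_COOKIES:PHPSESSID ".+" \
    "phase:1,id:1000001,t:none,pass,nolog,setsid:%{MATCHED_VAR}"

# 2. If this session has no token yet, create one and store it in the
#    collection. %{UNIQUE_ID} is only a stand-in for a value the client
#    cannot predict; a hashed random value is preferable in practice.
SecRule &SESSION:CSRF_TOKEN "@eq 0" \
    "phase:2,id:1000002,t:none,pass,nolog,setvar:session.csrf_token=%{UNIQUE_ID}"

# 3. Debugging aid for "do you see any values in the session collection?":
#    write the current SESSION.CSRF_TOKEN to the audit/error log. If the
#    variable does not exist this rule never fires, so a missing log line
#    itself tells you the collection is empty. Remove in production.
SecRule SESSION:CSRF_TOKEN ".*" \
    "phase:2,id:1000003,t:none,pass,log,msg:'SESSION.CSRF_TOKEN value',logdata:'%{MATCHED_VAR}'"

# 4. A state-changing request must carry the token at all ...
SecRule REQUEST_METHOD "@streq POST" \
    "phase:2,id:1000004,t:none,chain,deny,status:403,msg:'CSRF token missing'"
    SecRule &ARGS:CSRF_TOKEN "@eq 0" "t:none"

# 5. ... and it must equal the session's token. If SESSION was never
#    initialized in this transaction, %{SESSION.CSRF_TOKEN} expands to an
#    empty string and the comparison fails for every request, which is
#    what an "Invalid Token" match on every page load looks like.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:2,id:1000005,t:none,chain,deny,status:403,msg:'CSRF token does not match session'"
    SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "t:none"
```

To check the last two items on the list (can you write to and read from the collection?), set SecDebugLog to a file and raise SecDebugLogLevel to 9 for a single test request: the debug log records when a collection is retrieved and when its variables are written back at the end of the transaction, so a setsid that never runs, or a SecDataDir the Apache user cannot write, shows up there before rule 981144 is even reached.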