On 02/15/2011 11:38 AM, Jim Manico wrote:
[snip]
> Ryan Barnett just spit out a new (impressive) mod security rule so you
> can tactically patch without touching code (see below).
> [snip]
> First step is to inspect the ARGS and REQUEST_HEADERS data using a regex
> to match on potential floating point payloads -
>
> SecRule ARGS|REQUEST_HEADERS "[0-9\.]{12,}e-[0-9]{3,}"
> "phase:2,t:none,t:lowercase,nolog,pass,exec:/usr/local/apache/conf/modsec_current/base_rules/FloatingPointDoSAttack.lua"
>
> If a payload is found that matches the regex check, ModSecurity will
> execute an external Lua script. The lua script then extracts out
> payloads, strips out the "." and then searches for the MagicDoSNumber. If
> this is found, then a TX variable is exported -
Great idea, but the regex still needs work. For instance, one needn't even use
scientific notation at all, unless there is some other mod_security rule
restricting the overall length of an HTTP request header. E.g.,

    Accept-Language: en-us; q=0.000000000...00022250738585072012

where I've omitted the appropriate # of zeros for the sake of readability.
Similarly, one could also write the quality metric using 'e-90' or 'e-3' or
whatever; even 'e+2' if I wanted.

But the approach is correct; only the regex needs work unless there's some
other mod_security rule that would catch these things.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
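A normalising check of the kind the Lua script performs and Kevin's critique calls for, added here as an illustration (it is not ModSecurity's, Ryan Barnett's or the list's code): instead of keying on scientific notation, it reduces every numeric token to its significant digits, so the plain-decimal form, an 'e-90' form and any other exponent spelling of the magic digits are flagged alike. The header values below are constructed samples; the regex and function names are the example's own.

```python
from __future__ import annotations
import re

# Digits of the value the thread calls the MagicDoSNumber. Only the
# significant digits are compared, so the number of zeros or the exponent
# chosen by the sender makes no difference to the match.
MAGIC_DIGITS = "22250738585072012"

# Any decimal literal: optional sign, integer and/or fraction part,
# optional exponent in either direction.
NUMBER_RE = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def significant_digits(token: str) -> str:
    """Strip sign, '.', exponent and leading/trailing zeros from a decimal
    literal, leaving only the digits that determine its value."""
    mantissa = re.split(r"[eE]", token, maxsplit=1)[0]
    return mantissa.lstrip("+-").replace(".", "").lstrip("0").rstrip("0")


def find_suspect_numbers(value: str) -> list[str]:
    """Return every numeric token in a header or parameter value whose
    significant digits contain the magic sequence. Substring matching is
    deliberate: a WAF rule would rather over-flag than miss a variant."""
    return [tok for tok in NUMBER_RE.findall(value)
            if MAGIC_DIGITS in significant_digits(tok)]


def scan_headers(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Mimic the rule's REQUEST_HEADERS scan: (header name, token) for each
    suspect token found in any header value."""
    return [(name, tok) for name, value in headers.items()
            for tok in find_suspect_numbers(value)]


if __name__ == "__main__":
    # Constructed request headers: one plain-decimal variant (few zeros, for
    # readability), one with a small exponent, and ordinary quality values.
    sample = {
        "Accept-Language": "en-us;q=0.00022250738585072012,en;q=0.5",
        "Accept": "text/html;q=22250738585072012e-90,*/*;q=0.8",
        "User-Agent": "Mozilla/5.0 (constructed sample)",
    }
    for name, tok in scan_headers(sample):
        print(f"suspect float in {name}: {tok}")
```

The original rule's regex would accept neither of the two flagged tokens above, because neither carries a three-digit negative exponent.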