Thanks, Ryan, for the reply.

But I am not sure how I can make use of that in "optional_rules/modsecurity_crs_43_csrf_protection.conf".

If I replace <LocationMatch .*> in "optional_rules/modsecurity_crs_43_csrf_protection.conf" with location,

now I get this error: "Unknown command in config: location"

Below is what I did. Please correct it and guide me on how I should use it.

#<LocationMatch .*>
 location ~* {
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
 SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"



#
# This rule will use Content Injection to append the CSRF Token
#
SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
\
var tokenName = \'CSRF_TOKEN\'; \
var tokenValue = \'%{session.csrf_token}\'; \
\
function updateTags() { \
\
        var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
        var len = all.length; \

modsecurity rules goes here
.
.
.
}
#</LocationMatch>



Regards
Madhumitha



On Mon, Mar 24, 2014 at 9:52 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:
Madhumitha,
You are correct – that rules file uses Apache-specific <LocationMatch> directives. The idea is that you don't want to inject anti-CSRF tokens into all responses. This allows the user to define directories, etc., where they want to use it.

If you are running on Nginx, you should be able to use the Location directive syntax described here: http://wiki.nginx.org/HttpCoreModule#location

Ryan Barnett

Lead Security Researcher, SpiderLabs


Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com
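To illustrate what moving the per-path scoping into nginx looks like, here is an added example (not code from this thread, from the ModSecurity project, or from the CRS). The nginx `location` block goes in nginx.conf, because nginx's ModSecurity module hands the rules file to ModSecurity's own parser, which only understands Sec* directives; the rules file itself is the CRS content with the <LocationMatch> wrapper removed. The example assumes the ModSecurity 2.x nginx module's `ModSecurityEnabled` and `ModSecurityConfig` directives, that a regex pattern follows `~*` (nginx requires one), and that the SESSION collection referenced by %{SESSION.CSRF_TOKEN} is initialised by an earlier rule; the host, paths and upstream address are hypothetical placeholders.

```nginx
# ---- /etc/nginx/nginx.conf (excerpt; hypothetical paths) ----
http {
    server {
        listen 80;
        server_name example.test;   # placeholder host

        # Only responses under /account/ get the CSRF token check and
        # injection rules; other locations load the base rules elsewhere.
        location ~* ^/account/ {
            ModSecurityEnabled on;
            ModSecurityConfig /etc/modsecurity/csrf_location.conf;  # placeholder path
            proxy_pass http://127.0.0.1:8080;                         # placeholder upstream
        }
    }
}

# ---- /etc/modsecurity/csrf_location.conf (hypothetical path) ----
# Same rules as the CRS file, with no <LocationMatch>/</LocationMatch> lines.
# Assumes an earlier rule has run setsid so SESSION.CSRF_TOKEN is populated.

# Missing token: any request with arguments must carry CSRF_TOKEN.
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
    SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"

# Invalid token: the submitted value must equal the one stored in the session.
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
    SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"
```

A quick check after editing: `nginx -t` validates the nginx side, and a request to a path outside the `location` pattern should not carry the injected token, while one inside it should be blocked when CSRF_TOKEN is absent or wrong.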


From: Madhumita Mitha <madhu@appcito.net>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Monday, March 24, 2014 9:22 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] CSRF support in modsecurity + Nginx

Hi,

I am using nginx 1.4 and modsecurity 2.7.7.

Apart from the base rules, I am trying to use the "optional_rules/modsecurity_crs_43_csrf_protection.conf" in nginx.

But when I start nginx with the above rules, I get the following error: "Unknown command in config: <LocationMatch", and nginx refuses to start.


When I searched for information, one of the sites said that LocationMatch (Apache directive) support is not there for IIS and will be provided shortly.


Does this hold true for nginx as well?

And if I comment out LocationMatch, nginx starts properly, but if I do so I fear I may not be able to add CSRF support with nginx+modsecurity.

Or is there any particular segment that I can comment out in the file "optional_rules/modsecurity_crs_43_csrf_protection.conf" to add CSRF support?


Please help.


Regards
Madhumitha





_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users