[mod-security-users] Signing variables and having ModSecurity check them
From: <chr...@po...> - 2009-04-30 06:20:20
Dear list,

Last night, I had an idea to solve a problem, which I have been turning in my head for a while. The proposed solution makes use of ModSecurity and I am not really sure I am making good use of it. Maybe somebody spends a few brain cycles to think this through and lets me know his thoughts.

The problem
-----------

We have a lean webserver hosting static pages and running a simple cgi. We do not have a session and we do not have a serverside store (and I do not want any).

Now the user submits some form, we execute the cgi and then we direct the user to a static page. Now comes the catch: the page should display some small bit of content depending on the form submission. Think of "Thank you for your submission, Christian."

This can be done via a query string and a bit of javascript:

redirect: -> http://www.example.com/submission_ok.html?display=Christian

(In reality the "display" variable would be base64 encoded.)

But obviously, this opens the door for injection attacks which give example.com a bad name (http://www.example.com/submission_ok.html?display=idiot)

So I decided to go with Server Side Includes. They are much more secure than they used to be thanks to a NoExec option. The idea is to use ModSecurity to base64-decode the variable display and write it into an environment variable. Then insert the environment variable into the quasi-static html-page.

This does not protect us from the injection attack mentioned above. But if we check for the Referer, we should be quite safe. At least in theory. In practice, I do not want to trust the Referer as it is controlled by the browser and as I do not really trust the browser.

So I was kind of stuck.

The proposed solution
---------------------

Then a solution sprang to my mind: I borrowed it from mod_auth_tkt. Mod_auth_tkt is a very lean authentication module working with signed cookies. Signed rang a bell with me.

So here we go.

- The cgi will assemble the base64 encoded variable display.
- Then it adds the client IP and a secret to it: display2.
- Then it calculates the sha1 hash of display2.
- Then it assembles the query string consisting of the hash and the display variable: ?hash=434zt934thwefz3&display=AB5GHYJd8 or so.
- Then it tells the browser to do a redirect.
- The client performs the redirect.
- The server receives the request to the static page.
- It takes the variable display, it adds the client IP and the secret to it and runs the hash.
- Then it checks this hash with the one provided by the client.
- If this is okay, then it inserts the base64 decoded display variable via SSI, otherwise, it does not.

I have not yet implemented this, but I am confident ModSecurity will let me do it. However, maybe I have made a mistake and maybe it is simply overkill and I overlooked a much more elegant solution.

So any feedback is welcome.

Best regards,

Christian

--
Christian Folini
Webserver Security Engineer
Die Schweizerische Post
Informationstechnologie
Unix Engineering
IT 222
Webergutstrasse 12
CH-3030 Bern (Zollikofen)
Tel: +41 (0)58 338 79 96
Fax: +41 (0)58 338 46 99
E-Mail: chr...@po...
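
Added example, not part of the original message and not ModSecurity rule code: the sign-and-check round trip from the list above, written out in Python. It goes beyond the post by also showing a keyed HMAC-SHA256 variant with a field separator, which is a swapped-in technique. The secret, the function names and the sample IP addresses are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-secret"  # assumption: known only to the cgi and the checking server


def sign_as_posted(display, client_ip):
    # Scheme from the post: display2 = display + client IP + secret, then sha1(display2).
    return hashlib.sha1(display.encode() + client_ip.encode() + SECRET).hexdigest()


def sign_hmac(display, client_ip):
    # Swapped-in variant (not from the post): keyed HMAC-SHA256 with a "|"
    # separator, so the signed bytes cannot be re-split into another
    # display/IP pair. "|" never occurs in base64 text or in an IP address.
    msg = f"{display}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_query(name, client_ip, sign=sign_hmac):
    # cgi side: encode the display value, sign it, assemble the redirect query string.
    display = base64.urlsafe_b64encode(name.encode()).decode()
    return urlencode({"hash": sign(display, client_ip), "display": display})


def verify_query(query, client_ip, sign=sign_hmac):
    # Server side: recompute the hash from the received display value and the
    # connection's IP. Return the decoded text only on a match, otherwise None.
    params = parse_qs(query)
    display = params.get("display", [""])[0]
    supplied = params.get("hash", [""])[0]
    expected = sign(display, client_ip).encode()
    if not display or not hmac.compare_digest(expected, supplied.encode()):
        return None
    try:
        return base64.urlsafe_b64decode(display).decode()
    except ValueError:  # bad base64 or bytes that are not valid UTF-8
        return None


if __name__ == "__main__":
    q = build_query("Christian", "192.0.2.10")  # constructed sample values
    print(q)
    print(verify_query(q, "192.0.2.10"))  # same client IP
    print(verify_query(q, "192.0.2.99"))  # different client IP
```

With plain concatenation the boundary between display and client IP is not part of what gets hashed, so two different display/IP pairs can yield the same display2; the separator in the HMAC variant removes that ambiguity.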