[mod-security-users] CSRF with Apache 2.4.9 and Mod_security 2.8
From: Francis H. <fhi...@gm...> - 2014-06-05 23:30:37
Hi, I'm trying to get the CSRF rules to work with Apache 2.4.9 and mod_security. They are not working consistently: sometimes the JavaScript is appended, other times not. I have not been able to work out any pattern to this inconsistency. In the debug log I see the rule being triggered...

[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][5] Rule 231c738: SecRule "&SESSION:CSRF_TOKEN" "@eq 1" "phase:4,auditlog,id:981145,t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> var tokenName = 'CSRF_TOKEN'; var tokenValue = '%{session.csrf_token}'; \rfunction updateTags() { var all = document.all ? document.all : document.getElementsByTagName('*'); var len = all.length; for(var i=0; i<len; i++) { var e = all[i]; updateTag(e, 'src'); updateTag(e, 'href'); } } \rfunction updateForms() { var forms = document.getElementsByTagName('form'); for(i=0; i<forms.length; i++) { var html = forms[i].innerHTML; html += '<input type=hidden name=' + tokenName + ' value=' + tokenValue + ' />'; forms[i].innerHTML = html; } } \rfunction updateTag(element, attr) { var location = element.getAttribute(attr); if(location != null && location != '' && i
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Transformation completed in 1 usec.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Executing operator "eq" with param "1" against &SESSION:CSRF_TOKEN.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Operator completed in 1 usec.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Rule returned 0.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Output filter: Output forwarding complete.

...but often nothing appears in the browser. Then sometimes it does.

Also, if the LocationMatch is set to .* then everything (.js, .css, .jpg, .ico) triggers the rule, even though the directive says SecResponseBodyMimeType text/plain text/html text/xml. I have to explicitly match .*\.do|.*\.jsp

Any ideas?

Regards,
fjh.