[mod-security-users] CSRF with Apache 2.4.9 and Mod_security 2.8

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I'm trying to get the csrf rules to work with Apache 2.4.9 and mod_security.

They are not working consistently, sometimes the Javascript is appended,
other times not. I have not been able to work out any pattern to this
inconsistency.

In the debug log I see the rule being triggered...

[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][5] Rule
231c738: SecRule "&SESSION:CSRF_TOKEN" "@eq 1"
"phase:4,auditlog,id:981145,t:none,nolog,pass,append:'<html><script
language=\"JavaScript\"> var tokenName = 'CSRF_TOKEN'; var tokenValue =
'%{session.csrf_token}'; \rfunction updateTags() {         var all =
document.all ? document.all : document.getElementsByTagName('*');
var len = all.length;         for(var i=0; i<len; i++) {
var e = all[i];                                 updateTag(e, 'src');
          updateTag(e, 'href');         } } \rfunction updateForms() {
    var forms = document.getElementsByTagName('form');
    for(i=0; i<forms.length; i++) {                 var html =
forms[i].innerHTML;                                 html += '<input
type=hidden name=' + tokenName + ' value=' + tokenValue + ' />';
      forms[i].innerHTML = html;         } } \rfunction updateTag(element,
attr) {         var location = element.getAttribute(attr);
if(location != null && location != '' && i
[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4]
Transformation completed in 1 usec.
[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Executing
operator "eq" with param "1" against &SESSION:CSRF_TOKEN.
[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Operator
completed in 1 usec.
[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Rule
returned 0.
[05/Jun/2014:17:44:19 --0500]
[hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Output
filter: Output forwarding complete.

but often nothing appears in the browser. Then sometimes it does.

Also if the LocationMatch is set to .* everything (.js, .css .jpg .ico)
triggers the rule even though the directive says

SecResponseBodyMimeType text/plain text/html text/xml

I have to explicity match .*\.do|.*\.jsp

Any ideas?

Regards, fjh.