Re: [mod-security-users] Bypass all rules on Cookies
From: Walter H. <mo...@sp...> - 2014-07-19 11:09:49
On 19 Jul 2014, at 11:12, Laurens De Vries <ld...@am...> wrote:

> Is there either a setting, or a rule I can add, to clear/bypass any cookie for all rules of the Core Set.

Adding a rule like this to your configuration could go a long way. It will bypass checking cookies for rules with any tag (which is almost all of the CRS):

    # Remove REQUEST_COOKIES as a target from every tagged rule
    SecAction \
      "id:1234567,phase:1,t:none,nolog,pass,\
      ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES"

I wouldn't recommend doing this though. It's a bit better to whitelist individual cookie names, instead of every cookie. Of course, for this, you must know the cookie name:

    # Remove only the named cookie as a target from every tagged rule
    SecAction \
      "id:1234567,phase:1,t:none,nolog,pass,\
      ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES:yourcookiename"

However, cookies can be manipulated by a client just like other parameters! If you run applications that handle cookies insecurely, you might open up yourself to attacks again. So it's even better to validate the cookie contents before whitelisting.

For instance, if you have problems with a PHPSESSID cookie which due to random chance contains some prohibited words, the following snippet will whitelist the PHPSESSID cookie *only* if it matches a valid cookie string from the PHP manual.

    # Exempt PHPSESSID only when it consists of the session id charset
    # (letters, digits, '-' and ','); the range is A-Z, not A-z
    SecRule REQUEST_COOKIES:PHPSESSID "^[a-zA-Z0-9\-,]+$" \
      "id:1234567,phase:1,t:none,nolog,pass,\
      ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES:PHPSESSID"

Now if someone would try some form of injection via the PHP session handler, they'd likely need some special characters and the request won't be whitelisted.

- Walter Hop | PGP key: https://lifeforms.nl/pgp |
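An added worked example (not part of Walter's message or of ModSecurity itself): a small Python model of which cookies each of the three exemption styles above still leaves for the CRS to inspect. A toy keyword check stands in for a real CRS rule, and the cookie values are constructed.

```python
import re

# Charset of a PHP session id, as in the validated SecRule above.
PHPSESSID_RE = re.compile(r"^[a-zA-Z0-9\-,]+$")
# Toy stand-in for a CRS injection rule: a few SQL keywords or a quote.
TOY_DETECTION_RE = re.compile(r"(?i)\b(union|select|sleep)\b|'")

# Constructed sample cookie jars (name -> value).
BENIGN = {"PHPSESSID": "abc,-123"}
UNLUCKY = {"PHPSESSID": "sleep-select-9"}           # random id hits keywords
SUSPECT = {"PHPSESSID": "x' or 1=1", "tracking": "1 union select 1"}


def exempt_cookies(cookies, policy):
    """Cookie names removed from inspection under a given exemption policy.

    'none'      - no exemption at all
    'all'       - ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES
    'named'     - ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES:PHPSESSID
    'validated' - the same, but only when PHPSESSID matches PHPSESSID_RE
    """
    if policy == "none":
        return set()
    if policy == "all":
        return set(cookies)
    if policy == "named":
        return {"PHPSESSID"} & set(cookies)
    if policy == "validated":
        value = cookies.get("PHPSESSID")
        return {"PHPSESSID"} if value and PHPSESSID_RE.match(value) else set()
    raise ValueError(f"unknown policy {policy!r}")


def inspect_cookies(cookies, policy):
    """Run the toy detection over the cookies a policy leaves inspectable.

    Returns the sorted names of cookies that would be flagged.
    """
    skipped = exempt_cookies(cookies, policy)
    return sorted(name for name, value in cookies.items()
                  if name not in skipped and TOY_DETECTION_RE.search(value))


if __name__ == "__main__":
    for label, jar in (("benign", BENIGN), ("unlucky", UNLUCKY), ("suspect", SUSPECT)):
        for policy in ("none", "all", "named", "validated"):
            print(f"{label:8} {policy:10} flagged={inspect_cookies(jar, policy)}")
```

With the validated policy the unlucky session id is no longer a false positive, while the suspect jar is still fully inspected because its PHPSESSID fails the charset check.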