Re: [mod-security-users] Bypass all rules on Cookies
From: Laurens de V. <ld...@am...> - 2014-07-21 17:25:30
Thank you Walter Hop. I will try the rule. Is there some standard location where custom/local rules are normally stored, and do I have to worry about the id: 1234567? Regarding your recommendation: other subdomains are pretty free in the way cookies are set, so a whitelist is not feasible. Surely I should be OK considering that my application does not use cookies, and considering I have RequestHeader unset any cookie value for that domain? In fact I was surprised mod_security 'saw' them.

Laurens

On Jul 19, 2014, at 13:09 , Walter Hop wrote:

> On 19 Jul 2014, at 11:12, Laurens De Vries <ld...@am...> wrote:
>
>> Is there either a setting, or a rule I can add, to clear/bypass any cookie for all rules of the Core Set.
>
> Adding a rule like this to your configuration could go a long way. It will bypass checking cookies for rules with any tag (which is almost all of the CRS):
>
>     SecAction \
>       "id:1234567,phase:1,t:none,nolog,pass,\
>       ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES"
>
> I wouldn’t recommend doing this though. It’s a bit better to whitelist individual cookie names, instead of every cookie. Of course, for this, you must know the cookie name:
>
>     SecAction \
>       "id:1234567,phase:1,t:none,nolog,pass,\
>       ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES:yourcookiename"
>
> However, cookies can be manipulated by a client just like other parameters! If you run applications that handle cookies insecurely, you might open up yourself to attacks again. So it’s even better to validate the cookie contents before whitelisting. For instance, if you have problems with a PHPSESSID cookie which due to random chance contains some prohibited words, the following snippet will whitelist the PHPSESSID cookie *only* if it matches a valid cookie string from the PHP manual.
>
>     SecRule REQUEST_COOKIES:PHPSESSID "^[a-zA-Z0-9\-,]+$" \
>       "id:1234567,phase:1,t:none,nolog,pass,\
>       ctl:ruleRemoveTargetByTag=.*;REQUEST_COOKIES:PHPSESSID"
>
> Now if someone would try some form of injection via the PHP session handler, they’d likely need some special characters and the request won’t be whitelisted.
>
> -
> Walter Hop | PGP key: https://lifeforms.nl/pgp