Re: [mod-security-users] HTTP Request Smuggling
From: Erwin G. <erw...@zi...> - 2007-06-15 09:06:24
Marc,

Nice approach!

What I was wondering:

- Does ModSecurity see 1 or 2 HTTP requests from 1 HTTP request containing CRLF and other stuff that split up the request? Because this would be interesting to know for your rules.
- What happens if you combine HTTP Request Smuggling with very small TCP/IP packets (same trick to evade IDS)? Did someone test this?

Thanks,
Erwin

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Marc Stern
Sent: Friday, 15 June 2007 10:50
To: mod...@li...
Subject: [mod-security-users] HTTP Request Smuggling

I'm trying to write rules for protecting against HTTP Request Smuggling.
These attacks use some malformed requests that are (at least some of them) not trapped by core rules.

I think that some candidates for core rules are:

    SecRule &REQUEST_HEADERS:Content-Length "@gt 1" "phase:1,drop"
    SecRule &REQUEST_HEADERS:Content-Type "@gt 1" "phase:1,drop"
    SecRule &REQUEST_HEADERS:Host "@gt 1" "phase:1,drop"
    SecRule &REQUEST_HEADERS:Content-Disposition "@gt 1" "phase:1,drop"

These ensure that the headers are present only once. Maybe some other headers should be added?

To block the other attacks, we need to check the complete request, like

    GET /foobar.html HTTP/1.1
    Host: www.site.com
    Connection: Keep-Alive
    ...

Is this possible? I don't find any variable allowing that.

Note that it was (and maybe still is) possible to attack Apache with HRS, so, if ModSecurity only receives the various parts separately, it could be too late.

Marc
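Worked example, added here and not code from either poster or from ModSecurity itself, of the two checks Marc's message proposes: counting duplicate headers the way `&REQUEST_HEADERS:X "@gt 1"` does, and inspecting the complete request for a second request line riding behind the declared body, which is the "1 or 2 requests" question Erwin raises. The three sample requests are constructed, and the body check is a heuristic, not a rule ModSecurity ships.

```python
import re
from typing import Dict, List, Tuple

# Headers that the proposed SecRules require to appear at most once.
UNIQUE_HEADERS = ("content-length", "content-type", "host", "content-disposition")
# Shape of an HTTP/1.x request line at the start of a line.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n", re.MULTILINE)

def parse_headers(raw: bytes) -> Tuple[Dict[str, List[bytes]], bytes]:
    """Split a raw request into ({lower-cased name: [every value]}, body).
    All occurrences are kept, like ModSecurity's REQUEST_HEADERS collection,
    so len(headers[name]) is what '&REQUEST_HEADERS:name' counts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[bytes]] = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line itself
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip())
    return headers, body

def smuggling_findings(raw: bytes) -> List[str]:
    """Return the reasons a request looks like HRS; an empty list means clean."""
    headers, body = parse_headers(raw)
    findings: List[str] = []
    for name in UNIQUE_HEADERS:
        count = len(headers.get(name, []))
        if count > 1:  # same condition as SecRule &REQUEST_HEADERS:<name> "@gt 1"
            findings.append(f"duplicate header {name} ({count}x)")
    # The "complete request" check: bytes beyond the declared Content-Length
    # are what a server would read as the *next* request. If they start with a
    # request line, one delivered request is about to be read as two
    # (a heuristic indicator, not proof of an attack).
    declared = headers.get("content-length", [b"0"])[0]
    length = int(declared) if declared.isdigit() else 0
    if REQUEST_LINE.search(body[length:]):
        findings.append("request line after declared Content-Length")
    return findings

# Constructed sample requests (not captured traffic).
CLEAN = (b"GET /foobar.html HTTP/1.1\r\nHost: www.site.com\r\n"
         b"Connection: Keep-Alive\r\n\r\n")
DUP_CL = (b"POST /a HTTP/1.1\r\nHost: www.site.com\r\n"
          b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
SPLIT = (b"POST /a HTTP/1.1\r\nHost: www.site.com\r\nContent-Length: 0\r\n\r\n"
         b"GET /b HTTP/1.1\r\nHost: www.site.com\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("dup-cl", DUP_CL), ("split", SPLIT)):
        print(label, smuggling_findings(req) or "ok")
```

The body check only works if the engine hands the inspector the whole byte stream, which is exactly the limitation Marc points out; a per-request view that already split the stream sees nothing here.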