[mod-security-users] Interesting feature
From: Nick G. <nic...@gm...> - 2007-07-31 13:08:17
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Guys,<br>
<br>
I thought about a killer feature that I'd love to see in ModSecurity.<br>
<br>
Let's consider this form as an example:<br>
<blockquote>
<pre>
&lt;form action="Page2" method="..."&gt;
  &lt;input name="input1" ...&gt;
  &lt;input name="input2" type=hidden value="hidden value"&gt;
  &lt;input name="input3" type=radio ...&gt;
  &lt;input name="input4" type=checkbox ...&gt;
  &lt;select name="input5" ...&gt;
    &lt;option value="value1"&gt;...&lt;/option&gt;
    &lt;option value="value2"&gt;...&lt;/option&gt;
  &lt;/select&gt;
&lt;/form&gt;
</pre>
</blockquote>
If the only way to reach "Page2" is from a form stored in another page (or even in several pages), as with most applications, it would be very handy to check that the form was not modified by a hacker. Here are the checks that should, ideally, be performed:<br>
<ul>
<li>Page2 was indicated as ACTION in the form</li>
<li>the method is the same as indicated in the form</li>
<li>all input parameters are present</li>
<li>no extra input parameters are present</li>
<li>hidden values are not modified</li>
<li>CHECKBOX, RADIO &amp; SELECT input parameters have allowed values</li>
</ul>
It may, at first, sound difficult to check this, but it actually isn't.<br>
When serving the page containing the form, you can parse it and copy the form (only the relevant part). You electronically sign it (typically with a MAC), and you store it in a cookie.<br>
On "Page2", you check the input against the signed cookie.<br>
<br>
From a directive point of view, I guess the following would be needed:<br>
<ul>
<li>a directive, to be used on the application location, to tell it to create and check the secure cookie</li>
<li>a directive, to be used on allowed entry pages with GET parameters, not to check the cookie</li>
</ul>
<br>
This is no trivial work, but I guess it is really worth it.<br>
<br>
Regards,<br>
<br>
Nick
</body>
</html>
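A worked example of the form-signing scheme Nick describes above, added here as an illustration in Python; it is not ModSecurity code and not part of the original post. It parses the served page into a per-form schema (action, method, each field's type and the values the form offered), HMAC-signs that schema into a cookie value, verifies the cookie when the target page is requested, and reports every deviation in the mail's list. The key, the cookie encoding, the sample page and the two sample requests are constructed for this example. It goes slightly beyond the post in two places: an unticked checkbox or unselected radio is accepted as absent, since browsers do not submit them, and an option without a value attribute takes its text as its value. The second directive (exempting entry pages from the check) is not shown.

```python
"""Sign a served form's structure into a cookie, then verify the submission
against it. Illustration of the scheme proposed in the mail above, not
ModSecurity code; SECRET_KEY, the cookie layout and the sample data are
assumptions made for this example."""
import base64
import binascii
import hashlib
import hmac
import json
from html.parser import HTMLParser

SECRET_KEY = b"example-only-key-load-from-config"  # assumed; keep real keys out of source

# Field types whose submitted values must come from the set seen in the form.
ENUMERATED = {"hidden", "radio", "checkbox", "select", "select-multiple"}


class FormSchemaExtractor(HTMLParser):
    """Collect, per <form>, its action, method and the allowed values of each field."""

    def __init__(self):
        super().__init__()
        self.forms, self._form, self._select, self._option = [], None, None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "fields": {}}
            return
        if self._form is None:
            return  # inputs outside any form are ignored
        fields = self._form["fields"]
        if tag == "input" and a.get("name"):
            itype = (a.get("type") or "text").lower()
            field = fields.setdefault(a["name"], {"type": itype, "allowed": []})
            if itype in ENUMERATED:  # several radios/checkboxes may share one name
                val = a.get("value")  # browser defaults: "on" for ticks, "" for hidden
                field["allowed"].append(val if val is not None else ("" if itype == "hidden" else "on"))
        elif tag == "select" and a.get("name"):
            stype = "select-multiple" if "multiple" in a else "select"
            self._select = fields.setdefault(a["name"], {"type": stype, "allowed": []})
        elif tag == "option" and self._select is not None:
            if a.get("value") is not None:
                self._select["allowed"].append(a["value"])
            else:
                self._option = ""  # no value attribute: the option's text is its value

    def handle_data(self, data):
        if self._option is not None:
            self._option += data

    def handle_endtag(self, tag):
        if tag == "option" and self._option is not None:
            self._select["allowed"].append(self._option.strip())
            self._option = None
        elif tag == "select":
            self._select = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def extract_form_schemas(html):
    p = FormSchemaExtractor()
    p.feed(html)
    p.close()
    return p.forms


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def sign_schema(schema, key=SECRET_KEY):
    """Cookie value: base64(canonical JSON) '.' base64(HMAC-SHA256 over that JSON)."""
    payload = json.dumps(schema, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the signed schema, or None if the cookie is malformed or the MAC fails."""
    try:
        b64_payload, b64_mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        mac = base64.urlsafe_b64decode(b64_mac)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return json.loads(payload)  # only parsed after the MAC is verified


def check_request(schema, action, method, params):
    """List every way a submission deviates from the signed form.
    params maps each name to the list of submitted values (as parse_qs does)."""
    problems = []
    if action != schema["action"]:
        problems.append(f"action {action!r} is not the signed {schema['action']!r}")
    if method.lower() != schema["method"]:
        problems.append(f"method {method!r} is not the signed {schema['method']!r}")
    fields = schema["fields"]
    for name in params:
        if name not in fields:
            problems.append(f"unexpected parameter {name!r}")
    for name, field in fields.items():
        values = params.get(name)
        if values is None:
            # an unticked checkbox or unselected radio is legitimately absent
            if field["type"] not in ("checkbox", "radio"):
                problems.append(f"missing parameter {name!r}")
            continue
        if field["type"] in ("hidden", "radio", "select") and len(values) != 1:
            problems.append(f"parameter {name!r} submitted {len(values)} times")
        if field["type"] in ENUMERATED:
            for v in values:
                if v not in field["allowed"]:
                    problems.append(f"{name!r}={v!r} is not a value the form offered")
    return problems


# Constructed sample page, modelled on the form in the mail (not real traffic).
SAMPLE_PAGE = """<form action="Page2" method="post">
  <input name="input1" type="text">
  <input name="input2" type="hidden" value="hidden value">
  <input name="input3" type="radio" value="r1"> <input name="input3" type="radio" value="r2">
  <input name="input4" type="checkbox" value="yes">
  <select name="input5"><option value="value1">One</option><option>value2</option></select>
</form>"""

GOOD = {"input1": ["free text"], "input2": ["hidden value"], "input3": ["r2"], "input5": ["value2"]}
TAMPERED = {"input1": ["free text"], "input2": ["hacked"], "input3": ["r9"],
            "input4": ["no"], "input5": ["value1"], "debug": ["1"]}

if __name__ == "__main__":
    schema = extract_form_schemas(SAMPLE_PAGE)[0]  # done while serving the page
    cookie = sign_schema(schema)                   # goes out as Set-Cookie on that response
    signed = verify_cookie(cookie)                 # done when Page2 is requested
    print(check_request(signed, "Page2", "POST", GOOD))      # []
    print(check_request(signed, "Page2", "POST", TAMPERED))  # four findings
```

The cookie carries no secret: the key stays on the server (or on the WAF in front of it), editing the cookie's payload breaks the MAC, and editing the form instead is caught by check_request. Because the schema is tied to a page rather than a session, a page with several forms needs one signed schema per form, and the cookie should be scoped to the application path and marked HttpOnly so scripts cannot read it.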