Thread: [mod-security-users] changing session token attributes
From: J A. <ja...@gm...> - 2008-01-29 13:50:21
I want to create a rule to rewrite a cookie's attributes, i.e. add Secure and HttpOnly flags and reset the path to a different directory. I figure I can use the RESPONSE_HEADERS variable, but I'm not sure how to go about creating a rule to rewrite content. Can someone point me to an example?

Thanks
- J
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-01-29 14:20:22
In the current version of ModSecurity, you can not edit/manipulate outbound data. The exception here is the new Content Injection actions in Mod 2.5, however that is for response body data and it can not manipulate response headers.

In order to do what you need, you will probably need to use mod_headers - http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: J A. <ja...@gm...> - 2008-01-29 15:48:59
On Jan 29, 2008 4:18 PM, Ryan Barnett <Rya...@br...> wrote:
> In the current version of ModSecurity, you can not edit/manipulate
> outbound data.

I'm new to ModSecurity, so please excuse me if I totally misunderstood. I previously asked a question on the list about CSRF protection mechanisms and Ivan Ristic responded that I could inject nonces into forms via ModSecurity, so I understood from that that you could manipulate outbound data. What am I missing?

- J
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-01-29 15:51:43
From: J Amuse [mailto:ja...@gm...]
Sent: Tuesday, January 29, 2008 10:49 AM
To: Ryan Barnett
Cc: mod...@li...
Subject: Re: [mod-security-users] changing session token attributes

> On Jan 29, 2008 4:18 PM, Ryan Barnett <Rya...@br...> wrote:
> > In the current version of ModSecurity, you can not edit/manipulate outbound data.
>
> I'm new to ModSecurity, so please excuse me if I totally misunderstood. I previously asked a question on the list about CSRF protection mechanisms and Ivan Ristic responded that I could inject nonces into forms via ModSecurity, so I understood from that that you could manipulate outbound data. What am I missing?

[Ryan Barnett] The answer is in the following section of my original response :-) You can use content injection to inject new data into response body data. For your scenario, you want to add data to the response headers (cookie header specifically) and you can not currently do that with Mod.

> > The exception here is the new Content Injection actions in Mod 2.5, however that is for response body data and it can not manipulate response headers.
> >
> > In order to do what you need, you will probably need to use mod_headers - http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
From: Brian R. <Bri...@br...> - 2008-01-29 16:32:56
Ryan Barnett wrote:
> [Ryan Barnett] The answer is in the following section of my original
> response :-) You can use content injection to inject new data
> into response body data. For your scenario, you want to add data to the
> response headers (cookie header specifically) and you can not currently
> do that with Mod.
>
> > In order to do what you need, you will probably need to use
> > mod_headers -
> > http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

I was recently testing this, so here is a simple example of what you can do with ModSecurity along with mod_headers. Basically use ModSecurity to get any values you need and do any logic, then use mod_headers to set headers for you...

    # When an arg contains "foo", capture the match and export it as the
    # environment variable "foo" (TX.0 holds the whole matched value)
    SecRule ARGS "^.*foo.*$" "phase:2,pass,nolog,capture,setenv:foo=%{TX.0}"

    # If the foo env var is set, add a Set-Cookie header that
    # sets a cookie to the value of the arg matching foo above
    Header add Set-Cookie "mycookie=%{foo}e; Path=/some/path/" env=foo

This is of course a poor example (security wise), but should give you some ideas what is possible.

later,
-B

--
Brian Rectanus
Breach Security
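The following configuration is an added example, not Brian's snippet and not part of ModSecurity or httpd; it applies the same split (ModSecurity decides in a request phase, mod_headers rewrites the outbound header) to exactly what J asked for at the top of the thread: add HttpOnly and Secure and reset Path on an existing Set-Cookie. It assumes httpd 2.2.4 or later (the `Header edit` form documented at the mod_headers link above) and ModSecurity 2.x with the `@beginsWith` operator; the cookie name `sessid`, the rule id `900100`, the environment variable `fix_cookie` and the path `/app/` are placeholders chosen for this example.

```apache
# Added example (not from the thread). Assumes httpd >= 2.2.4 for
# "Header edit" and ModSecurity 2.x. Names below are placeholders.

# 1. ModSecurity marks the responses whose cookie should be rewritten.
#    Deciding in phase 2 (request body) mirrors Brian's example: setenv has
#    run before mod_headers' output filter looks at the env= condition.
SecRule REQUEST_URI "@beginsWith /app/" \
    "phase:2,pass,nolog,id:900100,setenv:fix_cookie=1"

# 2. Append HttpOnly / Secure only when the attribute is absent. The negative
#    lookahead makes the regex match the whole value only if "; HttpOnly"
#    (case-insensitive) does not already occur, so flags are never duplicated.
Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly\b).)*)$" "$1; HttpOnly" env=fix_cookie
Header edit Set-Cookie "(?i)^((?:(?!;\s*Secure\b).)*)$"   "$1; Secure"   env=fix_cookie

# 3. Reset the Path attribute: first rewrite an existing one, then add one
#    to any Set-Cookie that still has none. "edit" directives apply in
#    configuration order and to every Set-Cookie header in the response.
Header edit Set-Cookie "(?i);\s*Path=[^;]*"          "; Path=/app/"   env=fix_cookie
Header edit Set-Cookie "(?i)^((?:(?!;\s*Path=).)*)$" "$1; Path=/app/" env=fix_cookie
```

Two things to check when adopting this: the Secure flag only makes sense for cookies issued over TLS, so scope the block to the HTTPS virtual host rather than a plain-HTTP one, and `Header` in its default (onsuccess) form does not touch headers on error responses, so a session cookie set alongside a 4xx/5xx status will pass through unmodified unless the server version offers a condition for that case.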
From: Ivan R. <iva...@gm...> - 2008-01-29 19:04:12
I was speaking of what is possible to do in general, not using ModSecurity. In fact, the most appropriate path for your work is to create a separate Apache module.

On Jan 29, 2008 3:48 PM, J Amuse <ja...@gm...> wrote:
> I'm new to ModSecurity, so please excuse me if I totally misunderstood. I
> previously asked a question on the list about CSRF protection mechanisms and
> Ivan Ristic responded that I could inject nonces into forms via ModSecurity,
> so I understood from that that you could manipulate outbound data. What am I
> missing?

--
Ivan Ristic