Thread: [mod-security-users] Tokens?
From: Christian M. <cma...@is...> - 2005-04-29 18:56:16
Hi, I was looking at other application firewalls and I saw that some of
them use tokens to sign forms or variables with a hash. Are there plans
to implement this in Mod_Security? Or is someone already working on it?

Thanks

P.S.: I also noted that there is no TODO list; it could be very interesting
to see what things are needed, or what people are expecting from the mod? :)

Christian

-- 
_________________________________
Christian Martorella
e-Security Engineer
cma...@is...
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________
This message and any documents attached to it may contain confidential
information. Anyone who receives it in error is therefore informed that the
information it contains is privileged and that its unauthorised use is
legally prohibited; in that case we ask you to notify us by the same means
or by telephone (93 305 13 18), to refrain from copying the message or
forwarding or handing it to anyone else, and to delete it immediately.
In compliance with Organic Law 15/1999 of 13 December on the protection of
personal data, Internet Security Auditors S.L. informs you that your personal
data have been included in computerised files owned by Internet Security
Auditors S.L., which will be the sole recipient of those data and whose
exclusive purpose is customer management and commercial communication, and
that you may exercise the rights of access, rectification, cancellation and
objection provided by law by writing to Internet Security Auditors,
c. Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, or by e-mail to the
following address: le...@is...
From: Ivan R. <iv...@we...> - 2005-04-30 09:09:42
Christian Martorella wrote:

> Hi, I was looking at other application firewalls and I saw that some of
> them use tokens to sign forms or variables with a hash.

Can you be more specific? What are they signing? The hidden fields, the
names of the fields?

> Are there plans to implement this in Mod_Security? Or is someone already
> working on it?

No. I am not convinced such a feature would have significant value in
real life. I can see how it can help in a specific case (e.g. when someone
has an app with a hidden field that should never change). But I do not
think it can work as a generic protection measure people can turn on and
forget about. In this day and age many applications are creating forms
dynamically at runtime, and using JavaScript to change the values in the
hidden fields.

> P.S.: I also noted that there is no TODO list; it could be very interesting
> to see what things are needed, or what people are expecting from the mod? :)

I used to have a public TODO list but it was frequently out of sync.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Christian M. <cma...@is...> - 2005-05-03 11:16:38
Ivan Ristic wrote:

> Christian Martorella wrote:
>
>> Hi, I was looking at other application firewalls and I saw that some of
>> them use tokens to sign forms or variables with a hash.
>
> Can you be more specific? What are they signing? The hidden fields,
> the names of the fields?

What you sign with a hash is the values of the hidden fields, or the
values of the URL parameters. For example, if you have

  <input name="year" type="hidden" value="1984?MSEC=OurhashOurhashOurHash">

so if someone changes 1984 to 1982, when you recalculate the hash for
year it will be different and you deny the request.

I know this would bring more performance issues, but it will be good for
parameter tampering, cookie tampering, and all tampering that could be done.

>> Are there plans to implement this in Mod_Security? Or is someone
>> already working on it?
>
> No. I am not convinced such a feature would have significant value in
> real life. I can see how it can help in a specific case (e.g. when
> someone has an app with a hidden field that should never change). But
> I do not think it can work as a generic protection measure people can
> turn on and forget about. In this day and age many applications are
> creating forms dynamically at runtime, and using JavaScript to change
> the values in the hidden fields.

Maybe you are right, but what about cookies? Or session IDs? Or URL
parameters where, if you change a value, you will be taken to a private
zone, for example?

My examples are for badly designed applications that a company couldn't
secure. I was just seeing what other application firewalls were doing,
and I found this functionality.

Cheers!

-- 
Christian Martorella
e-Security Engineer
Internet Security Auditors, S.L.
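The signing scheme Christian sketches above (a hidden value carrying an MSEC hash token that the server recomputes and compares on the way back in), as an added example that is not part of this thread or of mod_security: an HMAC-SHA256 over the field name plus value, constant-time verification, and an allowlist so that fields JavaScript legitimately edits, Ivan's objection, are simply not signed. The key, the marker parsing and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Hypothetical server-side secret (constructed for this example); a real
# deployment loads it from protected configuration and rotates it.
SERVER_KEY = b"constructed-demo-key-change-me"
MARKER = "MSEC"  # token marker taken from the thread's example value

def sign_value(field: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Emit 'value?MSEC=<hex mac>' for a hidden field or URL parameter.
    The MAC covers the field name too, so a valid token for 'year' cannot
    be reused as the value of some other signed field."""
    mac = hmac.new(key, f"{field}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}?{MARKER}={mac}"

def verify_value(field: str, signed: str, key: bytes = SERVER_KEY):
    """Split off the token, recompute the MAC over the received value and
    compare in constant time. Returns (ok, plain_value)."""
    value, sep, tag = signed.rpartition(f"?{MARKER}=")
    if not sep:
        return False, None  # token stripped entirely: reject, do not fall back
    expected = hmac.new(key, f"{field}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, value

def check_form(form: dict, signed_fields: frozenset, key: bytes = SERVER_KEY):
    """Verify only the fields the server emitted as fixed (allowlist);
    fields that JavaScript legitimately edits are passed through unsigned.
    Returns the form with tokens stripped, or None if any check fails."""
    clean = {}
    for name, raw in form.items():
        if name in signed_fields:
            ok, value = verify_value(name, raw, key)
            if not ok:
                return None
            clean[name] = value
        else:
            clean[name] = raw
    return clean

if __name__ == "__main__":
    year = sign_value("year", "1984")                 # what the server renders
    print(check_form({"year": year, "q": "x"}, frozenset({"year"})))
    tampered = "1982" + year[len("1984"):]             # client edits 1984 -> 1982
    print(check_form({"year": tampered}, frozenset({"year"})))  # None
```

Because the token is recomputed from the received value, the server keeps no per-request state; the cost Christian mentions is one HMAC per signed field on emit and one on verify.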