On Wed, Aug 7, 2013 at 11:02 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
Josh,
thanks for your answer.
The number of x's should be random (say between 1 and 80) to ensure that the response size differs (it's an attempt to tackle the BREACH SSL attack ;-))
Hi Hans,
I may be completely off but injecting a random header value does not affect the content-length value. I think you need to inject a random number of bytes to the response body.
--- Josh
The setenv seems to be doable by exec-ing a lua script, but I was wondering if there was a cleaner way.
Cheers,
Hans
On 7-8-2013 21:38, Josh Amishav-Zlatin wrote:
On Wed, Aug 7, 2013 at 7:30 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
Hi,
I'm rather new to mod_security
I'd like to insert a variable sized header on responses
e.g:
X-padding: xxxx
or
X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
etc
where the number of x-s randomly differs per response.
Is this possible with a standard rule or would I need to define a custom
function for this ?
Hi Hans,
How do you decide how many x's are appropriate for each response? Depending on the implementation, you could use a combination of the ModSecurity setenv action and a ModHeaders rule to inject the header.
--- Josh
KR,
Hans
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
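An added illustration of the size question raised in this thread (not part of the original messages and not ModSecurity code): it measures how an X-padding header and two kinds of body padding change the Content-Length and the total bytes of a gzip-encoded response. The sample body, function names and pad lengths are assumptions made for the example.

```python
import gzip
import secrets

# Constructed sample page; any compressible HTML body behaves the same way.
BODY = b"<html><body>" + b"<p>constructed sample page</p>" * 20 + b"</body></html>"

def gz_len(body: bytes) -> int:
    """Content-Length of the body once Content-Encoding: gzip is applied."""
    return len(gzip.compress(body, mtime=0))

def build_response(body: bytes, header_pad: int = 0) -> bytes:
    """Serialize an HTTP/1.1 response, optionally with an X-padding header."""
    compressed = gzip.compress(body, mtime=0)
    lines = [b"HTTP/1.1 200 OK", b"Content-Encoding: gzip",
             b"Content-Length: " + str(len(compressed)).encode()]
    if header_pad:
        lines.append(b"X-padding: " + b"x" * header_pad)
    return b"\r\n".join(lines) + b"\r\n\r\n" + compressed

def content_length(raw: bytes) -> int:
    """Read the Content-Length value back out of a serialized response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.lower() == b"content-length":
            return int(value)
    raise ValueError("no Content-Length header")

def pad_repeated(body: bytes, n: int) -> bytes:
    """Body padding: n identical characters inside an HTML comment."""
    return body + b"<!--" + b"x" * n + b"-->"

def pad_random(body: bytes, n: int) -> bytes:
    """Body padding: n random hex characters inside an HTML comment."""
    return body + b"<!--" + secrets.token_hex(n)[:n].encode() + b"-->"

def report() -> dict:
    plain, padded = build_response(BODY), build_response(BODY, 40)
    return {
        "header_pad_wire_growth": len(padded) - len(plain),
        "header_pad_cl_growth": content_length(padded) - content_length(plain),
        "repeated_body_pad_cl_growth": gz_len(pad_repeated(BODY, 80)) - gz_len(pad_repeated(BODY, 10)),
        "random_body_pad_cl_growth": gz_len(pad_random(BODY, 80)) - gz_len(pad_random(BODY, 10)),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Headers are sent uncompressed in HTTP/1.1, so a run of identical characters adds its full length there, while the same run placed in the body before compression collapses to almost nothing; body padding only varies the compressed size when its content is random.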