Josh,

You are right that the header won't affect the content length of the body.
However, if I read the description of the attack (http://www.kb.cert.org/vuls/id/987798), then the man in the middle checks the size of the SSL payload, not the body content length.
As the header is part of the SSL payload, varying the header would alter the SSL payload size and therefore blind the MITM :-)

Cheers,

Hans

On 7-8-2013 23:27, Josh Amishav-Zlatin wrote:
On Wed, Aug 7, 2013 at 11:02 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
Josh,

thanks for your answer.

The number of x's should be random (say between 1 and 80) to ensure that the response size differs (it's an attempt to tackle the BREACH SSL attack ;-))

Hi Hans,

I may be completely off, but injecting a random header value does not affect the content-length value. I think you need to inject a random number of bytes into the response body.

--
 - Josh
 
The setenv seems to be doable by exec-ing a lua script, but I was wondering if there was a cleaner way.

Cheers,

Hans




On 7-8-2013 21:38, Josh Amishav-Zlatin wrote:
On Wed, Aug 7, 2013 at 7:30 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
Hi,

I'm rather new to mod_security

I'd like to insert a variable sized header on responses

e.g:
X-padding: xxxx
or
X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
etc

where the number of x's randomly differs per response.

Is this possible with a standard rule or would I need to define a custom
function for this?


Hi Hans,

How do you decide how many x's are appropriate for each response? Depending on the implementation, you could use a combination of the ModSecurity setenv action and a ModHeaders rule to inject the header.

--
 - Josh
 
KR,
Hans


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



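Added example, not taken from this thread or from the ModSecurity project: one way to wire up what Josh and Hans discuss. A Lua script run through SecRuleScript stores a random-length run of x's in tx.padding, the rule's setenv action copies that into an Apache environment variable, and a mod_headers directive emits it as X-Padding on every response. The script path, rule id and header name are placeholders, and the example assumes ModSecurity 2.x built with Lua support, with the standard io/os libraries open in the script's Lua state and m.setvar available; the two httpd.conf lines in the header comment are the assumed wiring, so check them against your version's reference manual. Two caveats a practitioner should keep in mind: ModSecurity creates a fresh Lua state for each execution, so an unseeded math.random would hand every response the same length; and padding of this kind only adds noise to the size oracle BREACH relies on, because an attacker who can repeat requests can average the padding out, so it raises the cost of the attack rather than removing it.

```lua
-- breach_padding.lua
-- Added example for the mod-security-users thread above; not part of ModSecurity itself.
-- Sets tx.padding to a run of 1..80 'x' characters whose length varies per response.
--
-- Assumed wiring in httpd.conf (path, rule id and header name are placeholders):
--   SecRuleScript /etc/modsecurity/breach_padding.lua \
--       "phase:1,id:900100,nolog,pass,setenv:PADDING=%{tx.padding}"
--   Header always set X-Padding "%{PADDING}e" env=PADDING
--
-- SecRuleScript treats a string return value as a match and only then runs the
-- rule's actions, so main() returns a short string instead of nil.

local MIN_LEN, MAX_LEN = 1, 80

-- Draw the length from the kernel CSPRNG when the io library is available.
-- Assumption: ModSecurity opens the standard Lua libraries in the script state.
local function random_length()
    local f = io.open("/dev/urandom", "rb")
    if f then
        local bytes = f:read(2)
        f:close()
        if bytes and #bytes == 2 then
            -- 0..65535 reduced modulo 80; the bias (65536 % 80 == 16) is negligible here.
            local n = bytes:byte(1) * 256 + bytes:byte(2)
            return MIN_LEN + n % (MAX_LEN - MIN_LEN + 1)
        end
    end

    -- Fallback: each execution gets a fresh Lua state, so an unseeded math.random
    -- would return the same length on every request. Seed from the clock mixed
    -- with the per-request UNIQUE_ID (mod_unique_id) so that two requests in the
    -- same second still differ. This is not a cryptographic source; it is a
    -- last resort when /dev/urandom cannot be read.
    local seed = os.time()
    local uid = m.getvar("UNIQUE_ID") or ""
    for i = 1, #uid do
        seed = (seed * 31 + uid:byte(i)) % 2147483647
    end
    math.randomseed(seed)
    return math.random(MIN_LEN, MAX_LEN)
end

function main()
    local len = random_length()
    -- m.setvar writes into the transaction collection; the rule's setenv action
    -- then expands %{tx.padding} into the Apache env var that mod_headers reads.
    m.setvar("tx.padding", string.rep("x", len))
    -- Returning a string makes the rule match so setenv runs; 'pass' keeps the
    -- rule non-blocking and 'nolog' keeps it out of the audit log.
    return "padding set"
end
```

Because the header is emitted by mod_headers on the output side, it changes the size of the TLS record carrying the response headers without touching the body or its Content-Length, which is the effect Hans describes. To verify the wiring, request the same URL several times over TLS with curl -sI and confirm that the X-Padding value changes length from one response to the next; if it is constant, the Lua state is being reused without the /dev/urandom path and the fallback seeding is not varying.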