From: Josh Amishav-Zlatin <jamuse@owasp.org>
Date: Thursday, July 18, 2013 5:11 AM
To: "Abfalterer, Armin" <Armin.Abfalterer@united-security-providers.ch>
Cc: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Cookie exclusion

On Thu, Jul 18, 2013 at 11:07 AM, Abfalterer, Armin <Armin.Abfalterer@united-security-providers.ch> wrote:
Hi all,

we've encountered lots of false positives (caused by different rules) due to the particular value of a specific cookie.

What is the name of the specific cookie?  Let's assume it is called "foo", then I would suggest you use the following updated version that Josh provided -

SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES:foo"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!REQUEST_COOKIES:foo"

This would exclude that specific cookie value from being inspected by any of the XSS or SQLi rules.

-Ryan


So my question is whether it is possible to exclude a specific cookie from the mod_security validation?


Hi Armin,

The easiest way is probably to use SecRuleUpdateTargetByTag and then cycle through the various tags, e.g.:

SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!REQUEST_COOKIES"
...

--
 - Josh
 
Regards, Armin
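The two suggestions in this thread differ in scope: Josh's form removes every cookie from the tagged rules, while Ryan's form removes only the one cookie that causes the false positives. The following ModSecurity 2.x configuration fragment is an added example, not posted by anyone in the thread, showing the narrow form together with a regex-selector variant and a per-rule variant. It assumes the CRS rules are loaded before this fragment, that the noisy cookie is named "foo" (the placeholder Ryan used), and that <rule-id> stands in for a real rule id taken from the audit log entry of the false positive.

```apache
# Added example: scoping a cookie exclusion in ModSecurity 2.x.
# Assumption: the CRS rule files are Included above this point, because
# SecRuleUpdateTargetBy* only modifies rules that are already defined.

# Too broad: every cookie is dropped from every rule tagged WEB_ATTACK/XSS,
# so an attack carried in any other cookie is no longer inspected by them.
#SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES"

# Narrow: only the named cookie ("foo" is a placeholder) is excluded from
# the XSS and SQL injection rule groups; all other cookies stay inspected.
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES:foo"
SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!REQUEST_COOKIES:foo"

# Regex selector: useful when the cookie name carries a variable suffix
# (constructed pattern, e.g. foo_1, foo_2). Anchor the pattern so it does
# not accidentally match unrelated cookies.
SecRuleUpdateTargetByTag "WEB_ATTACK/XSS" "!REQUEST_COOKIES:/^foo_[0-9]+$/"

# Narrowest: exclude the cookie from a single rule only, when the audit log
# shows that one rule is responsible. <rule-id> is a placeholder.
#SecRuleUpdateTargetById <rule-id> "!REQUEST_COOKIES:foo"
```

The tag-based directive is the pragmatic choice when many rules fire on the same cookie, but each exclusion is a permanent blind spot for that cookie, so record why it exists and prefer the per-rule form once the audit log shows which rules actually trigger.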

_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users